redirect_uri is overwritten to http although app runs on https

[paulvanbladel]

I have following configureService method

 public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc().AddRazorPagesOptions(o => o.Conventions.AuthorizeFolder("/"));

            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";

            })
                .AddCookie("Cookies")
                .AddOpenIdConnect("oidc", options =>
                {
                    options.SignInScheme = "Cookies";
                    options.Scope.Add("openid");
                    options.Scope.Add("profile");
                    options.Scope.Add("roles");
                    options.Authority = "https://my-auth-server"
                    options.ClientId = "my-mvc-client-id";
                    options.SaveTokens = true;

                });
        }

My auth server (identityserver) complains because the incoming redirect_uri coming from the mvc app is http rather than https.

Any idea?

[Tratcher]

Are you using a reverse proxy? They usually forward over http and set x-forwarded-proto. The UseForwardedHeaders middleware reads x-fowarded-proto and updates the request accordingly.

[paulvanbladel]

@Tratcher That's very alert, indeed I'm using docker swarm with a reverse proxy (traefik).
I found in the mean time an alternative approach by means of Events but I believe your suggestion is more elegant:

...
 options.RequireHttpsMetadata = false;
                    options.ClientId = "my-app";
                    options.SaveTokens = true;
                    Func<Microsoft.AspNetCore.Authentication.OpenIdConnect.RedirectContext, Task> RedirectToIdentityProvider = (ctx) =>
                    {
                        ctx.ProtocolMessage.RedirectUri = ctx.ProtocolMessage.RedirectUri.Replace("http", "https");
                        return Task.FromResult(0);
                    }
                    ;
                    options.Events = new Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectEvents
                    {
                        OnRedirectToIdentityProvider = RedirectToIdentityProvider
                    };
                });

[paulvanbladel]

@Tratcher
Something like this?

// forwarded Header middleware
            var fordwardedHeaderOptions = new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
            };
            fordwardedHeaderOptions.KnownNetworks.Clear();
            fordwardedHeaderOptions.KnownProxies.Clear();

            app.UseForwardedHeaders(fordwardedHeaderOptions);

[Tratcher]

Indeed. Why are you calling Clear()?

[paulvanbladel]

Good question. No specific reason. I learn from you now, that this is a bad idea :)

[paulvanbladel]

You agree that the forwarded header middelware is better than my approach?

[Tratcher]

Yes, forwarders are better than re-writing the redirect URL. Many things check the request scheme and the forwarders will help make it correct.

[paulvanbladel]

Thanks, great to get this sorted out so clearly. Many thanks. Closing the issue.

[paulvanbladel]

Sorry, Still trouble with this.
It' still using http.
This is my ConfigureServices in my mvc app.

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Error");
            }

            // forwarded Header middleware
            var fordwardedHeaderOptions = new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.All
            };

            app.UseForwardedHeaders(fordwardedHeaderOptions);
            app.UseAuthentication();

            app.UseStaticFiles();
            app.UseMvc();
        }

so, I'm using it before the authentication middleware. Is that ok?

When I look in my STS logging (so identity server, I'm still getting)

2018-03-22T07:57:06.347479627Z fail: IdentityServer4.Validation.AuthorizeRequestValidator[0]
2018-03-22T07:57:06.347483049Z       Invalid redirect_uri: http://my-private-url/signin-oidc
2018-03-22T07:57:06.347486196Z       {
2018-03-22T07:57:06.347498051Z         "ClientId": "camp.mvc",
2018-03-22T07:57:06.347501729Z         "ClientName": "camp.mvc",
2018-03-22T07:57:06.347504911Z         "AllowedRedirectUris": [
2018-03-22T07:57:06.347508226Z           "https://my-private-url/signin-oidc"
2018-03-22T07:57:06.347511557Z         ],
2018-03-22T07:57:06.347514884Z         "SubjectId": "anonymous",
2018-03-22T07:57:06.347517943Z         "RequestedScopes": "",
2018-03-22T07:57:06.347521077Z         "Raw": {
2018-03-22T07:57:06.347524363Z           "client_id": "camp.mvc",
2018-03-22T07:57:06.347527545Z           "redirect_uri": "http://my-private-url/signin-oidc",
2018-03-22T07:57:06.347530922Z           "response_type": "id_token",
2018-03-22T07:57:06.347533966Z           "scope": "openid profile roles",
2018-03-22T07:57:06.347537014Z           "response_mode": "form_post",
2018-03-22T07:57:06.347553237Z           "nonce": "636573022262942971.ZTUwMzBiZmMtNDFlNy00MjI5LWJkM2ItMWJlNmE2NGQxMTdlNzMyZmViNzEtMDJiYS00YWNkLWE1ZGQtNmYyNjM3ZmQzOTMw",
2018-03-22T07:57:06.347557593Z         

When I use my 'hack', it works.

[blowdart]

Are the headers being added? Could you dump out the request headers in your app to make sure?

[paulvanbladel]

Yeah sorry, I first need to check what the reverse proxy is doing. I reopen the issue and report back to share with others if I need to make specific settings on nginx/traefik level to make this working.