Hi all,
we need to publish some APIs and a WebApplication done with .Net Core. We use an IdentityServer4 to authenticate users and secure APIs.
The problem is that if everything runs in our internal network we have no problems, but if we publish in our production environment with a Reverse Proxy done with IIS we experience authentication problems.
We can reach the WebApplication and the IdentityServer, but something goes wrong between the two.
Do you have any idea of what I should check? Or configure differently with the Reverse Proxy?
Thank you,
Nicola.
For your own peace of mind I would try to learn to diagnose the "something" ;)
This might help
https://github.com/aspnet/Docs/issues/2384
Any update on the issue? closing for now - feel free to re-open if it needs further discussion.
Hi @leastprivilege I finally had time to set up a test environment to simulate the problem, I might also need advice on whether this is a correct security solution. Furthermore I read the docs you linked, but I don't really understand if they apply to IIS too and/or to my case.
I have an IIS web server with APIs inside my company LAN, APIs are developed in .NET Core.
I have an IIS web server with a web portal inside my company LAN developed in .NET Core and it consumes the above APIs.
I also have iOS and Android apps that consume APIs.
We use a wildcard SSL certificate to secure data transmission (even inside our LAN).
Both API and the web portal must be published outside on the internet because clients must be able to reach the web portal or directly the APIs depending on what they need to do.
Now I wanted to place a Reverse Proxy on an external branch (or DMZ) of the company main firewall and I was doing it using IIS with the Rewrite module. Obviously I have an internal DNS and a public DNS to resolve the names of the APIs and web portal.
My first question is: IIS Reverse Proxy (external) -> [ (Identity Server 4) IIS again -> Kestrel (internal)] is it a good solution or do you know other cleaner way to get security in my scenario?
When I try this configuration I experience problems when I try to authenticate on the Identity Server from the internet, and no problems when I use everything from the LAN (because in this case I do not use the external Reverse Proxy) so I'm sure they are related to header forwarding as you pointed out. Do you think that using UseForwardedHeaders is going to solve the problem in my environment? Do you suggest other solutions?
Thank you for your patience and time,
Nicola.
For anyone who runs into these types of issues, the solution will require several things.

First of all you should always be using the X-Forwarded headers in your application if it's sitting behind a load balancer / proxy. Without it you will end up with never ending loops between the identity server and your application.

Secondly if you are running multiple servers behind a balancer, each server will have its own encryption key for encrypting and decrypting the cookies stored in the header. So you will most certainly end up with authentication problems in this case. To bypass the issue use DataProtectKeys... A quick google will show you some different ways to do this using network folders, databases, azure, etc... Basically this allows your application to override the default encryption key being used by your application and to use a key stored somewhere. Each application will access the same resource to obtain the key and therefore can read and write cookies the same way.

Good luck...
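The two fixes named in the answer above, and the `UseForwardedHeaders` question in Nicola's post, put together as one ASP.NET Core `Startup`. This is an added example, not code from the thread or from IdentityServer4: the proxy address `10.0.0.5`, the application name `corp-portal` and the UNC path `\\fileserver\dpkeys` are placeholders. It restricts the forwarded headers to the one proxy you trust instead of accepting them from anyone, which is the check the forwarded-headers middleware does for you only if you tell it who the proxy is.

```csharp
// Added example (not from the thread): Startup for an ASP.NET Core app or
// IdentityServer4 host that sits behind an IIS reverse proxy and may run on
// several nodes. It handles the two failure causes the thread identifies:
// (1) honouring X-Forwarded-* headers, but only from the proxy we trust;
// (2) sharing Data Protection keys across nodes.
// Proxy IP, application name and share path are placeholders.
using System;
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // The scheme is what matters for IdentityServer: without
            // X-Forwarded-Proto the discovery document and redirect URIs are
            // built as http:// and the login round-trip never settles.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Trust the headers only when they arrive from the DMZ proxy.
            // The defaults trust loopback only; clearing the lists without
            // adding the proxy would let any client forge its address and
            // scheme, so the two go together.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // placeholder: DMZ IIS proxy

            // Exactly one proxy hop between the internet and this app.
            options.ForwardLimit = 1;
        });

        // Same key ring on every node, so a cookie or IdentityServer artefact
        // issued by node A is readable by node B. The share should be
        // writable only by the application pool identities.
        services.AddDataProtection()
            .SetApplicationName("corp-portal")                                // placeholder; identical on every node
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dpkeys")); // placeholder UNC path
        // Keys on a network share should also be encrypted at rest, e.g. with
        // .ProtectKeysWithCertificate(cert) or .ProtectKeysWithDpapiNG().

        services.AddMvc();
        // services.AddIdentityServer()...  as already configured in the project.
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Must run before anything that reads Request.Scheme or Request.Host,
        // i.e. before UseAuthentication / UseIdentityServer / UseMvc.
        app.UseForwardedHeaders();

        // app.UseIdentityServer();   // or app.UseAuthentication();
        app.UseMvc();
    }
}
```

Two checks worth doing before blaming the application: confirm with a request trace that the DMZ IIS actually sends `X-Forwarded-Proto: https` (the Rewrite/ARR setup typically needs a server-variable rule for that; the `X-Forwarded-For` header alone is not enough), and confirm that the address the app sees for the proxy is the one in `KnownProxies`. If the internal IIS in front of Kestrel changes what the app sees, the entry must be that address, otherwise the middleware silently ignores the headers and the original symptom remains.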
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.