I am currently running a setup where I am hosting my IdentityServer application on Azure, and the rest of my infrastructure on Docker. HTTPS is provided through a reverse proxy.
When I land on my application via HTTPS, it correctly redirects to IdentityServer over HTTP. The user then provides their credentials, after which IdentityServer redirects back to my application over plain HTTP.
I'm currently not exposing my application over plain HTTP, and if at all possible, prefer not to expose it over HTTP at all.
My question is, why does IdentityServer use plain HTTP for the callback, and is it possible to change this behaviour through an option I'm missing?
I've tried only providing an HTTPS address for the callback, but that unfortunately results in an error.
Thanks for your time!
I had a similar problem (docker and reverse proxy) and fixed it with the following code in startup before app.UseIdentityServer():
```csharp
app.Use(async (context, next) =>
{
    context.Request.Scheme = "https";
    await next.Invoke();
});
```
IdentityServer passes back the protocol it received.
Sounds like your app is running http with a reverse proxy terminating SSL and then forwarding http. Therefore, it is issuing the callback-redirect-url using http.
You should map an X-FORWARDED-PROTO to the request protocol. Kestrel's .useIISIntegration() should do that, if that applies. Otherwise, in your Startup.cs, configure:

```csharp
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
```
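The forwarded-headers approach above, written out as a complete Startup (an added example, not code from the thread or from IdentityServer4 itself). It assumes ASP.NET Core 2.x, a placeholder proxy address of 10.0.0.2 and a placeholder Docker network of 172.18.0.0/16; the point it adds is that the middleware must run before UseIdentityServer and should only trust X-Forwarded-* headers from the proxy, otherwise any direct caller could claim an arbitrary scheme or source address.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Let the TLS-terminating proxy tell us the original scheme and client IP.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto;

            // Only honour those headers when the immediate peer is a known proxy.
            // Addresses below are placeholders; replace with the real proxy/network.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.2"));
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("172.18.0.0"), 16));
        });

        // IdentityServer registration (clients, resources, signing credential)
        // as in the project's own Startup.
        services.AddIdentityServer();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Runs first so that Request.Scheme is already "https" when IdentityServer
        // builds redirect URIs, the issuer and the discovery document.
        app.UseForwardedHeaders();

        app.UseIdentityServer();
        app.UseMvcWithDefaultRoute();
    }
}
```

If the proxy is not in KnownProxies or KnownNetworks the headers are silently ignored and the scheme stays http, which looks exactly like the symptom in the original question.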
Yep - that's how ASP.NET Core works.
Thank you guys for the assist - I managed to get it working with the above snippets, and learned something about how ASP.NET Core works.
Hi,
I'm using ASP.Net Core 2.1 and IdentityServer4 and having the same issue after the login is authorized. The callback page http://test.ems.net/signin-oidc returns an empty page with error 404.

Request header:

```
Host: test.ems.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1612
Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJT90TnYvMl8F3mLCAK-uAWfUxRnfSVSWG2sDaIcCfgJQLXBLLVVO22vKddmZSUSdxBp6VU6X4pPDd2bhEIgzkSHxWso0GY3aOcp0rjsCPxZKxEydGGntQKHVN-wytrNSv-QShwJAY-BPJoPY4pus0SHnU8TMdQLtiirSTZjEWFzXKgCjUSVQt7Pvx1k8l5GPcFb0Dk36IPyw0qeJmWGoeBgPZO2lv2BRLkOu-7PRqKjvfvjGp1vKaB9Q62Piy91lDo=N; .AspNetCore.Correlation.oidc.tP5mvB60KVsX6jwQuxbCGABLvSsRXBMy9QAxLnbAAEM=N; .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJSfkdcOdrFRm6NuakDdc6pjqsAHFV30sINZ1Ab2tDHWMX8D-tk8T3oxjEl1IVggERxFSz3MKpoTq7c1-FS5_cPZdJbHMAeSmHPNB0_9vAXRPPQfyCFLQMS-5hv1b5Cj_ayqx2KV2G-Xk6ogUjYcdLnGKptTzCF0CBfoGRvQiaTV5a0A30mpIo2abvvoP1K9J6zV7poWBUdoheW9--EBC189NwRx1ip3vaUGqSO0YsXvjxxu7dhCxKHYG-f5Ss9KkzE=N; .AspNetCore.Correlation.oidc.byOSCm3Z18EOYK2g3Ty4Cb7bjOW2YiCZNM7aazhzmuE=N; .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJQddbLcPdIXdzDQNI7jG10PHt1Acnnp2HnrNmqbIBpza-3r83M7W2Q_ambQH6uKw_uyy0jI7R7Nf3B6qARkoBqYU_BxOoaW6uUIjGoxwTrttdvQaW9fvwFcxIvKKKXIr7tbEHY8M3Fglsw__ST0R4d28r1wK6_7xh2yGuhOhYClmnD4aNpXQuyEfVDndN9doS4tk_aLMUUXTRhpSNDq4mX1Sz64nI79tBjKzmiLkqTyy4_zIMkIt2ur-nG4wgt9tno=N; .AspNetCore.Correlation.oidc.BUVGAC2UC7mkbV6_OtVSda9DmH6FAh9h03-Xua_cqIc=N
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

Response header:

```
HTTP/1.1 404 Not Found
Server: Kestrel
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 12:36:00 GMT
Content-Length: 0
```
FireFox error message:
The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature.
My log text:

```
2018-10-04 08:46:43.219 : Information => 0 - Authorize endpoint response
{
"SubjectId": "1",
"ClientId": "EMS_WebApp",
"RedirectUri": "http://test.ems.net/signin-oidc",
"State": "CfDJ8PB7g-EnrphIjAiOy7MzaJRb1lkrRjfrD1i-DStJUMXu5YvWwiShBuvPXcvjnN6k1LmEOiH42GZly75kf5ADbba6B1WFnHOynLTV5nlMRwfnRFPGW_t6MFH9YJvriIwzrubgTQZRD1vYzmiciK60dlzg6fyhyXGH--TtoxuC6b2y3AUMTXJ4ru7RnS2ggodAUWO6vzvsH-wGIlB19uZUHkRXAz3RTsksCtYg91fnA7UG6d1SVy0p-akpDEnJOsHTqFN2qu3UWHZ4GX6T5QlFuqgBl4HpvlHCfvXp1U_p04217E1QF10AI_7B7OdDSNUFlg",
"Scope": "openid profile"
} - *
2018-10-04 08:46:43.22 : Debug => 0 - Augmenting SignInContext - *
2018-10-04 08:46:43.22 : Information => 10 - AuthenticationScheme: idsrv signed in. - *
2018-10-04 08:46:43.22 : Information => 2 - Request finished in 8.1483ms 200 text/html; charset=UTF-8 - *
2018-10-04 08:46:43.586 : Information => 1 - Request starting HTTP/1.1 POST http://test.ems.net/signin-oidc application/x-www-form-urlencoded 1612 - *
2018-10-04 08:46:43.586 : Information => 2 - Request finished in 0.5654ms 404 - *
2018-10-04 08:46:43.586 : Information => 32 - Connection id "0HLH9UN00CBF8", Request id "0HLH9UN00CBF8:00000002": the application completed without reading the entire request body. - *
```
The same application, IdentityServer and clients work perfectly on my localhost; after publishing to Windows Server 2012 R2 and IIS 8.5, the issue happens after the login.
Please help.
Regards.