How do I get the URLs generated from my application to be HTTPS?
Navigating to https://identity.example.com/.well-known/openid-configuration produces a discovery configuration like so:
    {
        "issuer": "http://identity.example.com",
        "jwks_uri": "http://identity.example.com/.well-known/openid-configuration/jwks",
        "token_endpoint": "http://identity.example.com/connect/token",
        "scopes_supported": [
            "api",
            "offline_access"
        ],
        "claims_supported": [
            "name",
            "email"
        ],
        "grant_types_supported": [
            "authorization_code",
            "client_credentials",
            "refresh_token",
            "implicit",
            "password"
        ],
        "response_types_supported": [
            "code",
            "token",
            "id_token",
            "id_token token",
            "code id_token",
            "code token",
            "code id_token token"
        ],
        "response_modes_supported": [
            "form_post",
            "query",
            "fragment"
        ],
        "token_endpoint_auth_methods_supported": [
            "client_secret_basic",
            "client_secret_post"
        ],
        "subject_types_supported": [
            "public"
        ],
        "id_token_signing_alg_values_supported": [
            "RS256"
        ],
        "code_challenge_methods_supported": [
            "plain",
            "S256"
        ]
    }
This causes my client application to throw exceptions because I have RequireHttpsMetadata set to true in my IdentityServerAuthenticationOptions when calling UseIdentityServerAuthentication.
I could not find any settings for this in the IdentityServerOptions.
This probably means you are behind a reverse proxy.
https://identityserver4.readthedocs.io/en/release/topics/deployment.html
I resolved this with the following added to Startup.cs:
    var forwardOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
        RequireHeaderSymmetry = false
    };

    forwardOptions.KnownNetworks.Clear();
    forwardOptions.KnownProxies.Clear();

    // ref: https://github.com/aspnet/Docs/issues/2384
    app.UseForwardedHeaders(forwardOptions);
Ref:
Note that RequireHeaderSymmetry must be false for this to work in an Azure web app environment.
I got the same problem but the described solution doesn't help. Has anything changed?
I use .net core 1.1.2 and IdentityServer 1.5.2
@kspearrin's solution worked for me on aspnet core version 2.0.5. This alone, ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto, does not work by itself; it needs the other options like RequireHeaderSymmetry = false.
I am also running on Azure App Services for Linux with containers.
Seem to have the same problem on Kubernetes with .NET Core 2.1.
The solutions here did not help. I had to bundle my own cert and make Kestrel listen with HTTPS, instead of relying on the Kubernetes to handle the certificate for me.
This solution worked for me (.Net Core 2.2)
We had the same issue on Kubernetes (actually EKS on AWS). After much struggle we got this working by adding the below in Startup Configure:

    var forwardOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };
    // RequireHeaderSymmetry seems to be false default in 2.1

Also make sure to limit the networks that can forward headers, for security, by adding a network with a mask, as in - this would typically be network IPv6 as

    // xxxx is the poster's placeholder for the network prefix and prefix length
    forwardOptions.KnownNetworks.Add(new IPNetwork(xxxx));
    app.UseForwardedHeaders(forwardOptions);
Hello. We are experiencing this issue of the metadata service returning non-HTTPS endpoints on an NLB-based setup. We already tried the recommendations above for resolving this, but they did not solve it. Any help would be appreciated.
The above recommendations worked for me, after editing my nginx config to allow for forwarding of headers:

    server {
        server_name somename.com;

        location / {
            proxy_pass http://localhost:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection keep-alive;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # had to include this line
            proxy_set_header X-Forwarded-Proto $scheme; # also included this line
        }
    }
I've tried adding that code to my Startup.cs, and set up our load balancer to forward the headers. Is there some other configuration that is needed in IIS or Windows to retrieve the forward-for headers?
The order in which the middlewares are added matters. I had to put the app.UseForwardedHeaders(options); call before the UseIdentityServer call. I ended up putting UseForwardedHeaders as the first thing in my Configure method.
https://github.com/IdentityServer/IdentityServer4/issues/324#issuecomment-446099722
The only thing that worked for us was adding the following line of code to the identity server options:

    services.AddIdentityServer(options =>
    {
        // ... (other lines omitted)
        options.PublicOrigin = "YOUR IDENTITY/AUTHORITY URL";
    });
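The middleware-ordering and network-restriction points raised in the comments above, combined into one helper as an added example (not code from the thread or from IdentityServer). `UseForwardedHeadersFrom` is a hypothetical extension method and `10.0.0.0/8` is a constructed placeholder for the subnet your proxy or load balancer connects from; accepting `X-Forwarded-Proto` only from that subnet keeps a direct client from choosing the scheme that ends up in the discovery document.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;

public static class TrustedProxyExtensions
{
    // Hypothetical helper, not an ASP.NET Core or IdentityServer API.
    // Usage, as the first middleware in Startup.Configure:
    //     app.UseForwardedHeadersFrom("10.0.0.0/8");   // constructed placeholder subnet
    //     app.UseIdentityServer();                     // must come after
    public static IApplicationBuilder UseForwardedHeadersFrom(
        this IApplicationBuilder app, params string[] trustedCidrs)
    {
        if (trustedCidrs == null || trustedCidrs.Length == 0)
            throw new ArgumentException("At least one trusted proxy network is required.",
                nameof(trustedCidrs));

        var options = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
            RequireHeaderSymmetry = false, // set explicitly, as in the thread
            ForwardLimit = 1               // honour only the hop added by the nearest proxy
        };

        // Drop the loopback-only defaults, then trust just the listed networks
        // instead of leaving both lists empty.
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();

        foreach (var cidr in trustedCidrs)
        {
            var parts = cidr.Split('/');
            if (parts.Length != 2
                || !IPAddress.TryParse(parts[0], out var prefix)
                || !int.TryParse(parts[1], out var length)
                || length < 0
                || length > (prefix.AddressFamily == AddressFamily.InterNetwork ? 32 : 128))
                throw new FormatException($"Not a CIDR network: '{cidr}'");

            // Fully qualified: newer frameworks also define System.Net.IPNetwork.
            options.KnownNetworks.Add(
                new Microsoft.AspNetCore.HttpOverrides.IPNetwork(prefix, length));
        }

        return app.UseForwardedHeaders(options);
    }
}
```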
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.