Identityserver4: Consider updating samples to HTTPS

Created on 19 Feb 2019 · 9Comments · Source: IdentityServer/IdentityServer4

Is your feature request related to a problem? Please describe.
Consider updating sample projects to run on HTTPS ports rather than HTTP this will of course mean that the config files will need to be updated config.cs

Describe the solution you'd like

When you create a new web project they have https enabled (VS 2017) I believe this is default and standard.

Additional context
IMO it would be nice if these samples followed industry standards and used HTTPS. Even though they are just sample projects.

feature request

Source

LindaLawton

👍1

Most helpful comment

>
>

That being said - HTTPS is not really relevant for localhost - and is even in the way for tools like Fiddler and Wireshark.

I would submit that users with advanced enough needs to use Fiddler or Wireshark are the kinds of users that would have no trouble setting up a working endpoint for debugging.

Anything thats in a sample project will probably end up in production.

I agree completely. I suspect the vast majority of people just want to setup a quick token service they can hookup to their api and be off to the races. This seems to me the best reason to make the switch.

fuzzzerd on 22 Feb 2019

👍2

All 9 comments

How does HTTPS make localhost better?

leastprivilege on 20 Feb 2019

That being said - we could move the host to https to avoid the pesky RequireHttpsMetadata everywhere.. @brockallen

leastprivilege on 20 Feb 2019

Just some background:

When we started with IdentityServer - we wanted to do everything "right" and made all hosts and samples run on HTTPS. Our issue tracker was full of issues where people could not get it to work on their machines. In every workshop the better half of the first labs had to deal with how to setup HTTPS properly on all kinds of (corporate) laptops. So at some point we gave up.

We gave that feedback to Microsoft and told them that they should try and make all their templates run on HTTPS by default, just to experience the pain. It turns out they did - and what we have today in 2.2 seems to work (at least on my machine). So we could re-visit this.

That being said - HTTPS is not really relevant for localhost - and is even in the way for tools like Fiddler and Wireshark. So yea - undecided.

leastprivilege on 20 Feb 2019

So yea - undecided.

That's why i said consider. Because I am also undecided. For the exact reasons you mentioned.

I do think that making new projects HTTPS isn't as hard as it once was and its also good practice IMO to make all projects HTTPS because if you do upgrade it to production one day then you have to deal with changing it after its developed and tested which can result in a whole new set of headaches.

For example: I couldn't run my federated gateway code localhost HTTP because it wasn't supported by the system i was connecting to. I had to go though the trouble of updating it. As my identity server was built based originally on your samples. If it had been running HTTPS localhost i wouldn't have had any issues.

Sometimes its better to start as you wish to continue.

_If its the time i am sure you can think of someone who has been happy to update your samples in the past._

LindaLawton on 20 Feb 2019

While I don't miss the confusion with setting up HTTPS, the amount of people I've found with RequireHttpsMetadata = false in production is scary.

scottbrady91 on 21 Feb 2019

Anything thats in a sample project will probably end up in production.

LindaLawton on 22 Feb 2019

👍2

>
>

That being said - HTTPS is not really relevant for localhost - and is even in the way for tools like Fiddler and Wireshark.

I would submit that users with advanced enough needs to use Fiddler or Wireshark are the kinds of users that would have no trouble setting up a working endpoint for debugging.