Identityserver4: When deploying behind a reverse proxy, can a service avoid using the issued URLS?
I'm deploying IS4 along with a client application in Kubernetes. As with most K8s deployments, the internal services communicate via http, and internal service names.
When the client application calls the authority (http://identityserver.publicdomain.com/identity/.well-known/openid-configuration), the first call to the http succeeds thanks to a URL rewrite rule which maps "identityserver.publicdomain.com" to "identityserver-internal-service". When the client application retrieves the config, it appears to make subsequent calls to the https endpoint defined .well-known/openid-configuration. Is there some way to prevent the local service using the public URLs defined in .well-known/openid-configuration?
Relevant Client Setup:
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = "http://identityserver.publicdomain.com/identity";
options.RequireHttpsMetadata = false;
});
Relevant Server Setup:
services.AddIdentityServer
(options => {
options.PublicOrigin = "https://identityserver.publicdomain.com";
options.IssuerUri = "https://identityserver.publicdomain.com";
})
Is there support for the user to visit the https endpoint "https://identityserver.publicdomain.com" and the internal services to visit the http endpoint "http://identityserver-internal-service"?
a-vishar
All 12 comments
As with most K8s deployments
This has been discussed many times already. This is not how OpenID Connect works. The DNS name is the identity of the OIDC provider.
leastprivilege
on 27 Aug 2019
@leastprivilege - I read (I thought) all of the "issues" relating to this subject and was unable to find the information I was looking for, that is likely my fault, please feel free to link me to a relevant issue and I will continue reading :)
It seems as though you are saying that the client application must use the publicly accessible URL that the user will ultimately use, is that correct?
a-vishar
on 27 Aug 2019
yes - all parties must use the same DNS name.
leastprivilege
on 27 Aug 2019
Thank you for the clarification!
a-vishar
on 27 Aug 2019
@leastprivilege - Thinking about this a little more, the URL rewrite works the same as the DNS being the same. The primary issue is that I would like the internal service to use HTTP, and public users to use HTTPS, is this a supported scenario?
a-vishar
on 28 Aug 2019
that would still result in a different issuer URI.
Have you tried setting the issuer name manually?
leastprivilege
on 28 Aug 2019
I did try setting it manually.
When Authority=https & IssuerUri=http, the client application attempts to get openid-configuration via https.
When Authority=http & IssuerUri=https, the user is redirected to the authorize endpoint via http.
a-vishar
on 28 Aug 2019
All set, can we close?
brockallen
on 6 Sep 2019
If you're closing saying not supported, sure :) No resolution was reached, which I'm happy enough with, just want to ensure we're documenting it properly for others who face the same issue!
a-vishar
on 9 Sep 2019
I got the same problem
@a-vishar , @brockallen - is there any working solution for it?
Farzad-Jalali
on 19 Sep 2019
So this is still open. Was there a conclusion? Besides you have to use a correct DNS setup?
leastprivilege
on 9 Oct 2019
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars1.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 10 Jan 2020
Related issues
osudude
路
3Comments
Aravind1729
路
3Comments
wangkanai
路
3Comments
chrisrestall
路
3Comments
agilenut
路
3Comments