This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Authentication redirects to plain HTTP signin-oidc callback #1299

Closed
aevitas opened this issue Jul 4, 2017 · 6 comments

@aevitas

aevitas commented Jul 4, 2017

I am currently running a setup where I am hosting my IdentityServer application on Azure, and the rest of my infrastructure on Docker. HTTPS is provided through a reverse proxy.

When I land on my application via HTTPS, it correctly redirects to identity server over HTTP. The user then provides their credentials, after which IdentityServer redirects it back to my application over plain HTTP.

I'm currently not exposing my application over plain HTTP, and if at all possible, prefer not to expose it over HTTP at all.

My question is, why does IdentityServer use plain HTTP for the callback, and is it possible to change this behaviour through an option I'm missing?

I've tried only providing a HTTPS address for the callback, but that results in an error unfortunately.

Thanks for your time!

@Aniel

Aniel commented Jul 5, 2017

I had a similar problem (docker and reverse proxy) and fixed it with the following code in startup before app.UseIdentityServer():

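```csharp
// Placed in Startup.Configure before app.UseIdentityServer():
// overrides the scheme of every incoming request to "https".
app.Use(async (context, next) =>
{
    context.Request.Scheme = "https";
    await next.Invoke();
});
```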

@sei-jmattson

IdentityServer passes back the protocol it received.

Sounds like your app is running http with a reverse proxy terminating SSL and then forwarding http. Therefore, it is issuing the callback-redirect-url using http.

You should map an X-FORWARDED-PROTO to the request protocol. Kestrel's .UseIISIntegration() should do that, if that applies. Otherwise, in your Startup.cs, configure:

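```csharp
// Requires: using Microsoft.AspNetCore.HttpOverrides;
// Register before app.UseIdentityServer() so later middleware sees the forwarded scheme.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
```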
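
As an added illustration of the forwarded-headers approach in the comment above (not code from this thread or from the IdentityServer project): a Startup for ASP.NET Core 2.x that honours X-Forwarded-Proto only when it comes from a known proxy, and logs requests that still arrive as plain HTTP. The proxy address 10.0.0.10 and network 172.18.0.0/16 are placeholders, and the IdentityServer service registration is omitted as deployment-specific.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // IdentityServer registration (services.AddIdentityServer() plus stores
        // and signing key) is deployment-specific and goes here.

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // From ASP.NET Core 2.0 on, only loopback addresses are trusted by
            // default, so headers from a proxy in another container are ignored
            // until it is listed here. Both values below are placeholders.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                IPAddress.Parse("172.18.0.0"), 16));

            // Process only the value appended by the nearest proxy.
            options.ForwardLimit = 1;
        });
    }

    public void Configure(IApplicationBuilder app, ILogger<Startup> logger)
    {
        // Must run before anything that builds absolute URLs.
        app.UseForwardedHeaders();

        // Diagnostic check: a request that still looks like plain HTTP here
        // either bypassed the proxy or came from an address not trusted above.
        app.Use(async (context, next) =>
        {
            if (!context.Request.IsHttps)
            {
                logger.LogWarning("Non-HTTPS request from {RemoteIp} for {Path}",
                    context.Connection.RemoteIpAddress, context.Request.Path);
            }
            await next();
        });

        app.UseIdentityServer();
    }
}
```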

@leastprivilege
Member

Yep - that's how ASP.NET Core works.

@aevitas
Author

aevitas commented Jul 11, 2017

Thank you guys for the assist - I managed to get it working with the above snippets, and learned something about how ASP.NET Core works.

@wgutierrezr

Hi,

I'm using ASP.Net Core 2.1 and IdentityServer4 and having the same issue after the login is authorized. The callback page http://test.ems.net/signin-oidc returns an empty page with error 404.

Request header:
Host: test.ems.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1612 Cookie: .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJT90TnYvMl8F3mLCAK-uAWfUxRnfSVSWG2sDaIcCfgJQLXBLLVVO22vKddmZSUSdxBp6VU6X4pPDd2bhEIgzkSHxWso0GY3aOcp0rjsCPxZKxEydGGntQKHVN-wytrNSv-QShwJAY-BPJoPY4pus0SHnU8TMdQLtiirSTZjEWFzXKgCjUSVQt7Pvx1k8l5GPcFb0Dk36IPyw0qeJmWGoeBgPZO2lv2BRLkOu-7PRqKjvfvjGp1vKaB9Q62Piy91lDo=N; .AspNetCore.Correlation.oidc.tP5mvB60KVsX6jwQuxbCGABLvSsRXBMy9QAxLnbAAEM=N; .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJSfkdcOdrFRm6NuakDdc6pjqsAHFV30sINZ1Ab2tDHWMX8D-tk8T3oxjEl1IVggERxFSz3MKpoTq7c1-FS5_cPZdJbHMAeSmHPNB0_9vAXRPPQfyCFLQMS-5hv1b5Cj_ayqx2KV2G-Xk6ogUjYcdLnGKptTzCF0CBfoGRvQiaTV5a0A30mpIo2abvvoP1K9J6zV7poWBUdoheW9--EBC189NwRx1ip3vaUGqSO0YsXvjxxu7dhCxKHYG-f5Ss9KkzE=N; .AspNetCore.Correlation.oidc.byOSCm3Z18EOYK2g3Ty4Cb7bjOW2YiCZNM7aazhzmuE=N; .AspNetCore.OpenIdConnect.Nonce.CfDJ8PB7g-EnrphIjAiOy7MzaJQddbLcPdIXdzDQNI7jG10PHt1Acnnp2HnrNmqbIBpza-3r83M7W2Q_ambQH6uKw_uyy0jI7R7Nf3B6qARkoBqYU_BxOoaW6uUIjGoxwTrttdvQaW9fvwFcxIvKKKXIr7tbEHY8M3Fglsw__ST0R4d28r1wK6_7xh2yGuhOhYClmnD4aNpXQuyEfVDndN9doS4tk_aLMUUXTRhpSNDq4mX1Sz64nI79tBjKzmiLkqTyy4_zIMkIt2ur-nG4wgt9tno=N; .AspNetCore.Correlation.oidc.BUVGAC2UC7mkbV6_OtVSda9DmH6FAh9h03-Xua_cqIc=N DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0

Response Header:

```
HTTP/1.1 404 Not Found
Server: Kestrel
X-Powered-By: ASP.NET
Date: Thu, 04 Oct 2018 12:36:00 GMT
Content-Length: 0
```

Firefox error message:
The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature.

My log text:
```
2018-10-04 08:46:43.219 : Information => 0 - Authorize endpoint response
{
"SubjectId": "1",
"ClientId": "EMS_WebApp",
"RedirectUri": "http://test.ems.net/signin-oidc",
"State": "CfDJ8PB7g-EnrphIjAiOy7MzaJRb1lkrRjfrD1i-DStJUMXu5YvWwiShBuvPXcvjnN6k1LmEOiH42GZly75kf5ADbba6B1WFnHOynLTV5nlMRwfnRFPGW_t6MFH9YJvriIwzrubgTQZRD1vYzmiciK60dlzg6fyhyXGH--TtoxuC6b2y3AUMTXJ4ru7RnS2ggodAUWO6vzvsH-wGIlB19uZUHkRXAz3RTsksCtYg91fnA7UG6d1SVy0p-akpDEnJOsHTqFN2qu3UWHZ4GX6T5QlFuqgBl4HpvlHCfvXp1U_p04217E1QF10AI_7B7OdDSNUFlg",
"Scope": "openid profile"
} - *
2018-10-04 08:46:43.22 : Debug => 0 - Augmenting SignInContext - *
2018-10-04 08:46:43.22 : Information => 10 - AuthenticationScheme: idsrv signed in. - *
2018-10-04 08:46:43.22 : Information => 2 - Request finished in 8.1483ms 200 text/html; charset=UTF-8 - *
2018-10-04 08:46:43.586 : Information => 1 - Request starting HTTP/1.1 POST http://test.ems.net/signin-oidc application/x-www-form-urlencoded 1612 - *
2018-10-04 08:46:43.586 : Information => 2 - Request finished in 0.5654ms 404 - *
2018-10-04 08:46:43.586 : Information => 32 - Connection id "0HLH9UN00CBF8", Request id "0HLH9UN00CBF8:00000002": the application completed without reading the entire request body. - *
```

The same application, IdentityServer and Clients work perfectly on my localhost; after publishing to Windows Server 2012 R2 and IIS 8.5, the issue happens after the login.

Please help.

Regards.

@lock

lock bot commented Jan 12, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 12, 2020