The redirect URI always uses HTTP instead of HTTPS #75
Comments
Thanks for reporting. This hasn't come up as an issue before. And I believe our SDK does nothing specific with the redirect Uri that would cause this. That would allow us to help investigate what is causing this.
I've tried to deploy to Heroku your sample app, but somehow it cannot start. From Heroku's logs, I get this:
Then the app goes to "crashed" status. This might be because I've deployed it on a free dyno, which may have lower specs. If you wish to take a look at a minimal repro, which I referred to in my initial post, I've uploaded it here: (https://github.com/savissimo/test-auth0-aspnetcore). If you want to see it in action, I'll re-deploy it on Heroku (currently it's serving your sample app).
Can you elaborate what Heroku has to do with any of this? You should be able to try the sample I shared locally.
Sorry that I was not clear before. I have no issue when using
Can you reproduce the behavior locally with HSTS and HTTPS redirection?
No, I cannot. The redirect URI is always HTTPS in local, if I login from Note that I've found a workaround, so this issue is not blocking me now, but I'd much rather come to a better understanding of what causes it. The workaround is, of course, "forcing" the
I don't think our SDK does much with the redirect uri, other than passing it to the OIDC middleware. I think we should be looking at Microsoft's middleware and why it's not able to detect
In
Thank you @frederikprijck, I'll try to find that out as soon as I have the time to add logs and deploy.
OK, I've recovered the code (it was on a different pc) and I've uploaded it to Heroku. This is what I got (notice the two It looks like the server is not detecting the Scheme correctly. This happens even before being redirected to OIDC, and I "fixed" that by rewriting the redirect URL. However, even if the redirect goes to I'll try to research into that. Do you have any idea why the
I think this could be related to how HSTS and HTTPS Redirection is set up. I am not too familiar with it in the sense that I can be very helpful, but it looks unrelated to our SDK.
Closing as I don't think there is anything we can do.
Usually in cloud infra, you'd have a LB in front of the spring-boot-app. The traffic from browser to this LB will be HTTPS, but the traffic from this LB to your spring-boot-app will be http, that's why scheme detection is http. There are configurations in application.properties you can add to apply LB's headers. I think it's called
I think we're hitting this issue as well. We are running in a container as http, but the public endpoint is https. We're forwarding the
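The two comments above describe the usual cause: TLS terminates at the load balancer, the app receives plain HTTP, and `Request.Scheme` (which the OIDC middleware uses to build the redirect URI) stays `http` unless the proxy's `X-Forwarded-Proto` header is honoured. In ASP.NET Core that is done by the Forwarded Headers middleware, which must run before HSTS, HTTPS redirection and authentication. The following `Program.cs` is an added example written for this thread, not code from the issue, from the reporter's repro, or from the Auth0 SDK; it assumes .NET 6 minimal hosting, a proxy at the placeholder address `10.0.0.5`, configuration keys `Auth0:Domain` and `Auth0:ClientId`, and that `AddAuth0WebAppAuthentication` is the SDK's registration call for the version you use (check its README).

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Tell the framework which forwarded headers to apply and which proxies to trust.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // By default only loopback is trusted. A load balancer on another host is
    // therefore ignored and Request.Scheme silently stays "http", which is the
    // symptom in this issue. Clear the defaults and add the proxy you actually use.
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // placeholder: your LB's address
});

// Assumed SDK registration call (Auth0.AspNetCore.Authentication); adjust to your version.
builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.ClientId = builder.Configuration["Auth0:ClientId"];
});

var app = builder.Build();

// Order matters: forwarded headers must be applied before any middleware that
// reads Request.Scheme or Request.Host (HSTS, HTTPS redirection, OIDC challenge).
app.UseForwardedHeaders();
app.UseHsts();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint: shows the scheme the app believes it was reached with.
// Behind a correctly configured proxy this returns "https://<public host>".
app.MapGet("/scheme", (HttpRequest req) => $"{req.Scheme}://{req.Host}");

app.Run();
```

Two notes a practitioner will want. First, on platforms where the proxy address is not fixed (a Heroku router, many container platforms), the common configuration is to clear both `KnownProxies` and `KnownNetworks` and add nothing; the environment variable `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` does exactly that for you. That is only safe when the app cannot be reached except through the proxy, because any client that can connect to it directly could then set `X-Forwarded-Proto` and `X-Forwarded-For` itself and have the app believe the request was HTTPS from a different address. Second, the `/scheme` endpoint (or equivalent logging of `Request.Scheme`, as suggested earlier in the thread) is the quickest way to tell whether the header is being honoured before touching the OIDC configuration at all.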
Describe the problem
The redirect URI always uses HTTP instead of HTTPS. As a consequence, the login page fails to load, since the redirect URI is not among the allowed ones.
What was the expected behavior?
The redirect URI follows the scheme of the URL of the document the request came from, or it should be possible to specify the scheme per request.
Reproduction
- localhost
- ./account/profile (not linked in the page) to request a page that needs authorization.
- redirect_uri field causes the issue.

Environment
- Auth0.AspNetCore.Authentication version 1.0.3