Redirect URI sent as HTTP and not HTTPS in app running HTTPS
The solution was quite simple. By setting UseForwardedHeaders it now sends all the requests as HTTPS.
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto
    });
"Correlation failed." is now fixed and I no longer need to have HTTP and HTTPS redirect URIs.
DaImTo
Updated on June 12, 2022
Comments
-
DaImTo almost 2 years
I have an ASP.NET Core MVC app which connects to an Identity Server 4 for authentication. It is hosted in a Docker swarm.
MVC app is hosted on https://XXXXXXX
ConfigureServices
    services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            //options.DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"C:\temp-keys\"));

            // when the identity has been created from the data we receive,
            // persist it with this authentication scheme, hence in a cookie
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

            // Identity server endpoint
            options.Authority = settingsSetup.IdentityServerEndpoint;

            // Client id to login with
            options.ClientId = settingsSetup.ClientId;

            // Client secret.
            options.ClientSecret = settingsSetup.Secret;

            // Scope of our API
            options.Scope.Add("testapi");
            options.Scope.Add("devconsole");

            // adding offline_access to get a refresh token
            options.Scope.Add("offline_access");

            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
        });
When I try to run the app I get a redirect URI mismatch error.
    Invalid redirect_uri: http://developerconsole.XXXXX.io/signin-oidc
    {
      "ClientId": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
      "ClientName": "Developer Console",
      "AllowedRedirectUris": [
        "http://localhost:55000/signin-oidc",
        "http://localhost:55000/auth.html",
        "http://localhost:55000/auth-silent.html"
        "https://developerconsole.XXXXX.io/signin-oidc"
      ],
      "SubjectId": "21379983",
      "RequestedScopes": "",
      "Raw": {
        "client_id": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
        "redirect_uri": "http://developerconsole.XXXXX.io/signin-oidc",
        "response_type": "code id_token",
        "scope": "openid profile testapi devconsole offline_access",
        "response_mode": "form_post",
        "nonce": "636625889658410682.MjNlMmQwNjgtZmY0MC00MmVkLWFiNmMtN2M2YmQ5YTM5ZTQ3NjFiYzI2ZjktZWM0Yi00NDk3LTk1ZWMtNjJkYjViMDYwMTJm",
        "state": "CfDJ8Pwa8A3ipXlKtuyxNMpMxAz5QUFmdSunRKdlKS9sS390AKp8gIUZShQUMMCkFAhYLytitgsXUBgwlQDJaJvtHFqzHygLCPwS8Jab6IJzhpry90qS51E1y_eRlppamRDOzYDZ6fcDFzWV1U43BTP2B6pnPTSLNcZRaooyGBXtNokeUqOJ--u-_MOQB8Bw3n2cRyV4kisHNkslD1Gsi2wn1Cx6aTVlqzw_pxHelAXm1P8FyDJpD7G0azFgKgpQF0DRJtC5penRJQzHIHvQN8v4ECGeuSD1zlyfJYClLO2r6kY_R2OYqtBkV0r_SNc9h7xUYmnVaHKQzYqVc_mJO4iLLSMTZrBUICZWR8c4PZw0Os3N",
        "x-client-SKU": "ID_NET",
        "x-client-ver": "2.1.4.0"
      }
    }
The error is coming because I have "https://developerconsole.XXXXX.io/signin-oidc" as a redirect URI and not "http://developerconsole.XXXXX.io/signin-oidc".
I don't want to add HTTP redirect URIs. Why is my app building the redirect URI as http and not https?
If I do add the HTTP one I am getting an annoying Correlation error, which I think is due to the fact that it's being returned by the server as https since the server automatically converts http to https.
    An unhandled exception occurred while processing the request.
    Exception: Correlation failed.
    Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()

    Stack Query Cookies Headers
    Exception: Correlation failed.
    Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
    System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext()
    System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()
I probably don't need to mention this works fine on localhost :/
-
Adam almost 6 years
This answer only moves the destination from http to https, it doesn't make links render in https.
-
Suketu Bhuta almost 5 years
In case the app is being deployed on Linux (say a .NET Core app on a Linux Docker container), in addition to setting the Forward headers I also had to clear out the KnownNetworks and KnownProxies to make sure the redirect URL remained https. See docs.microsoft.com/en-us/aspnet/core/host-and-deploy/… for more details.
-
avg_bloke over 4 years
@SuketuBhuta That bit of info was really useful
-
Vibhanshu Biswas about 4 years
We had to use this solution because we redirected HTTP to HTTPS in the NGINX conf behind an AWS ELB, and it worked like a charm for us.
-
David over 3 years
@SuketuBhuta how/where/when did you clear out the KnownNetworks and KnownProxies?
-
Suketu Bhuta over 3 years
@David, see this section of the article I've linked above: docs.microsoft.com/en-us/aspnet/core/host-and-deploy/…, basically you clear after setting the ForwardingHeader. Hope this helps.
-
Enrico over 2 years
I had to add both .addForwardedheaders and .useforwardedheaders(). See my answer here: stackoverflow.com/a/68757575/7064454
-
DaImTo over 2 years
Have you tested with .NET 6?
-
Kamil over 2 years
No, I haven't updated the project yet. When I do, I will also edit this response.
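
The UseForwardedHeaders fix from the answer combined with the KnownNetworks/KnownProxies point raised in the comments, as an added example that is not code from the original thread. The 10.0.0.0/24 proxy range, the /debug/scheme path and the cookie-only authentication stand-in are assumptions; substitute the network your reverse proxy actually uses.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Only the scheme is needed to get an https redirect_uri.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // The defaults trust loopback only, so a header set by a proxy in
            // another container is ignored and Request.Scheme stays "http".
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();

            // With both lists empty the header is accepted from any sender.
            // Re-add the proxy's range so only it can set the scheme.
            // 10.0.0.0/24 is a placeholder (assumption), not a value from the page.
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                IPAddress.Parse("10.0.0.0"), 24));
        });

        // Stand-in for the cookie + OpenID Connect registration in the question.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication, which builds redirect_uri from
        // Request.Scheme and Request.Host.
        app.UseForwardedHeaders();
        app.UseAuthentication();

        // Diagnostic endpoint (hypothetical path): returns the scheme the app sees.
        app.Map("/debug/scheme", branch =>
            branch.Run(ctx => ctx.Response.WriteAsync(ctx.Request.Scheme)));
    }
}
```

Requested through the proxy, /debug/scheme should return https; a request that reaches the app from outside the trusted range should still return http even if it carries its own X-Forwarded-Proto header.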