
ASP.NET Core passing HTTP (not HTTPS) redirect URL in OAuth challenge when hosted in Linux container [duplicate]

I have an implementation of Identity Server 4 which offers an option to sign in with Google. The app is registered with Google's developer console and has worked for some time when hosted on a Windows VM.

I've recently containerised this application and deployed it to a Linux container hosted as an Azure app service. I haven't changed any of the app code. The Azure app service is configured to serve HTTPS only, and I've verified the traffic is strictly secured with SSL certificates both between client browsers and Cloudflare (my DNS provider) and between Cloudflare and origin.

Here's what the Google OAuth button looks like. You can see it's a valid SSL connection:

enter image description here

Here's the code which registers this OAuth provider:

        services.AddAuthentication()
            .AddGoogle("Google", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                options.ClientId = _externalAuthConfig.Google.ClientId;
                options.ClientSecret = _externalAuthConfig.Google.ClientSecret;
            });

I've confirmed the client and secret are valid. Here's the code executed when the button is clicked. You see this is all standard stuff.

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
[Route("challenge")]
public IActionResult ExternalLogin(
    [FromForm] string provider, 
    [FromQuery] string returnUrl = null)
{
    // Request a redirect to the external login provider.
    var redirectUrl = Url.Action(nameof(ExternalLoginCallback), new { returnUrl });
    var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return Challenge(properties, provider);
}

However, in this containerized world, when the browser is redirected to Google, this is what I see:

enter image description here

Notice the http:// in the redirect URL. Obviously the error is occurring because I only registered the HTTPS redirect URL. The same code running on a Windows VM correctly passes an HTTPS redirect URL in the querystring. I have no idea why this unsecure URL is being used in this containerised environment. The only difference as far as I can tell is the hosting infrastructure.

In case it's important, this new site uses the built-in Kestrel web server, whereas the old Windows version used IIS in front.

Anyone have any idea? I'm stumped!

Tom Troughton asked Jun 24 '26 08:06


1 Answer

Typical, I found the solution in the answer from @FerronSW on this SO question 30 minutes after posting my question.

The solution is to add the following code to your Startup:

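// Requires: using Microsoft.AspNetCore.HttpOverrides;
// Register this before the authentication middleware so Request.Scheme is
// corrected before the OAuth redirect URL is built.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedProto
});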

Tested and works.

Tom Troughton answered Jun 27 '26 02:06
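
The redirect URL in the OAuth challenge is built from Request.Scheme, which is http when a proxy terminates TLS in front of Kestrel. The following is an added example (not the poster's code) of the same fix with trust in the forwarded header scoped to a known proxy; it assumes the classic Startup class, and the proxy address 10.0.0.100 is a placeholder.

```csharp
// Added example, not from the original post.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Kestrel receives plain HTTP from the TLS-terminating proxy;
            // X-Forwarded-Proto carries the scheme the browser actually used.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // The defaults trust loopback peers only. Add the proxy that sits
            // directly in front of the container (placeholder address).
            // Do not clear both KnownProxies and KnownNetworks: with both lists
            // empty the middleware accepts the headers from any peer.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));

            // Process a single hop (the default), so entries a client injects
            // further left in the header chain are ignored.
            options.ForwardLimit = 1;
        });

        services.AddAuthentication(); // .AddGoogle(...) as in the question
    }

    public void Configure(IApplicationBuilder app, ILogger<Startup> logger)
    {
        // Must run before any middleware that builds absolute URLs.
        app.UseForwardedHeaders();

        // Diagnostic: log the scheme the app believes it is serving and the
        // peer address, to confirm the header is honoured only via the proxy.
        app.Use(async (context, next) =>
        {
            logger.LogInformation("Scheme={Scheme} Remote={Remote}",
                context.Request.Scheme, context.Connection.RemoteIpAddress);
            await next();
        });

        app.UseAuthentication();
    }
}
```

If the log line still shows Scheme=http for requests arriving through the proxy, the peer address is not in the trusted lists and the header is being ignored.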


