ASP.NET OAuth having issues with URL Rewrite

Question

My production setup is as follows:

• M1 – ASP.NET Website
• M2 - IIS URL Rewrite 2.0 + ARR 3.0

Using IIS URL Rewrite, any request to M2, say http://m2/app/login.aspx will be redirected to M1 as http://m1/app/login.aspx.

On M1, ASP.NET Open Auth has been implemented on the website to use Google external authentication. When user clicks the Google button, the browser will be redirected to the Google login page to allow the user to authenticate.

But when the website is accessed from M2, the redirection url generated by .net oAuth(https://accounts.google.com/[query-string]) to redirect to Google, is being replaced by URL Rewrite as http://m2/[query-string].

So just to be clear; when the request is made to authenticate via an external authentication provider a 302 redirect is returned. Often the form of this may look like:

Response Headers:

...

Location: https://accounts.google.com/o/oauth2/auth?big_long_query_string

...

This redirect is created by a server (M1) that sits behind the proxy server (M2 - IIS URL Rewrite 2.0 + ARR 3.0). So the rewrite server rewrites the Location header to:

Response Headers:

...

Location: http://M1/o/oauth2/auth?big_long_query_string

...

What we need is a rule that does not rewrite the location URL on redirection. It can only target certain redirects as well. Most of the time the behaviour mentioned here is wanted as all redirects are redirected to the main proxy server. Can someone suggest a solution or workaround for certain redirects?

Answer 1

Check out Application Request Routing settings under IIS > [SERVER] > Application Request Routing and on Actions side bar Server Proxy Settings > for Reverse rewrite host in response headers. For the behavior you desire, uncheck the checkbox. That's is a server level setting, use responsibly.

You can also edit %WinDir%\System32\Inetsrv\Config\applicationHost.config. Basically insert/update the following line in the file between <system.webServer> tags.

<proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />

I would assume this setting to be available per site too, but my attempts on web.config files for proxy settings didn't confirm that.

Answer 2

I was able to solve the same issue with an outbound rule in IIS. So You have to create an outbound rule in IIS in URL rewrite module to modify the location header. You have to check for the 302 status header as a condition and provide match URL and action URL for Location header. Below is the steps from referred article.

Modifying Location Header with IIS URL Rewrite

1. Go to the URL Rewrite feature for your site and click Add Rule(s)…
2. Select from the Precondition drop-down.
3. Click Add in the dialog that appears
4. Enter {RESPONSE_STATUS} in the Condition input field and 3[0-9][0-9] in the pattern field.
5. Click OK.
6. Select Server Variable from the Matching scope drop-down.
7. Enter RESPONSE_Location as the Variable name.
8. In the Pattern field enter a regex to match the URLs your backend system is producing (e.g. http://local/page)
9. In the Action Value box enter the correct URL (e.g. http://example.com/page)
10. Click Apply and your done!

Reference: Handling 301 and 302 redirects with IIS 7 URL Rewrite