Menu
I have an Asp .net core MVC app. Which connects to an Identity Server 4 for authentication. Hosted in a docker swarm
MVC app is hosted on https://XXXXXXX
ConfigurServies
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
//options.DataProtectionProvider = DataProtectionProvider.Create(new DirectoryInfo(@"C:\temp-keys\"));
// when the identity has been created from the data we receive,
// persist it with this authentication scheme, hence in a cookie
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// Identity server endpoint
options.Authority = settingsSetup.IdentityServerEndpoint;
// Client id to login with
options.ClientId = settingsSetup.ClientId;
// Client secret.
options.ClientSecret = settingsSetup.Secret;
// Scope of our API
options.Scope.Add("testapi");
options.Scope.Add("devconsole");
// adding offline_access to get a refresh token
options.Scope.Add("offline_access");
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
});
When I try to run the app I get a redirect uri miss match error.
Invalid redirect_uri: http://developerconsole.XXXXX.io/signin-oidc
{
"ClientId": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
"ClientName": "Developer Console",
"AllowedRedirectUris": [
"http://localhost:55000/signin-oidc",
"http://localhost:55000/auth.html",
"http://localhost:55000/auth-silent.html"
"https://developerconsole.XXXXX.io/signin-oidc"
],
"SubjectId": "21379983",
"RequestedScopes": "",
"Raw": {
"client_id": "BB1D2DA8-D7E4-4AF5-94FA-19EAD6B7D711.apps.XXXXX.biz",
"redirect_uri": "http://developerconsole.XXXXX.io/signin-oidc",
"response_type": "code id_token",
"scope": "openid profile testapi devconsole offline_access",
"response_mode": "form_post",
"nonce": "636625889658410682.MjNlMmQwNjgtZmY0MC00MmVkLWFiNmMtN2M2YmQ5YTM5ZTQ3NjFiYzI2ZjktZWM0Yi00NDk3LTk1ZWMtNjJkYjViMDYwMTJm",
"state": "CfDJ8Pwa8A3ipXlKtuyxNMpMxAz5QUFmdSunRKdlKS9sS390AKp8gIUZShQUMMCkFAhYLytitgsXUBgwlQDJaJvtHFqzHygLCPwS8Jab6IJzhpry90qS51E1y_eRlppamRDOzYDZ6fcDFzWV1U43BTP2B6pnPTSLNcZRaooyGBXtNokeUqOJ--u-_MOQB8Bw3n2cRyV4kisHNkslD1Gsi2wn1Cx6aTVlqzw_pxHelAXm1P8FyDJpD7G0azFgKgpQF0DRJtC5penRJQzHIHvQN8v4ECGeuSD1zlyfJYClLO2r6kY_R2OYqtBkV0r_SNc9h7xUYmnVaHKQzYqVc_mJO4iLLSMTZrBUICZWR8c4PZw0Os3N",
"x-client-SKU": "ID_NET",
"x-client-ver": "2.1.4.0"
}
}
The error is coming because i have "https://developerconsole.XXXXX.io/signin-oidc" as a redirect uri and not "http://developerconsole.XXXXX.io/signin-oidc" I dont want to add HTTP redirect uris.
Why is my app building the redirect uri has http and not https?
If i do add the HTTP on i am getting an annoying Correlation error. which i think is due to the fact that its being returned by the server as https since the server automatically converts http to https.
An unhandled exception occurred while processing the request. Exception: Correlation failed. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
Stack Query Cookies Headers Exception: Correlation failed. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext() System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()
I probably dont need to mention this works fine on localhost :/
666
http URI schemes are acceptable because the redirect never leaves the device. As such, both of these URIs are acceptable: http://localhost/myApp. https://localhost/myApp.
Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application.
Your redirect URI will typically have the format https://engage-app name.rpxnow.com/facebook/callback. For example, if your Engage app has the name my--test-app, your redirect URI would be https://my-test-app.rpxnow.com/facebook/callback. Show activity on this post.
A redirect URI, or reply URL, is the location that the authorization server will send the user to once the app has been successfully authorized, and granted an authorization code or access token.
an HTTPS request is exactly an HTTP request but transmitted over a secure (TLS/SSL) connection The web server encrypts the HTTP response and sends it to the client’s browser. Now when a redirect happens, we still go through the first two steps. However, the server will respond with the redirect code and location over a secure connection.
Redirect URIs must begin with the scheme https. There are some exceptions for localhost redirect URIs. Redirect URIs are case-sensitive and must match the case of the URL path of your running application. For example, if your application includes as part of its path .../abc/response-oidc, do not specify .../ABC/response-oidc in the redirect URI.
To add redirect URIs with an HTTP scheme to app registrations that sign in work or school accounts, use the application manifest editor in App registrations in the Azure portal. However, though it's possible to set an HTTP-based redirect URI by using the manifest editor, we strongly recommend that you use the HTTPS scheme for your redirect URIs.
The solution was quite simple. By setting UseForwardedHeaders it now sends all the requests as HTTPS.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedProto
});
Correlation failed.
is now fixed and i no longer need to have a http and https redirect uris.
161
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With