 

Set OpenID Connect CallbackPath to HTTPS

I have a .Net Core 3.1 application that is hosted in AWS behind an https load balancer. To the outside world it is an https site, but to AWS internally it runs on http behind the balancer.

Because of this the OpenID Connect middleware is redirecting to the HTTP path instead of HTTPS.

Is there any way to force OpenID Connect to use https pathing?

.AddOpenIdConnect("oidc", options =>
{
    var oauthConfig = Configuration.GetSection("OAuthConfiguration").Get<OAuthConfiguration>();

    options.Authority = oauthConfig.Authority;
    options.ClientId = oauthConfig.ClientId;
    options.ClientSecret = oauthConfig.ClientSecret;
    options.ResponseType = "code";
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;
    // Relative path; the middleware prefixes it with Request.Scheme and Request.Host
    options.CallbackPath = "/signin-oidc";
});

When the authorization request is made this generates this redirect uri

"RedirectUri": "http://demo.mysite.com/signin-oidc"

I cannot hardcode a path into the CallbackPath because my application runs multitenancy and the URL is different depending upon routing.

A. Hasemeyer asked Oct 16 '22 02:10


2 Answers

You can force the provider to rewrite your callback url in https like this

options.Events = new OpenIdConnectEvents()
{
    OnRedirectToIdentityProvider = context =>
    {
        // Rewrite only the scheme (and drop the port); host and path are kept
        var builder = new UriBuilder(context.ProtocolMessage.RedirectUri);
        builder.Scheme = "https";
        builder.Port = -1;
        context.ProtocolMessage.RedirectUri = builder.ToString();
        return Task.FromResult(0);
    }
};
Aurelien BOUDOUX answered Oct 21 '22 02:10


The redirect URI should be an HTTPS value:

  • Login response returned to https://web.mycompany.com/myapp?code=a0wfd78
  • Load balancer routes the response to http://server1/myapp?code=a0wfd78

In terms of multitenancy I would try to avoid interfering with the Open Id Connect login process and instead use the same callback path for all users. That is the standard behaviour, and using things like wildcards in redirect URIs can create security vulnerabilities.

Not sure I fully understand your requirements related to multitenancy, so if this doesn't work for you, please post some further details on how you want it to work.

.Net Core has events you can override, such as this one, if the redirect URI needs to be calculated at runtime:

options.Events.OnRedirectToIdentityProvider = (context) =>
{
    // <load balanced value> is the public https URL the load balancer exposes
    context.ProtocolMessage.RedirectUri = <load balanced value>;
    return Task.CompletedTask;
};
Gary Archer answered Oct 21 '22 03:10
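The approach from both answers, written out as a complete registration, as an added example that is not code from the question or either answer: the redirect URI that the middleware builds from the internal http request is rewritten to https in OnRedirectToIdentityProvider, the host chosen by tenant routing is left untouched, and the same rewrite is applied to the post-logout redirect, which has the same scheme problem. The OAuthConfiguration class, the "OAuthConfiguration" section name and the cookie scheme wiring are assumptions.

```csharp
// Added example, not from the original question or answers.
// Assumptions: OAuthConfiguration class and "OAuthConfiguration" section name.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class OAuthConfiguration
{
    public string Authority { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}

public static class OidcHttpsCallback
{
    // Rewrites the scheme of an absolute URI to https and drops any explicit
    // port, so "http://demo.mysite.com/signin-oidc" becomes
    // "https://demo.mysite.com/signin-oidc". Host and path are preserved, so
    // the tenant host selected by routing survives the rewrite.
    public static string ForceHttps(string uri)
    {
        var builder = new UriBuilder(uri) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }

    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        var oauthConfig = configuration.GetSection("OAuthConfiguration").Get<OAuthConfiguration>();

        services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = "oidc";
            })
            .AddCookie()
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = oauthConfig.Authority;
                options.ClientId = oauthConfig.ClientId;
                options.ClientSecret = oauthConfig.ClientSecret;
                options.ResponseType = "code";
                options.GetClaimsFromUserInfoEndpoint = true;
                options.SaveTokens = true;
                options.CallbackPath = "/signin-oidc";
                options.SignedOutCallbackPath = "/signout-callback-oidc";

                // The middleware builds RedirectUri from Request.Scheme, which is
                // "http" behind the balancer. Rewrite it before the request to the
                // identity provider is issued.
                options.Events.OnRedirectToIdentityProvider = context =>
                {
                    context.ProtocolMessage.RedirectUri =
                        ForceHttps(context.ProtocolMessage.RedirectUri);
                    return Task.CompletedTask;
                };

                // The post-logout redirect is built the same way and needs the same fix.
                options.Events.OnRedirectToIdentityProviderForSignOut = context =>
                {
                    if (!string.IsNullOrEmpty(context.ProtocolMessage.PostLogoutRedirectUri))
                    {
                        context.ProtocolMessage.PostLogoutRedirectUri =
                            ForceHttps(context.ProtocolMessage.PostLogoutRedirectUri);
                    }
                    return Task.CompletedTask;
                };
            });
    }
}
```

Two practical points. The identity provider compares redirect_uri against the client's registered values exactly, so each tenant's https callback (https://demo.mysite.com/signin-oidc and so on) must be registered individually rather than through a wildcard, which is the concern the second answer raises. And if the load balancer sends an X-Forwarded-Proto header, an alternative to the event handler is ASP.NET Core's forwarded headers middleware (app.UseForwardedHeaders with ForwardedHeaders.XForwardedProto, restricted to the balancer's addresses via KnownProxies or KnownNetworks), which corrects Request.Scheme itself so the middleware computes the https redirect URI without any event code.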