Setup Identity Server 4 Reverse proxy

Edit: more detailed explanation

We have the following setup:

  1. NGINX reverse proxy set to do SSL offload. All internal communication goes through HTTP. The setup of the redirect is like this:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Original-Proto $scheme;
    proxy_cache_bypass $http_upgrade;

  2. IS4 has the following setup before app.UseIdentityServer

    var forwardedHeaderOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };
    forwardedHeaderOptions.KnownNetworks.Clear();
    forwardedHeaderOptions.KnownProxies.Clear();
    app.UseForwardedHeaders(forwardedHeaderOptions);

  3. On the client side RequireHttpsMetadata is being set to FALSE

  4. On the IS4 side all the Clients are configured to have HTTPS addresses for "RedirectUris" and "PostLogoutRedirectUris".

  5. On the Client side IdentityServerAuthenticationOptions are configured like this:

    new IdentityServerAuthenticationOptions
    {
        Authority = "https://[OAUTH_ADDRESS]",
        ApiName = "[API_NAME]",
        ApiSecret = "[API_SECRET]",
        RequireHttpsMetadata = false
    }

What actually happens is that when we try to visit one of our Clients registered in IS4 and the request is redirected to IS4 for authentication, we get an "Unauthorized client" message screen. Furthermore, after inspecting the query string of the redirected request, we can see that the return URL is HTTP instead of HTTPS.

Please advise.

Treach asked Oct 16 '17 14:10


2 Answers

The default behaviour of Identity Server's discovery endpoint is to use the scheme (Http vs Https) from the request that was made to the endpoint.

Since your identity server is being hit using HTTP (since it's behind the reverse proxy) the endpoint information it's giving out will also use HTTP.

You can see this for yourself by navigating to http://[OAUTH_ADDRESS]/.well-known/openid-configuration

The latest version of Identity Server includes an origin option that allows you to force the base URL to HTTPS. Use as follows:

    services.AddIdentityServer(options =>
    {
        options.PublicOrigin = "https://[OAUTH_ADDRESS]";
    });
Ben Cull answered Oct 21 '22 15:10


Your setup may vary, but in case you are still on IdentityServer version < 2, I remember that setting RequireHeaderSymmetry = false as well worked for us:

    var forwardOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
        RequireHeaderSymmetry = false
    };

    forwardOptions.KnownNetworks.Clear();
    forwardOptions.KnownProxies.Clear();
    app.UseForwardedHeaders(forwardOptions);

The issue has been discussed here as well.

Dan Dohotaru answered Oct 21 '22 15:10
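As an added illustration (not code from the question or either answer), here is the PublicOrigin fix from the accepted answer combined with the forwarded-headers setup from the question and the second answer, with proxy trust narrowed to the NGINX address instead of cleared entirely. The 10.0.0.5 address is an assumed placeholder for the proxy, [OAUTH_ADDRESS] is the page's own placeholder, and PublicOrigin is assumed available as in the IdentityServer4 version the accepted answer refers to.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Advertise the public HTTPS origin in the discovery document even though
        // NGINX reaches IdentityServer over plain HTTP (the option named in the accepted answer).
        services.AddIdentityServer(options =>
        {
            options.PublicOrigin = "https://[OAUTH_ADDRESS]";
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        var forwardedHeaderOptions = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
            // Exactly one proxy (NGINX) sits in front of the app, so honour only one hop
            // of X-Forwarded-For / X-Forwarded-Proto.
            ForwardLimit = 1
        };

        // Calling KnownNetworks.Clear() and KnownProxies.Clear() with nothing added back
        // makes the app accept X-Forwarded-* headers from any sender, so a request that
        // bypasses NGINX could claim an arbitrary source IP or scheme. Trust only the proxy.
        forwardedHeaderOptions.KnownNetworks.Clear();
        forwardedHeaderOptions.KnownProxies.Clear();
        // Assumed placeholder for the NGINX address; use the loopback address instead when
        // NGINX runs on the same host as IdentityServer.
        forwardedHeaderOptions.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));

        // Must run before UseIdentityServer so the request scheme is already https
        // when IdentityServer builds its redirect and return URLs.
        app.UseForwardedHeaders(forwardedHeaderOptions);
        app.UseIdentityServer();
    }
}
```

After deploying, confirm the fix by fetching http://[OAUTH_ADDRESS]/.well-known/openid-configuration through the proxy and checking that the issuer and every endpoint URL now start with https.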