Wrong configuration when running behind https load balancer #363

Closed
jayrulez opened this issue Feb 23, 2017 · 4 comments
@jayrulez

If HTTPS is used to access the configuration, e.g.:
https://account.caricoin.com/.well-known/openid-configuration

I expect the configured endpoints to show https. Instead, they are showing http.

{
    "issuer": "http://account.caricoin.com/",
    "authorization_endpoint": "http://account.caricoin.com/connect/authorize",
    "token_endpoint": "http://account.caricoin.com/connect/token",
    "introspection_endpoint": "http://account.caricoin.com/connect/introspect",
    "end_session_endpoint": "http://account.caricoin.com/connect/logout",
    "userinfo_endpoint": "http://account.caricoin.com/userinfo",
    "jwks_uri": "http://account.caricoin.com/.well-known/jwks",
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "response_types_supported": ["token", "code", "code token", "id_token", "id_token token", "code id_token", "code id_token token"],
    "response_modes_supported": ["form_post", "fragment", "query"],
    "scopes_supported": ["openid", "profile", "email", "phone", "roles", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],
    "subject_types_supported": ["public"]
}

The application is running on http://localhost:5005 on the server behind the load balancer which is accessed via https (typical reverse proxy setup).

@kevinchalet
Member

Not an OpenIddict issue. Your app is simply not configured to restore the real scheme from the proxy headers.

Read aspnet/Security#929 for more information.

@AndreyKrivcov

Hi @kevinchalet, can you please suggest how to fix a similar problem? I configured my project to have the correct scheme, host and PathBase:

app.Use((context, next) =>
{
    // Restore the scheme, host and path prefix the client used at the proxy.
    if (context.Request.Headers.TryGetValue("X-Forwarded-Proto", out var scheme))
        context.Request.Scheme = scheme.ToString();
    if (context.Request.Headers.TryGetValue("X-Forwarded-Host", out var host))
        context.Request.Host = new HostString(host.ToString());
    if (context.Request.Headers.TryGetValue("X-Forwarded-Prefix", out var prefix))
        context.Request.PathBase = prefix.ToString();

    return next();
});

But in .well-known/openid-configuration, I get a wrong response for the authorization_endpoint, token_endpoint and end_session_endpoint endpoints.

I expected it to be:

But I get the following response:

{
    "issuer": "http://dev.myhostname.ru/authorization/",
    "authorization_endpoint": "http://dev.myhostname.ru/connect/authorize",
    "token_endpoint": "http://dev.myhostname.ru/connect/token",
    "end_session_endpoint": "http://dev.myhostname.ru/connect/logout",
    "jwks_uri": "http://dev.myhostname.ru/authorization/.well-known/jwks",
    "grant_types_supported": [
        "client_credentials",
        "implicit",
        "password",
        "refresh_token"
    ],
    "response_types_supported": [
        "id_token",
        "id_token token",
        "token"
    ],
    "response_modes_supported": [
        "form_post",
        "fragment"
    ],
    "scopes_supported": [
        "openid",
        "offline_access"
    ],
    "claims_supported": [
        "aud",
        "exp",
        "iat",
        "iss",
        "sub"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "subject_types_supported": [
        "public"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post"
    ],
    "claims_parameter_supported": false,
    "request_parameter_supported": false,
    "request_uri_parameter_supported": false,
    "authorization_response_iss_parameter_supported": true
}

The difference is the /authorization/ part of the path. It is kept in Request.PathBase according to my configuration, but I can't see it in these endpoints... Can you suggest where the mistake is?

I set up these endpoints in Program.cs:

// Fragment of the OpenIddict server configuration (inside AddServer(options => { ... })).
options.SetTokenEndpointUris(Endpoints.TokenEndpoint)
       .SetAuthorizationEndpointUris(Endpoints.AuthorizeEndpoint)
       .SetRefreshTokenLifetime(TimeSpan.FromMinutes(tokenSettings!.RefreshTokenLifetimeMinutes))
       .SetAccessTokenLifetime(TimeSpan.FromMinutes(tokenSettings!.AccessTokenLifetimeMinutes))
       .SetIdentityTokenLifetime(TimeSpan.FromMinutes(tokenSettings!.IdentityTokenLifetimeMinutes))
       .SetLogoutEndpointUris(Endpoints.LogoutEndpoint);

@kevinchalet
Member

Hi @AndreyKrivcov,

6-year-old tickets are not monitored. If you need support, consider becoming a sponsor and opening a dedicated thread.

Cheers.

@AndreyKrivcov

@kevinchalet It seems that I found an answer, thank you.

For other people who will have a similar problem:

The answer is here: #1613
