1
votes

I've configured a .NET Core web app to use OpenID Connect for authentication using the Authorization Code flow, as per my IdP's sample instructions (https://www.onelogin.com/blog/how-to-use-openid-connect-authentication-with-dotnet-core):

// Startup.ConfigureServices; requires
//   using Microsoft.AspNetCore.Authentication.Cookies;
//   using Microsoft.AspNetCore.Authentication.OpenIdConnect;
services.AddAuthentication(options => {
    // Sign the user in with a cookie; challenge unauthenticated requests via OIDC
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o => {
    o.ClientId = "[Client ID]";
    o.ClientSecret = "[Client Secret]";
    o.Authority = "[Authority]";
    o.ResponseType = "code";                 // Authorization Code flow
    o.GetClaimsFromUserInfoEndpoint = true;  // fetch profile claims after the code exchange
});

Then my controller is set up to require authentication:

[Authorize]
public IActionResult About()
{
   ViewData["Message"] = "You must be authenticated to view the About page";
   return View();
}

I have also configured ngrok to provide a temporary public URL, which should be used for the authentication flow's redirect back to my site, using:

ngrok http 5000 -host-header="localhost:5000"

This command successfully sets up the proxy and once running, I can browse to the site via the proxy url (e.g. https://75c97570.ngrok.io).

The issue I'm running into is that when I attempt to browse to the 'About' page I'm redirected to the IdP site and prompted to log in as expected; however, the 'redirect_uri' value passed via the query string is my 'localhost' address (https://localhost:5000/signin-oidc), not the ngrok proxy address (https://75c97570.ngrok.io/signin-oidc). This is causing an issue because my IdP requires a non-local URL (hence the ngrok proxy), so the redirect_uri value being passed (localhost) doesn't match the one configured in my IdP account (ngrok) and I receive the error message 'redirect_uri did not match any client's registered redirect_uris'.

I'm assuming this is a .NET configuration issue. Is there a way to tell .NET to use the ngrok proxy address for the 'redirect_uri' value on redirect, as opposed to the localhost address? I've tried using the 'CallbackPath' option on the OpenID Connect configuration options; however, it appears that this only allows for a sub-path of the current URL (e.g. http://localhost:5000/[something]) and can't be used to specify a completely different URL. Is there another way to configure the redirection to use the proxy URL?

Thanks!


1 Answer

2
votes

OK, after some digging I found one solution to this issue. I added the following code to the initialization of my OpenIdConnect service:

.AddOpenIdConnect(o => {

...(snip)...

    // Runs just before the browser is sent to the IdP's authorize endpoint;
    // overwrite the redirect_uri the handler computed from the request's Host
    o.Events.OnRedirectToIdentityProvider = (context) =>
    {
        context.ProtocolMessage.RedirectUri = "https://75c97570.ngrok.io/signin-oidc";

        return Task.CompletedTask;
    };

...(snip)...

});

This does the trick of changing the 'redirect_uri' value which is passed to my IdP on the redirect. Not sure if this is the best way to handle this, however it does work.
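A more complete version of the same idea, written here as an added example rather than code from the question, the answer, or the OneLogin sample. The OIDC handler builds redirect_uri from the incoming request's scheme and Host plus CallbackPath, and ngrok's -host-header option rewrites Host to localhost:5000 on the way in, which is why the question's app advertises a localhost redirect. Hard-coding the tunnel hostname works until the free tunnel restarts with a new subdomain, so this example reads the public origin from configuration (assumed keys Oidc:Authority, Oidc:ClientId, Oidc:ClientSecret and Oidc:PublicOrigin in appsettings.json or the environment, all assumptions of this example), requires it to be https, and rebuilds both redirect_uri and post_logout_redirect_uri from that trusted value and the configured callback paths rather than from anything in the request. It assumes the .NET 6+ minimal hosting model and the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
// Program.cs - added example, not the original poster's code.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration section (appsettings.json / environment):
//   "Oidc": {
//     "Authority": "...", "ClientId": "...", "ClientSecret": "...",
//     "PublicOrigin": "https://75c97570.ngrok.io"   // set only while tunnelling
//   }
var oidc = builder.Configuration.GetSection("Oidc");

// Parse the public origin once at startup. The authorization code is delivered
// to this origin, so refuse anything that is not an absolute https URL.
Uri? publicOrigin = null;
var publicOriginSetting = oidc["PublicOrigin"];
if (!string.IsNullOrWhiteSpace(publicOriginSetting))
{
    publicOrigin = new Uri(publicOriginSetting, UriKind.Absolute);
    if (publicOrigin.Scheme != Uri.UriSchemeHttps)
    {
        throw new InvalidOperationException(
            "Oidc:PublicOrigin must be an https URL; the IdP returns the authorization code to it.");
    }
}

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
    o.Authority = oidc["Authority"];
    o.ClientId = oidc["ClientId"];
    o.ClientSecret = oidc["ClientSecret"];
    o.ResponseType = "code";                // Authorization Code flow
    o.GetClaimsFromUserInfoEndpoint = true;

    // These are the handler defaults, spelled out because they are the path
    // component of the URIs registered with the IdP.
    o.CallbackPath = "/signin-oidc";
    o.SignedOutCallbackPath = "/signout-callback-oidc";

    // Sign-in: redirect_uri = trusted public origin + CallbackPath.
    // Derived from configuration, not from the request's Host header, so a
    // spoofed Host cannot point the IdP's code delivery at another origin.
    o.Events.OnRedirectToIdentityProvider = context =>
    {
        if (publicOrigin != null)
        {
            context.ProtocolMessage.RedirectUri =
                new Uri(publicOrigin, context.Options.CallbackPath.Value!).ToString();
        }
        return Task.CompletedTask;
    };

    // Sign-out: the IdP validates post_logout_redirect_uri the same way,
    // so rebuild it from the same trusted origin.
    o.Events.OnRedirectToIdentityProviderForSignOut = context =>
    {
        if (publicOrigin != null)
        {
            context.ProtocolMessage.PostLogoutRedirectUri =
                new Uri(publicOrigin, context.Options.SignedOutCallbackPath.Value!).ToString();
        }
        return Task.CompletedTask;
    };
});

builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();   // serves the [Authorize] About action from the question
app.Run();
```

Register exactly `https://<tunnel-host>/signin-oidc` and `https://<tunnel-host>/signout-callback-oidc` at the IdP; the comparison is an exact string match, so a trailing slash or http scheme reproduces the "did not match any client's registered redirect_uris" error from the question. Leave Oidc:PublicOrigin unset in production: behind a real reverse proxy the usual approach is to let ForwardedHeadersMiddleware (UseForwardedHeaders with KnownProxies or KnownNetworks restricted to the proxy) restore the original scheme and host, which the handler then uses, rather than overriding the URIs by hand.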