3
votes

I host my application behind a reverse proxy inside a container. I'm using IdentityServer4 and I'm trying to set up OIDC SSO with Azure AD. It works when the application is not using app.UseForwardedHeaders(opts), but I need them.

.NET Core version: 3.1

Forwarded headers configurations:

var opts = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
                       ForwardedHeaders.XForwardedHost
};
// ipAddress: the IPAddress of the reverse proxy in front of the container
opts.KnownProxies.Add(ipAddress);
app.UseForwardedHeaders(opts);

OpenID Connect Configurations:

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddOpenIdConnect("aadrm", "Azure AD", options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;

    options.Authority = "https://login.microsoftonline.com/{tenantID...}/v2.0";

    options.ClientId = ".....";
    options.ClientSecret = @"........";
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
});

My Controller Action:

[HttpGet]
public IActionResult ExternalLoginChallenge(string provider, string returnUrl)
{
    var callbackUrl = Url.Action(nameof(ExternalLoginCallback));

    var props = new AuthenticationProperties
    {
        RedirectUri = callbackUrl,
        Items =
        {
            { "scheme", provider },
            { "returnUrl", returnUrl }
        }
    };

    return Challenge(props, provider);
}

When I initiate the sign-in process it should redirect me to Microsoft's sign-in page, but instead it redirects me back to my host with this URL: https://mylocalapp.com:443/{tenantId}/oauth2/v2.0/authorize?client_id=...&redirect_uri=HTTPS%3A%2F%2Fmylocalapp.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=........&state=............&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.8.0.0

When I remove app.UseForwardedHeaders(opts) it works normally (redirects me to MS login page). It seems that UseForwardedHeaders overrides the OpenIdConnect Authority Address host.

Can you help me? I don't understand why it redirects me back to my host.

Thanks.


1 Answer

0
votes

I've found the issue and here is the solution, just in case someone is using IIS as a reverse proxy in their local setup.

The issue was caused by the IIS reverse proxy configuration that I'm using locally: Application Request Routing -> Server Proxy Settings -> Reverse rewrite host in response headers.

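As an added example (not code from the question or the answer), the following Python check takes the Location header of the challenge redirect and the configured Authority and tells apart the symptom above (the proxy rewrote the response host, so the authorize path is intact but the host is the app's own) from a genuinely wrong Authority. The sample URL is constructed from the one quoted in the question with secrets replaced by placeholders; the tenant, client id and hostnames are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the redirect quoted in the question, secrets replaced.
# The path is Azure AD's authorize endpoint, but the host is the app's own host.
SAMPLE_LOCATION = (
    "https://mylocalapp.com:443/TENANT_ID/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID&redirect_uri=HTTPS%3A%2F%2Fmylocalapp.com%2Fsignin-oidc"
    "&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post"
    "&nonce=NONCE&state=STATE"
)
SAMPLE_AUTHORITY = "https://login.microsoftonline.com/TENANT_ID/v2.0"  # assumed tenant
SAMPLE_APP_HOST = "mylocalapp.com"  # the host behind the reverse proxy


def diagnose_challenge_redirect(location: str, authority: str, app_host: str) -> dict:
    """Compare the 302 Location produced by the OIDC challenge with the configured
    Authority and report whether only the host was swapped (proxy rewrite) or the
    redirect target is wrong altogether."""
    loc = urlsplit(location)
    auth = urlsplit(authority)
    query = parse_qs(loc.query)
    redirect_uri = urlsplit(query.get("redirect_uri", [""])[0])

    # Azure AD v2 authorize endpoint lives under /{tenant}/oauth2/v2.0/authorize,
    # so the first path segment of Location should equal the Authority's tenant.
    tenant = auth.path.strip("/").split("/")[0]
    loc_first_segment = loc.path.strip("/").split("/")[0]
    path_is_authorize = loc_first_segment == tenant and loc.path.endswith("/authorize")

    host_rewritten = loc.hostname != auth.hostname and loc.hostname == app_host

    if host_rewritten and path_is_authorize:
        verdict = ("authorize path intact but host replaced by the app host: the proxy "
                   "is rewriting the host in response headers (Location)")
    elif loc.hostname == auth.hostname:
        verdict = "redirect goes to the identity provider as expected"
    else:
        verdict = "redirect host is neither the Authority nor the app: check Authority"

    return {
        "authority_host_rewritten": host_rewritten,
        "path_is_authorize_endpoint": path_is_authorize,
        "redirect_uri_host_ok": redirect_uri.hostname == app_host,
        "redirect_uri_https": redirect_uri.scheme.lower() == "https",
        "missing_params": [p for p in ("client_id", "state", "nonce") if p not in query],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose_challenge_redirect(
            SAMPLE_LOCATION, SAMPLE_AUTHORITY, SAMPLE_APP_HOST).items():
        print(f"{key}: {value}")
```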