I host my application behind a reverse proxy inside a container. I'm using IdentityServer4 and I'm trying to set up OIDC SSO with Azure AD. It works when the application is not using app.UseForwardedHeaders(opts), but I need them.
.NET Core version: 3.1
Forwarded headers configuration:
// Honour X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host set by the proxy.
var opts = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto |
                       ForwardedHeaders.XForwardedHost
};
// ipAddress is the reverse proxy's address (System.Net.IPAddress); the headers are
// only applied when the request arrives from a listed proxy.
opts.KnownProxies.Add(ipAddress);
app.UseForwardedHeaders(opts);
OpenID Connect configuration:
services.AddAuthentication(options =>
    {
        // Local sessions live in the cookie; an unauthenticated request is challenged via OIDC.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddOpenIdConnect("aadrm", "Azure AD", options =>
    {
        // External login result is stored in IdentityServer's external cookie.
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.Authority = "https://login.microsoftonline.com/{tenantID...}/v2.0";
        options.ClientId = ".....";
        options.ClientSecret = @"........";
        // Hybrid flow: authorization code plus id_token in the same response.
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    });
My controller action:
[HttpGet]
public IActionResult ExternalLoginChallenge(string provider, string returnUrl)
{
    // Where the external provider sends the user after authentication.
    var callbackUrl = Url.Action(nameof(ExternalLoginCallback));
    var props = new AuthenticationProperties
    {
        RedirectUri = callbackUrl,
        Items =
        {
            { "scheme", provider },
            { "returnUrl", returnUrl }
        }
    };
    // Triggers the handler registered under the given scheme name (here "aadrm").
    return Challenge(props, provider);
}
When I initiate the sign-in process it should redirect me to Microsoft's sign-in page, but instead it redirects me back to my host with this URL: https://mylocalapp.com:443/{tenantId}/oauth2/v2.0/authorize?client_id=...&redirect_uri=HTTPS%3A%2F%2Fmylocalapp.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile&response_mode=form_post&nonce=........&state=............&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.8.0.0
When I remove app.UseForwardedHeaders(opts) it works normally (it redirects me to the MS login page). It seems that UseForwardedHeaders overrides the OpenIdConnect Authority host.
Can you help me? I don't understand why it redirects me back to my host.
Thanks.
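The post above configures ForwardedHeaders with KnownProxies, and the symptom is a redirect whose host is the proxied Request.Host value (mylocalapp.com:443). To make the trust decision behind that option concrete, here is an added example, not code from the question or from ASP.NET Core: a small Python model of how X-Forwarded-For / -Proto / -Host are applied only for hops that arrive through a known proxy, walked from the right-hand end of the header and capped by a forward limit. The option names, the Request shape and the sample addresses (10.0.0.0/24 as the proxy network, 203.0.113.7 and 198.51.100.9 as clients) are constructed for the example and are assumptions of this model, not values from the question.

```python
"""Model of the X-Forwarded-* trust decision behind UseForwardedHeaders.

Added example, not the question's code and not ASP.NET Core's implementation.
It reproduces the rule that matters for security: forwarded headers are
honoured only when the peer that delivered them is a known proxy, so a client
talking to the app directly cannot spoof its IP, scheme or host.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Request:
    """The parts of an incoming request the middleware may rewrite (hypothetical shape)."""
    remote_ip: str
    scheme: str
    host: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class ForwardedHeadersOptions:
    """Subset of the ASP.NET Core option names, modelled here (assumption)."""
    known_proxies: List[str] = field(default_factory=list)
    known_networks: List[str] = field(default_factory=list)   # CIDR strings
    forward_limit: Optional[int] = 1                          # None = unlimited hops


def is_known_proxy(ip: str, opts: ForwardedHeadersOptions) -> bool:
    """True when ip is listed explicitly or falls inside a known network."""
    addr = ip_address(ip)
    if any(addr == ip_address(p) for p in opts.known_proxies):
        return True
    return any(addr in ip_network(n, strict=False) for n in opts.known_networks)


def _values(header: Optional[str]) -> List[str]:
    """Split a comma-separated forwarded header into its per-hop entries."""
    return [v.strip() for v in header.split(",") if v.strip()] if header else []


def apply_forwarded_headers(req: Request, opts: ForwardedHeadersOptions) -> Request:
    """Return a copy of req with remote_ip/scheme/host taken from X-Forwarded-*.

    Entries are consumed from the right: the last value was appended by the
    nearest proxy, so it is the only one whose origin can be vouched for.
    Each hop is applied only if the peer that sent it is a known proxy and the
    forward limit has not been reached; otherwise the walk stops and the
    remaining (untrusted) values are ignored.
    """
    fwd_for = _values(req.headers.get("X-Forwarded-For"))
    fwd_proto = _values(req.headers.get("X-Forwarded-Proto"))
    fwd_host = _values(req.headers.get("X-Forwarded-Host"))

    out = replace(req)
    current_ip = req.remote_ip
    entries = max(len(fwd_for), len(fwd_proto), len(fwd_host))
    hops = 0
    while entries > 0 and (opts.forward_limit is None or hops < opts.forward_limit):
        if not is_known_proxy(current_ip, opts):
            break  # the peer that delivered this hop is not trusted: stop here
        if fwd_for:
            current_ip = fwd_for.pop()
        if fwd_proto:
            out.scheme = fwd_proto.pop()   # copied as sent; no normalisation
        if fwd_host:
            out.host = fwd_host.pop()      # this is what the app then sees as Request.Host
        entries -= 1
        hops += 1
    out.remote_ip = current_ip
    return out


if __name__ == "__main__":
    # Constructed sample: a request relayed by the trusted proxy 10.0.0.2.
    opts = ForwardedHeadersOptions(known_networks=["10.0.0.0/24"])
    via_proxy = Request("10.0.0.2", "http", "app:5000", {
        "X-Forwarded-For": "203.0.113.7",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "mylocalapp.com:443",
    })
    print(apply_forwarded_headers(via_proxy, opts))
    # Same headers sent directly by an untrusted client are ignored.
    direct = replace(via_proxy, remote_ip="198.51.100.9")
    print(apply_forwarded_headers(direct, opts))
```

The two printed requests differ only in who delivered the headers: the first comes out with scheme https, host mylocalapp.com:443 and the client's address, the second is left untouched because 198.51.100.9 is not a known proxy. Raising forward_limit (or setting it to None) lets the walk continue through a chain of proxies as long as every hop is trusted.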