[Bug] Remove ForceHttpsRedirectUris #223

Closed
Tratcher opened this issue Jun 19, 2020 · 2 comments

https://github.com/AzureAD/microsoft-identity-web/pull/202/files#diff-f39916663b976a444b0a47747df21822R62 added ForceHttpsRedirectUris to work around scenarios where the app is behind a reverse proxy. This is an incomplete workaround for the scenario and should be removed. E.g. other components that depend on the request scheme, like cookies, still do not get the correct value.

The AspNetCore guidance for working with proxies is here:
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1

  • Address the issue centrally by using UseForwardedHeaders to fix up the request fields like scheme.
  • Do not add workarounds to individual components.

The container scenario should have been addressed by default in .NET Core 3.0.
https://devblogs.microsoft.com/aspnet/forwarded-headers-middleware-updates-in-net-core-3-0-preview-6/

jennyf19 added the .NET Core 5 and bug labels Jun 19, 2020
jennyf19 added this to the 0.2.0-preview milestone Jun 19, 2020
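
An added example, not code from this issue or from microsoft-identity-web: a minimal ASP.NET Core 3.1 app that applies the central fix described in the first comment, so that every component reading the request scheme sees the corrected value. The proxy address 10.0.0.10 and the /debug/request-scheme route are constructed for illustration.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Process only the headers the proxy is known to set.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Accept forwarded headers only from the proxy itself; a client that can
            // reach the app directly must not be able to set the scheme or client IP.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // constructed address
            options.ForwardLimit = 1; // exactly one proxy hop in front of the app
        });
        services.AddRouting();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before any middleware that reads Request.Scheme, Host or IsHttps
        // (authentication handlers, cookie policy, HTTPS redirection).
        app.UseForwardedHeaders();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
            // Hypothetical diagnostic route: shows the values later components will see.
            endpoints.MapGet("/debug/request-scheme", async context =>
            {
                var req = context.Request;
                // Same inputs a redirect URI is computed from: scheme, host, path base
                // and the callback path ("/signin-oidc" is the OpenID Connect default).
                var redirectUri = $"{req.Scheme}://{req.Host}{req.PathBase}/signin-oidc";
                await context.Response.WriteAsync(
                    $"scheme={req.Scheme} isHttps={req.IsHttps} redirect_uri={redirectUri}");
            }));
    }
}

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>()).Build().Run();
}
```

Requested through the trusted proxy with X-Forwarded-Proto: https, the route reports scheme=https; a request from any other address keeps the scheme of the actual connection, because its forwarded headers are ignored.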
Tratcher commented Jun 19, 2020

MicrosoftIdentityOptions.RedirectUri seems like it's trying to address the same problem and should also be removed.

/// <summary>
/// In a web app, gets or sets the RedirectUri (URI where the token will be sent back by
/// Azure Active Directory or Azure Active Directory B2C).
/// This property is exclusive with <see cref="RemoteAuthenticationOptions.CallbackPath"/> which should be used preferably if you don't want
/// to have a different deployed configuration from your developer configuration.
/// There are cases where RedirectUri is needed, for instance when you use a reverse proxy that transforms HTTPS
/// URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for web apps running
/// in containers (for the same reasons).
/// If you don't specify the redirect URI, the redirect URI will be computed from the URL on which the app is
/// deployed and the CallbackPath.
/// </summary>
public string RedirectUri { get; set; }

Oh, and MicrosoftIdentityOptions.PostLogoutRedirectUri

/// <summary>
/// In a web app, gets or sets the PostLogoutRedirectUri.
/// This property is exclusive with <see cref="OpenIdConnectOptions.SignedOutCallbackPath"/> which should be used preferably if you don't want
/// to have a different deployed configuration from your developer configuration.
/// There are cases where PostLogoutRedirectUri is needed, for instance when you use a reverse proxy that transforms HTTPS
/// URLs (external world) to HTTP URLs (inside the protected area). This can also be useful for web apps running
/// in containers (for the same reasons).
/// If you don't specify the PostLogoutRedirectUri, it will be computed by ASP.NET Core using the SignedOutCallbackPath.
/// </summary>
public string PostLogoutRedirectUri { get; set; }

jennyf19 (Collaborator) commented

Included in 0.2.0-preview release
