-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Signing in users breaks when using backchannel proxy #551
Comments
Yes, we are set up correctly on the repro. Also recall that simply moving back to AzureAd method and to OpenIdConnectOptions with no other changes works perfectly. |
|
It does not make a difference. However, we did originally have that ordering, but after re-reading tratcher's comments from last year on the old issue mentioned above, it is clear that Configure has to come first because the backchannel HttpClient is consumed when the Options are initialized. Here if memory serves, |
@pmaytak Missed your second point. If OpenIdConnectOptions is used, the Configure code is not even hit. |
@Tratcher do you have an idea? |
Note to self: This is likely part of the problem. Line 242 in c83cb5d
|
No, here:
It's not using the back channel. Statics are bad... |
@mjnorman For now you'll need to set the proxy here: Do that really early in Startup or Main so that the statics pick it up. There should also be a way to set this from a config file, but you'd have to ask about that over at https://github.com/dotnet/runtime. @jmprieur the outbound network communication needs to be configurable for scenarios like this, we'll need to find a replacement for this static. |
@Tratcher This worked perfectly. I almost want to say this is might be a preferred method when everything outbound would need to go through a proxy such as CF instances with no internet connectivity, so you don't have to configure options individually, although I agree with your statement that it should be configurable in these options as well. public void ConfigureServices(IServiceCollection services)
{
Environment.SetEnvironmentVariable(HTTP_PROXY, GetProxyUri());
Environment.SetEnvironmentVariable(HTTPS_PROXY, GetProxyUri());
...
} |
Sure, something like that. |
@Tratcher can you please explain why that is the root cause and how the fix would allow us to use the backchannel configuration? |
The ConfigurationManager I linked to uses its own HttpClient instance with only the default proxy settings. It needs to be replaced by one that allows you to pass in the HttpClient like this: Until then the above workarounds that let you configure the default proxy for the whole application should work. |
I'd suggest using the same pattern as AspNet, injecting
|
For reference, I ended up having to use the following violent fix, since I cannot set proxy globally, most of my requests are done in the organization network and shouldn't use proxy. var configurationManagerFieldInfo = typeof(AadIssuerValidator).GetField("s_configManager", BindingFlags.Static | BindingFlags.NonPublic);
var configurationManager = configurationManagerFieldInfo?.GetValue(null);
var documentRetrieverFieldInfo = configurationManager?.GetType()
.GetField("_docRetriever", BindingFlags.Instance | BindingFlags.NonPublic);
var httpClientHandler = new HttpClientHandler();
// configure your httpClientHandler ...
documentRetrieverFieldInfo?.SetValue(configurationManager, new HttpDocumentRetriever(new HttpClient(httpClientHandler))); |
🤣 I have the same issue. A "less violent fix" is just to set NO_PROXY for your internal hosts. Comma delimited name of hosts to bypass proxy. Albeit a pain to manage that, but at any rate-- System.Environment.SetEnvironmentVariable(NO_PROXY, BuildNoProxyList()); |
@jennyf19
@Tratcher : what options would you see for |
Fair point, the backchannel options pattern pre-dates IHttpClientFactory and we've never reconciled them. Even when using IHttpClientFactory you'll want to expose a configurable name option to pass to CreateClient. Also, IHttpClientFactory isn't a default service, if you add it as a required constructor parameter then you'll need to also add it as a package dependency and register it in DI. Note there is no IHttpClient, only HttpClient (right?). |
Included in 1.2.0 release. |
Which version of Microsoft Identity Web are you using?
Note that to get help, you need to run the latest version.
0.3.1-preview
Where is the issue?
Is this a new or an existing app?
a. The app is in production and I have upgraded to a new version of Microsoft Identity Web.
Repro
I have a public repro which is mainly a new project created with
dotnet new mvc2 -singleauth
template, then modified to handle Cloud Foundry variable parsing to obtain proxy information, and create the back channel proxy. Relevant code for Proxy is below. -- repro hereI am not sure why, but simply changing back to
.AddAzureAD
, changing options toOpenIdConnectOptions
, and no other changes, the back channel communication works properly.Expected behavior
I would expect back channel behavior to work normally when access through a proxy is required to access metadata at login.microsoft.com.
Actual behavior
Receive an error below presumably due to some communication on the back channel not working through the proxy.
Additional context / logs / screenshots
There was an issue open under aspnetcore last year where I got the AzureAD piece working, that issue is dotnet/aspnetcore#20000, for reference.
The text was updated successfully, but these errors were encountered: