AWS Elastic Kubernetes: redirect_uri

[schwichti]

Hi.
I have adopted sid-kubernetes.yaml to deploy to an EKS cluster:

---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: scim
  namespace: sid
spec:
  type: ClusterIP
  selector:
    app: scim-deploy
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: idserver
  namespace: sid
spec:
  type: ClusterIP
  selector:
    app: idserver-deploy
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: website
  namespace: sid
spec:
  type: ClusterIP
  selector:
    app: website-deploy
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: credentialissuer
  namespace: sid
spec:
  type: ClusterIP
  selector:
    app: credentialissuer-deploy
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: credentialissuerwebsite
  namespace: sid
spec:
  type: ClusterIP
  selector:
    app: credentialissuerwebsite-deploy
  ports:
    - name: http
      protocol: TCP
      port: 80
    - name: https
      protocol: TCP
      port: 443
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scim-deployment
  namespace: sid
  labels:
    app: scim-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: scim-deploy
  template:
    metadata:
      labels:
        app: scim-deploy
    spec:  
      containers:
        - name: scim-deploy
          image: simpleidserver/scim:5.0.2
          ports:
            - containerPort: 80
          env:
            - name: "ASPNETCORE_URLS"
              value: "http://*:80;https://*:443"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              value: "password"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Path"
              value: "/certificates/sid.pfx"
            - name: "ASPNETCORE_FORWARDEDHEADERS_ENABLED"
              value: "true"
            - name: "StorageConfiguration__Type"
              value: POSTGRE
            - name: "StorageConfiguration__ConnectionString"
              valueFrom:
                secretKeyRef:
                  name: scim-config
                  key: StorageConfiguration__ConnectionString
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: idserver-deploy
  namespace: sid
  labels:
    app: idserver-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: idserver-deploy
  template:
    metadata:
      labels:
        app: idserver-deploy
    spec:
      containers:
      - name: idserver-deploy
        image: simpleidserver/idserver:5.0.2
        ports:
          - containerPort: 80
        env:
            - name: "ASPNETCORE_URLS"
              value: "http://*:80;https://*:443"    
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              value: "password"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Path"
              value: "/certificates/sid.pfx"
            - name: "ASPNETCORE_FORWARDEDHEADERS_ENABLED"
              value: "true"
            - name: "StorageConfiguration__Type"
              value: POSTGRE              
            - name: "SCIMBaseUrl"
              value: "https://scim.mydomain.com"
            - name: "Authority"
              value: "https://idserver.mydomain.com"              
            - name: "SCIM__SCIMRepresentationsExtractionJobOptions__SCIMEdp"
              valueFrom:
                secretKeyRef:
                  name: idserver-config
                  key: StorageConfiguration__ConnectionString
            - name: "StorageConfiguration__ConnectionString"
              valueFrom:
                secretKeyRef:
                  name: idserver-config
                  key: StorageConfiguration__ConnectionString
            - name: "DistributedCacheConfiguration__ConnectionString"
              valueFrom:
                secretKeyRef:
                  name: idserver-config
                  key: StorageConfiguration__ConnectionString
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: website-deploy
  namespace: sid
  labels:
    app: website-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: website-deploy
  template:
    metadata:
      labels:
        app: website-deploy
    spec:  
      containers:
      - name: website-deploy
        image: simpleidserver/website:5.0.2
        ports:
        - containerPort: 80
        env:
        - name: "ASPNETCORE_URLS"
          value: "http://*:80;https://*:443"    
        - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
          value: "password"
        - name: "ASPNETCORE_Kestrel__Certificates__Default__Path"
          value: "/certificates/sid.pfx"
        - name: "ASPNETCORE_FORWARDEDHEADERS_ENABLED"
          value: "true"
        - name: "DefaultSecurityOptions__Issuer"
          value: "https://idserver.mydomain.com"
        - name: "DefaultSecurityOptions__IgnoreCertificateError"
          value: "true"
        - name: "IdServerBaseUrl"
          value: "https://idserver.mydomain.com"
        - name: "ScimBaseUrl"
          value: "https://scim.mydomain.com"
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: credentialissuer-deployment
  namespace: sid
  labels:
    app: credentialissuer-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: credentialissuer-deploy
  template:
    metadata:
      labels:
        app: credentialissuer-deploy
    spec:
      containers:
        - name: credentialissuer-deploy
          image: simpleidserver/credentialissuer:5.0.2
          ports:
            - containerPort: 80
          env:
            - name: "ASPNETCORE_URLS"
              value: "http://*:80;https://*:443"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              value: "password"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Path"
              value: "/certificates/sid.pfx"
            - name: "ASPNETCORE_FORWARDEDHEADERS_ENABLED"
              value: "true"
            - name: "Authorization__Issuer"
              value: "https://idserver.mydomain.com/master"
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: credentialissuerwebsite-deploy
  namespace: sid
  labels:
    app: credentialissuerwebsite-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: credentialissuerwebsite-deploy
  template:
    metadata:
      labels:
        app: credentialissuerwebsite-deploy
    spec:
      containers:
      - name: credentialissuerwebsite-deploy
        image: simpleidserver/credentialissuerwebsite:5.0.2
        ports:
          - containerPort: 80
        env:
            - name: "ASPNETCORE_URLS"
              value: "http://*:80;https://*:443"    
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Password"
              value: "password"
            - name: "ASPNETCORE_Kestrel__Certificates__Default__Path"
              value: "/certificates/sid.pfx"
            - name: "ASPNETCORE_FORWARDEDHEADERS_ENABLED"
              value: "true"
            - name: "DefaultSecurityOptions__Issuer"
              value: "https://idserver.mydomain.com"
            - name: "DefaultSecurityOptions__IgnoreCertificateError"
              value: "true"
            - name: "CredentialIssuerUrl"
              value: "https://credentialissuer.mydomain.com"
---
# Source: simpleidserver/templates/deployment.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simpleidserver
  namespace: sid
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx  
  tls:
  - hosts:
    - "scim.mydomain.com"
    - "idserver.mydomain.com"
    - "website.mydomain.com"
    - "credentialissuer.mydomain.com"
    - "credentialissuerwebsite.mydomain.com"
    secretName: "certificate" 
  rules:
  - host: "scim.mydomain.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: scim
            port:
              number: 80
  - host: "idserver.mydomain.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: idserver
            port:
              number: 80
  - host: "website.mydomain.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: website
            port:
              number: 80
  - host: "credentialissuer.mydomain.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: credentialissuer
            port:
              number: 80
  - host: "credentialissuerwebsite.mydomain.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: credentialissuerwebsite
            port:
              number: 80

When I open https://website.mydomain.com/master/clients in a web browser I am redirected to https://idserver.mydomain.com/master/authorization?client_id=SIDS-manager&redirect_uri=https%3A%2F%2Fwebsite.mydomain.com%2Fmaster%2Fsignin-oidc&response_type=code&scope=openid%20profile%20role&code_challenge=gfPa...&state=CfDJ...&x-client-SKU=ID_NET8_0&x-client-ver=8.0.0.0

which shows the following message:

{
  "error": "invalid_request",
  "error_description": "redirect_uri https://website.mydomain.com/master/signin-oidc is not correct",
  "state": "CfDJ8M...."
}

Am I suppose to set the redirect_uri? How can I set it?

[schwichti]

Interestingly, when I replace redirect_uri=https%3A%2F%2Fwebsite.mydomain.com%2Fmaster%2Fsignin-oidc by
redirect_uri=https%3A%2F%2Fwebsite.sid.svc.cluster.local%2Fmaster%2Fsignin-oidc in the url, I see the login-screen.

[simpleidserver]

Hello,

The redirect URL is indeed incorrect, and this value cannot be set in the kubernetes file directly 😢 .
I’ve created a new ticket, #811, to add the redirect URL configuration for the website in the appsettings.json file.
Once this is done, it will be possible to specify the redirect URL in the kubernetes file.

In the meantime, there are two ways to specify the redirect URL:

1. Edit the IdServerConfiguration.cs file (https://github.com/simpleidserver/SimpleIdServer/blob/master/src/IdServer/SimpleIdServer.IdServer.Startup/IdServerConfiguration.cs), and set the correct redirect URL in the SIDS-manager configuration.
2. Run the following SQL script in your PostgreSQL database:

UPDATE public."Clients" SET "RedirectionUrls" = 'https://localhost:5002/*,https://website.simpleidserver.com/*,https://website.localhost.com/*,http://website.localhost.com/*,https://website.sid.svc.cluster.local/*,https://website.mydomain.com/master/*'
WHERE "ClientId" = 'SIDS-manager'

KR,

SID

[schwichti]

I did the database update. Now, the website gives a server error 500. This is the log of the website:

fail: SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler[17]
      Exception occurred while processing message.
      Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 405. Content-Type: 
       ---> System.ArgumentNullException: IDX10000: The parameter 'json' cannot be a 'null' or an empty object.  (Parameter 'json')
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(String json)
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1419
         --- End of inner exception stack trace ---
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1423
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.HandleRemoteAuthenticateAsync() in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 531
info: SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler[4]
      Error from RemoteAuthentication: Failed to parse token response body as JSON. Status Code: 405. Content-Type: .
fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
      Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
       ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 405. Content-Type: 
       ---> System.ArgumentNullException: IDX10000: The parameter 'json' cannot be a 'null' or an empty object.  (Parameter 'json')
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(String json)
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1419
         --- End of inner exception stack trace ---
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1423
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.HandleRemoteAuthenticateAsync() in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 531
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at SimpleIdServer.IdServer.Website.Middlewares.RealmMiddleware.InvokeAsync(HttpContext context) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.IdServer.Website\Infrastructures\RealmMiddleware.cs:line 77
         at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "0HN82UPNUPDHA", Request id "0HN82UPNUPDHA:00000002": An unhandled exception was thrown by the application.
      System.InvalidOperationException: The exception handler configured on ExceptionHandlerOptions produced a 404 status response. This InvalidOperationException containing the original exception was thrown since this is often due to a misconfigured ExceptionHandlingPath. If the exception handler is expected to return 404 status responses then set AllowStatusCode404Response to true.
       ---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
       ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Failed to parse token response body as JSON. Status Code: 405. Content-Type: 
       ---> System.ArgumentNullException: IDX10000: The parameter 'json' cannot be a 'null' or an empty object.  (Parameter 'json')
         at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectMessage..ctor(String json)
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1419
         --- End of inner exception stack trace ---
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest, String dpopNonce, OpenIdConnectConfiguration configuration) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 1423
         at SimpleIdServer.OpenIdConnect.CustomOpenIdConnectHandler.HandleRemoteAuthenticateAsync() in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.OpenIdConnect\CustomOpenIdConnectHandler.cs:line 531
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at SimpleIdServer.IdServer.Website.Middlewares.RealmMiddleware.InvokeAsync(HttpContext context) in C:\Projects\SimpleIdServer\src\IdServer\SimpleIdServer.IdServer.Website\Infrastructures\RealmMiddleware.cs:line 77
         at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.HandleException(HttpContext context, ExceptionDispatchInfo edi)
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
         at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)

I am using the nginx ingress controller. Do I need some nginx settings?

[simpleidserver]

Could you check if the "token_endpoint" returned by this URL: https://idserver.mydomain.com/.well-known/openid-configuration is equal to something like https://idserver.mydomain.com/token?

[schwichti]

I believe you mean https://idserver.mydomain.com/master/.well-known/openid-configuration.
The response is:

{
  "token_endpoint": "http://idserver.mydomain.com/master/token",
}

Note its http and not https

[schwichti]

For https://idserver.mydomain.com/.well-known/openid-configuration I get 404.

[simpleidserver]

For some reason, I have a feeling that the X-Forwarded-Proto header is not set by Nginx because the configuration might be invalid.
Could you check the configuration and ensure the following parameter is set?

proxy_set_header X-Forwarded-Proto $scheme;

If this does not work, could you set the following environment variable under idserver-deploy ?

env:
            - name: "ForceHttps"
              value: "true" 

Thank you !

[schwichti]

/etc/nginx/nginx.conf of my nginx ingress controller has X-Forwarded-Proto set:

http {
	## start server website.mydomain.com
	server {
		server_name website.mydomain.com ;
		
		http2 on;
		
		listen 80  ;
		listen [::]:80  ;
		listen 443  ssl;
		listen [::]:443  ssl;
		
		set $proxy_upstream_name "-";
		
		ssl_certificate_by_lua_block {
			certificate.call()
		}
		
		location / {
			
			set $namespace      "sid";
			set $ingress_name   "simpleidserver";
			set $service_name   "website";
			set $service_port   "80";
			set $location_path  "/";
			set $global_rate_limit_exceeding n;
			
			rewrite_by_lua_block {
				lua_ingress.rewrite({
					force_ssl_redirect = false,
					ssl_redirect = true,
					force_no_ssl_redirect = false,
					preserve_trailing_slash = false,
					use_port_in_redirects = false,
					global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
				})
				balancer.rewrite()
				plugins.run()
			}
			
			# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
			# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
			# other authentication method such as basic auth or external auth useless - all requests will be allowed.
			#access_by_lua_block {
			#}
			
			header_filter_by_lua_block {
				lua_ingress.header()
				plugins.run()
			}
			
			body_filter_by_lua_block {
				plugins.run()
			}
			
			log_by_lua_block {
				balancer.log()
				
				plugins.run()
			}
			
			port_in_redirect off;
			
			set $balancer_ewma_score -1;
			set $proxy_upstream_name "sid-website-80";
			set $proxy_host          $proxy_upstream_name;
			set $pass_access_scheme  $scheme;
			
			set $pass_server_port    $server_port;
			
			set $best_http_host      $http_host;
			set $pass_port           $pass_server_port;
			
			set $proxy_alternative_upstream_name "";
			
			client_max_body_size                    1m;
			
			proxy_set_header Host                   $best_http_host;
			
			# Pass the extracted client certificate to the backend
			
			# Allow websocket connections
			proxy_set_header                        Upgrade           $http_upgrade;
			
			proxy_set_header                        Connection        $connection_upgrade;
			
			proxy_set_header X-Request-ID           $req_id;
			proxy_set_header X-Real-IP              $remote_addr;
			
			proxy_set_header X-Forwarded-For        $remote_addr;
			
			proxy_set_header X-Forwarded-Host       $best_http_host;
			proxy_set_header X-Forwarded-Port       $pass_port;
			proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
			proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;
			
			proxy_set_header X-Scheme               $pass_access_scheme;
			
			# Pass the original X-Forwarded-For
			proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
			
			# mitigate HTTPoxy Vulnerability
			# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
			proxy_set_header Proxy                  "";
			
			# Custom headers to proxied server
			
			proxy_connect_timeout                   5s;
			proxy_send_timeout                      60s;
			proxy_read_timeout                      60s;
			
			proxy_buffering                         off;
			proxy_buffer_size                       128k;
			proxy_buffers                           4 128k;
			
			proxy_max_temp_file_size                1024m;
			
			proxy_request_buffering                 on;
			proxy_http_version                      1.1;
			
			proxy_cookie_domain                     off;
			proxy_cookie_path                       off;
			
			# In case of errors try the next upstream server before returning an error
			proxy_next_upstream                     error timeout;
			proxy_next_upstream_timeout             0;
			proxy_next_upstream_tries               3;
			
			# Custom Response Headers
			
			proxy_pass http://upstream_balancer;
			
			proxy_redirect                          off;
			
		}
		
	}
	## end server website.mydomain.com
	
}

[schwichti]

When I set ForceHttps=true, https://idserver.mydomain.com/.well-known/openid-configuration returns https URLs and I am able to login.