
Our ASP .Net Core (Razor) application is hosted in AWS and placed after a LoadBalancer (https). I know there is a bug where urls are always unsecure with LoadBalancer. A rewrite rule was integrated like described here: https://stackoverflow.com/a/46719766/3835956

But we are using the Azure Authentication to connect to our Active Directory and the forwarding (reply url) will always redirect to an unsecure http address. Okay, the url will be rewritten to https but for a short time the http address is called and the process is unsecure. I have to add the url with http and https to the list of reply urls in the Azure Application properties to log in.

The authentication is configured this way:

    public void ConfigureServices(IServiceCollection services)
    {
        [...]

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })         
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        [...]

        // Fix for AWS LoadBalancer to rewrite url back to https
        // https://stackoverflow.com/a/46719766/3835956
        var options = new RewriteOptions()
            .AddRedirectToProxiedHttps()
            .AddRedirect("(.*)/$", "$1");  // remove trailing slash
        app.UseRewriter(options);

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseSession();
        app.UseAuthentication();

        app.UseMvc();
    }     

The list of reply urls in Azure Application is for now:

(Screenshot: Azure Application reply urls)

Is there a trick to point Azure to the correct reply url? Thanks a lot.

Update 1:

The appsettings.json looks like this:

    {
      "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "domain.com",
        "TenantId": "abc-123",
        "ClientId": "abc-123",
        "CallbackPath": "/signin-oidc"
      },
      [...]
      "AllowedHosts": "*"
    }

Mathias Müller
  • I'm guessing your app is specifying the redirect_uri as the HTTP version. Have to somehow make the app aware that its URL is actually HTTPS even though it receives the traffic as HTTP from the load balancer. – juunas Aug 09 '18 at 07:44
  • Please clarify: Are the urls generated by the application http? Or is just the traffic between Proxy and your app http? The latter one isn't an issue, as long as the `X-Forwarded-Proto` and `X-Forwarded-For` (or was it `X-Forwarded-Host`?) are correctly redirected to your app, your app will still treat the connection as secure (authentication and RequireHttps attribute would otherwise redirect or fail) – Tseng Aug 09 '18 at 07:44
  • The site's url is http and it is generated and hosted behind a load balancer working with https and the company's domain. Therefore the application doesn't know the correct url of the load balancer. The traffic between app and load balancer should be http. @Tseng And you mean the traffic is safe? But I have to add the http url to azure list. – Mathias Müller Aug 09 '18 at 08:07
  • Mind to post (the relevant parts of) your appsettings.json? Could it be you are having the return url set as http in there? You are loading the things here `.AddAzureAD(options => Configuration.Bind("AzureAd", options));` but we don't see what you have in that appsettings.json's section. The return url is usually always hardcoded (config or in code) part of the authentication middleware – Tseng Aug 09 '18 at 08:21
  • I added the appsettings.json but there is no return url. The domain is the link to the corresponding Azure instance, I think. – Mathias Müller Aug 09 '18 at 08:29
  • Then try using a fully-qualified url in `CallbackPath` like `https://example.com/signin-oidc` – Tseng Aug 09 '18 at 08:43
  • Other than that, you usually configure it on a per-app basis (means: The redirect url on Azure AD config pages). So if you are using the same client-id on development AND on production application, you're doing it wrong. That should be treated as two separate applications (with distinct client ids) within Azure AD – Tseng Aug 09 '18 at 08:54
  • You mean I should separate production, development (test in web) and local development (localhost)? – Mathias Müller Aug 09 '18 at 09:14
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/177705/discussion-between-mathias-muller-and-tseng). – Mathias Müller Aug 09 '18 at 09:17
  • Were you ever able to find a solution? We've got the same issue here. – Kevin R. Jun 07 '19 at 17:55
  • No, sorry there was no solution. The project was cancelled. – Mathias Müller Jun 07 '19 at 21:03

1 Answer

I was stuck with the same problem as you, and then I found this documentation: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1#scenarios-and-use-cases

I then added the following at the top of the method:

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.Use((context, next) =>
        {
            context.Request.Scheme = "https";
            return next();
        });

        // other stuff omitted
    }

And it fixed the problem. The redirect URL is now HTTPS.

Francois
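For the load-balancer scenario in the question, the approach the linked Microsoft documentation describes is the Forwarded Headers middleware rather than forcing `Request.Scheme` for every request as the answer does: the scheme is restored from `X-Forwarded-Proto` only when the header arrives from a trusted proxy, so a request that really did reach the load balancer over plain http is not silently reported as https. The Startup below is an added example, not code from the question or the answer; the `10.0.0.0/16` network is an assumed placeholder for the subnet the AWS load balancer nodes live in, and the Azure AD registration is copied from the question.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour the scheme and client IP reported by the load balancer...
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // ...but only when the headers come from the load balancer's network.
            // The defaults trust loopback only, which would ignore the AWS LB.
            // 10.0.0.0/16 is an assumed placeholder for the LB's VPC subnet.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 16));
        });

        // Same Azure AD registration as in the question (AzureAd section of appsettings.json).
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(o => _configuration.Bind("AzureAd", o));
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // First in the pipeline: sets Request.Scheme = "https" and the real client
        // RemoteIpAddress for trusted proxies, so the OpenID Connect handler builds
        // an https redirect_uri instead of the http one the question describes.
        app.UseForwardedHeaders();

        // Now only fires for requests that really arrived at the LB over http.
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With the scheme restored before authentication runs, only the https reply url needs to stay registered in the Azure application, and the `AddRedirectToProxiedHttps` rewrite rule from the question becomes redundant.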