
Insecure redirect_uri when running https website under nginx on Linux #3170

Open
jjxtra opened this issue Dec 25, 2024 · 0 comments

Comments


jjxtra commented Dec 25, 2024

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

3.5.0

Web app

Sign-in users

Web API

Protected web APIs (validating tokens)

Token cache serialization

Not Applicable

Description

I am using AddMicrosoftIdentityWebApp in my .NET 9 ASP.NET web application to sign in with Microsoft. It all works fine when debugging locally with localhost (since it's http) and even in IIS, where I have an SSL certificate set up and it uses https properly.

However, when running under nginx, it uses a plain-text http redirect_uri, even though the browser URL is https. I've verified nginx is forwarding the correct headers such as proto, x-forwarded-for, etc., and these are configured in my ASP.NET pipeline as forwarded headers.

Reproduction steps

Run this project under nginx with an https website setup: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-1-MyOrg

Notice the redirect_uri sent to the authorize endpoint is plain http, even though the browser specified https.

Error message

Microsoft identity server ends up complaining about a redirect_uri that doesn't match, because the C# code sent an http uri.

Id Web logs

N/A

Relevant code snippets

// Workaround posted with this issue: force an https redirect_uri when the
// OIDC handler built it from the proxy-to-Kestrel scheme (plain http).
// Goes inside the AddMicrosoftIdentityWebApp(options => { ... }) configuration and requires:
//   using System;
//   using System.Threading.Tasks;
//   using Microsoft.AspNetCore.Authentication.OpenIdConnect;
options.Events = new OpenIdConnectEvents
{
    OnRedirectToIdentityProvider = context =>
    {
        var uri = context.ProtocolMessage.RedirectUri;
        // Leave localhost alone: local debugging legitimately runs over plain http.
        if (uri.StartsWith("http://", StringComparison.OrdinalIgnoreCase) &&
            !uri.StartsWith("http://localhost:", StringComparison.OrdinalIgnoreCase))
        {
            var redirectUri = new UriBuilder(uri) { Scheme = "https" };
            if (redirectUri.Port == 80)
            {
                redirectUri.Port = -1; // drop the explicit port; https defaults to 443
            }
            context.ProtocolMessage.RedirectUri = redirectUri.ToString();
        }
        return Task.CompletedTask;
    }
};

Regression

No response

Expected behavior

If the browser URL is https, the C# code should always send an https redirect_uri.
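The configuration a practitioner would check for this symptom, written as an added example that is not code from the issue or from Microsoft.Identity.Web: the forwarded-headers middleware has to run before authentication so that Request.Scheme is already "https" when the OIDC handler builds redirect_uri, and it should trust only the reverse proxy (the 10.0.0.5 address, the "AzureAd" section name and the minimal Program.cs layout are assumptions).

```csharp
// Added example; assumed minimal Program.cs for a .NET 9 web app behind nginx.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Identity.Web;
using System.Net;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour only the headers nginx is configured to send (proto and client address).
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // The defaults trust loopback only, which is enough when nginx runs on the same host.
    // If the proxy sits elsewhere, add its address rather than clearing KnownProxies/
    // KnownNetworks; trusting every source lets any client spoof X-Forwarded-Proto.
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // assumed nginx address
});

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd")); // assumed section

var app = builder.Build();

// Order matters: run this before UseHttpsRedirection and UseAuthentication,
// otherwise the scheme seen by the OIDC handler is still the proxy-to-Kestrel "http".
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Quick check endpoint: should report scheme=https once the headers are applied.
app.MapGet("/", (HttpContext ctx) => $"scheme={ctx.Request.Scheme}").RequireAuthorization();

app.Run();

// Matching nginx location block (assumed), so the headers above are actually present:
//   proxy_set_header Host              $host;
//   proxy_set_header X-Forwarded-Proto $scheme;
//   proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
```

If the check endpoint still reports scheme=http, the headers are being dropped before reaching the app (wrong middleware order or the proxy address not in the trusted lists), which is the same failure that makes the OIDC handler emit an http redirect_uri.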
