opiethehokie

Reputation: 1912

ASP.NET 5 OAuth redirect URI not using HTTPS

I'm copying the Social Sample but trying to use a different OAuth provider not shown there, so I have some code like this:

app.UseOAuthAuthentication("test", options =>
{
    options.ClientId = "xxx";
    options.ClientSecret = "xxx";
    options.AuthorizationEndpoint = "xxx";
    options.TokenEndpoint = "xxx";
    options.CallbackPath = new PathString("/signin-test");
});

My app is running behind a reverse-proxy which terminates SSL. My redirect_uri then becomes something like http://myapp.com/signin-test when I need it to be https://myapp.com/signin-test.

All the app knows is whether the X-Forwarded-Proto HTTP header is set to "http" or "https", but that doesn't seem to be detected.

Is there a way to force the CallbackPath to use HTTPS regardless of whether the request did? Or some other way to accomplish this?

I tried redirecting all requests to HTTPS but that didn't help:

app.Use(async (context, next) =>
{
    if ("https".Equals(context.Request.Headers["x-forwarded-proto"]))
    {
        await next();
    }
    else
    {
        var withHttps = "https://" + context.Request.Host + context.Request.Path;
        context.Response.Redirect(withHttps);
    }
});

Upvotes: 7

Views: 2464

Answers (1)

Kévin Chalet

Reputation: 42020

The recommended approach is to manually change context.Request.Scheme to return https instead of http before invoking the rest of the pipeline (await next()):

app.Use(next => context => {
    // The TLS-terminating proxy tells us the original scheme via X-Forwarded-Proto.
    if (string.Equals(context.Request.Headers["X-Forwarded-Proto"], "https", StringComparison.OrdinalIgnoreCase)) {
        // Downstream middleware (including OAuth) builds absolute URLs from Request.Scheme.
        context.Request.Scheme = "https";
    }

    return next(context);
});

FYI, the ASP.NET team is currently working on a middleware that would automate this task: https://github.com/aspnet/BasicMiddleware/pull/1/files

Upvotes: 9
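The answer's middleware trusts X-Forwarded-Proto from any client, which matters because whatever value the app honours ends up in redirect_uri and in any "is this connection secure" decision. The following is an added example, not code from the question or the answer, showing the same scheme rewrite restricted to requests that actually arrive from the known proxy. It is written against the ASP.NET Core HttpContext API (an assumption; the ASP.NET 5 beta APIs used in the thread differ slightly), and the proxy address is a placeholder.

```csharp
// Added example: honour X-Forwarded-Proto only from the TLS-terminating proxy.
// Register it before UseOAuthAuthentication so the OAuth middleware sees the
// corrected Request.Scheme when it builds redirect_uri.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;
using System.Net;

public static class ForwardedSchemeMiddleware
{
    // Placeholder: the address your reverse proxy connects from. In production
    // read it from configuration rather than hard-coding it.
    private static readonly IPAddress KnownProxy = IPAddress.Parse("10.0.0.5");

    public static IApplicationBuilder UseForwardedScheme(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            IPAddress remote = context.Connection.RemoteIpAddress;

            if (remote == null || !remote.Equals(KnownProxy))
            {
                // The header did not come from our proxy, so it is untrusted.
                // Remove it so nothing later in the pipeline can be misled by it.
                context.Request.Headers.Remove("X-Forwarded-Proto");
            }
            else
            {
                StringValues proto = context.Request.Headers["X-Forwarded-Proto"];
                if (!StringValues.IsNullOrEmpty(proto))
                {
                    // A chain of proxies may append values; the first one is the
                    // scheme the original client used.
                    string first = proto.ToString().Split(',')[0].Trim();
                    if (string.Equals(first, "https", StringComparison.OrdinalIgnoreCase))
                    {
                        // Everything downstream (OAuth included) now builds absolute
                        // URLs such as redirect_uri with the https scheme.
                        context.Request.Scheme = "https";
                    }
                }
            }

            await next();
        });
    }
}

// Usage in Startup.Configure (ordering is what matters):
//
//   app.UseForwardedScheme();
//   app.UseOAuthAuthentication("test", options => { /* as in the question */ });
```

If the proxy runs on the same host, compare against the loopback address instead; if it lives in a subnet, replace the single-address check with a network-range check. The later ForwardedHeaders middleware the answer links to does this with its KnownProxies and KnownNetworks options.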
