Justin Dearing

Reputation: 14928

ASP.NET Core app is behind an SSL proxy server and Reply to URL is http:// not https://

I have an ASP.NET Core application on an IIS server listening on whatever.domain.com/virtual-dir usings . The outside world accesses it through an SSL accelerator. It's using Microsoft.AspNetCore.Authentication.OpenIdConnect for OpenId authentication through AzureAd.

Because of the SSL proxy, the app thinks its base address scheme is http as opposed to https (http://whatever.domain.com/virtual-dir vs https://whatever.domain.com/virtual-dir). This leads to it sending a reply-to address of http://whatever.domain.com/virtual-dir/signin-oidc as opposed to https://whatever.domain.com/virtual-dir/signin-oidc. I can modify the callback endpoint with OpenIdConnectOptions.CallbackPath, but that is only relative to the base URL. How do I change the base URL?

Upvotes: 1

Views: 3546

Answers (2)

Justin Dearing

Reputation: 14928

Directions for this are here:

https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-2.1#when-it-isnt-possible-to-add-forwarded-headers-and-all-requests-are-secure

Breakdown:

  1. Your proxy needs to set three HTTP headers: X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host.
  2. You need to configure ForwardedHeadersOptions. In theory IIS should do this for you.
  3. In Startup.Configure() you need to call app.UseForwardedHeaders(); before app.UseAuthentication() so the Request base is rewritten.

Upvotes: 1
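A sketch of the three steps above as a `Startup` class, added here as an example and not taken from the answer or from Microsoft's documentation. It restricts which peer may supply the `X-Forwarded-*` headers, because an app that accepts them from any client lets that client choose the scheme and host used to build the OpenID Connect redirect URI. The proxy address `10.0.0.100` is a constructed placeholder, and the final `app.Run` handler is a hypothetical diagnostic endpoint for checking the rewritten request base.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Step 1: the three headers the SSL accelerator is expected to set.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Step 2: only honour the headers when the request arrives from
            // the accelerator itself. Placeholder address (assumption).
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));

            // Reject X-Forwarded-Host values other than the public host name.
            options.AllowedHosts.Add("whatever.domain.com");

            // Process a single proxy hop; extra entries in the header
            // chain are not trusted.
            options.ForwardLimit = 1;
        });

        // The OpenIdConnect registration (.AddOpenIdConnect(...)) is left out
        // here; it needs no change for this fix.
        services.AddAuthentication();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Step 3: must run before authentication so that Request.Scheme and
        // Request.Host are already rewritten when the redirect URI is built.
        app.UseForwardedHeaders();
        app.UseAuthentication();

        // Hypothetical diagnostic: shows the base address the app now sees.
        app.Run(ctx => ctx.Response.WriteAsync(
            $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}"));
    }
}
```

Requested through the accelerator, the diagnostic response should start with `https://whatever.domain.com`; a request sent straight to the app with a hand-written `X-Forwarded-Proto` header should still report `http`.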

Justin Dearing

Reputation: 14928

Don't do this. This is a bad idea.

The best way I've figured out how to do this so far is to set OpenIdConnectOptions.Events.OnRedirectToIdentityProvider to a function and in that function you can edit the ProtocolMessage.RedirectUri in the RedirectContext parameter that gets passed.

/// <seealso cref="OpenIdConnectEvents.OnRedirectToIdentityProvider"/>
public async Task OnRedirectToIdentityProvider(RedirectContext redirectContext)
{
    redirectContext.ProtocolMessage.RedirectUri =
        "https://whatever.domain.com/virtual-dir";
}

Upvotes: 1
