Mikerad
Mikerad

Reputation: 141

Getting "The page was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint" for '.well-known/openid-configuration'

I have an ASP.NET Core hosted Blazor WebAssembly project that uses IdentityServer 4 to manage logins and registration. When I debug and log into my app, the endpoint '.well-known/openid-configuration' is served over HTTPS, but when I run the published version in Docker it is served over HTTP, which breaks my login page. How can I get it served over HTTPS?

The full error is: AuthenticationService.js:1 Mixed Content: The page at 'https://musicfusion.app/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://musicfusion.app/.well-known/openid-configuration'. This request has been blocked; the content must be served over HTTPS.

Edit: My Startup.cs

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.ResponseCompression;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System.Linq;
using Soundbox.Server.Data;
using Soundbox.Shared;
using System;
using Blazored.Toast;
using test.Server.Hubs;
using Microsoft.AspNetCore.Identity.UI.Services;
using test.Server.Services;
using Microsoft.AspNetCore.HttpOverrides;

namespace test.Server
{
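    public class Startup
    {
        /// <summary>
        /// Creates the startup instance with the host-provided configuration.
        /// </summary>
        /// <param name="configuration">Application configuration (appsettings, environment, ...).</param>
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        /// <summary>Application configuration injected by the host.</summary>
        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlite("Data Source=/data/test.db"));
            services.AddBlazoredToast();
            services.Configure<APIKeys>(Configuration.GetSection("APIKeys"));
            services.Configure<AuthMessageSenderOptions>(Configuration.GetSection("Emails"));

            // Single place to configure forwarded-header handling; Configure() picks these
            // options up via app.UseForwardedHeaders(). X-Forwarded-Proto is what lets
            // Request.Scheme become "https" when TLS is terminated by the proxy in front of
            // the container, which is what IdentityServer's URL generation and
            // UseHttpsRedirection look at.
            // NOTE(review): the middleware only honours these headers from proxies listed in
            // options.KnownProxies / options.KnownNetworks (loopback by default). Add the
            // proxy's address there (e.g. options.KnownProxies.Add(<proxy IP>)) rather than
            // clearing the lists, otherwise any client can spoof its scheme and source IP.
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            });

            services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddIdentityServer()
                .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

            services.AddAuthentication()
                .AddIdentityServerJwt();

            services.AddControllersWithViews();

            // Identity's confirmation / password-reset mails go through this sender
            // (EmailSender lives in test.Server.Services).
            services.AddTransient<IEmailSender, EmailSender>();

            services.AddRazorPages();
            services.AddSignalR();
            services.AddResponseCompression(opts =>
            {
                // Also compress application/octet-stream responses (the Blazor framework
                // payloads are typically served with this content type).
                opts.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
                    new[] { "application/octet-stream" });
            });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            // Must run first. HSTS, HTTPS redirection, IdentityServer's discovery document and
            // authentication all read Request.Scheme/Host, and this middleware is what rewrites
            // them from the proxy's X-Forwarded-* headers. Placing it after UseIdentityServer
            // (as before) meant the discovery document was built from the plain-HTTP scheme of
            // the hop into the container. Parameterless overload: uses the options registered
            // in ConfigureServices instead of a second, unrelated options instance.
            app.UseForwardedHeaders();

            app.UseResponseCompression();
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
                app.UseWebAssemblyDebugging();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseBlazorFrameworkFiles();
            app.UseStaticFiles();

            app.UseRouting();

            app.UseIdentityServer();
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapRazorPages();
                endpoints.MapControllers();
                endpoints.MapHub<PlaylistHub>("/playlisthub");
                endpoints.MapFallbackToFile("index.html");
            });

            UpdateDatabase(app);
        }

        /// <summary>
        /// Applies pending EF Core migrations at startup so the SQLite database inside the
        /// container is created/updated without a separate migration step.
        /// </summary>
        /// <param name="app">The application builder whose service provider supplies the DbContext.</param>
        private static void UpdateDatabase(IApplicationBuilder app)
        {
            using (var serviceScope = app.ApplicationServices
                .GetRequiredService<IServiceScopeFactory>()
                .CreateScope())
            {
                // GetRequiredService: a missing DbContext registration fails with a clear
                // InvalidOperationException instead of a NullReferenceException on Migrate().
                using (var context = serviceScope.ServiceProvider.GetRequiredService<ApplicationDbContext>())
                {
                    context.Database.Migrate();
                }
            }
        }
    }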
}

Upvotes: 7

Views: 2461

Answers (5)

Ogglas
Ogglas

Reputation: 69968

@Carl and @Jared are correct, but simply forcing HTTPS won't work if you are behind a load balancer or something similar.

https://leastprivilege.com/2017/10/09/new-in-identityserver4-v2-simplified-configuration-behind-load-balancers-or-reverse-proxies/

Example of a request made via HTTPS whose response lists endpoint links in HTTP, from an app hosted in GCP Cloud Run. The exact same code served HTTPS endpoints in Azure and IIS.


The recommended approach is using PublicOrigin in IdentityServer4:

// Overrides the origin (scheme + host) IdentityServer uses when it composes absolute
// URLs, independent of how the request actually reached the app. The origin is
// hard-coded here; presumably this middleware has to be registered before
// UseIdentityServer() so the value is in place when the discovery document is built.
app.Use(async (ctx, next) =>
{
    ctx.SetIdentityServerOrigin("https://example.com");
    await next();
});

or

// Rewrites every request to look as if it arrived over https at example.com,
// regardless of the real connection. Anything downstream that inspects
// Request.Scheme / Request.IsHttps (IdentityServer link generation, HTTPS
// redirection) then sees https, so this only holds up when the proxy in front
// really terminates TLS for all traffic; otherwise plain-HTTP access is masked.
app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    ctx.Request.Host = new HostString("example.com");
    
    await next();
});

https://github.com/IdentityServer/IdentityServer4/issues/4535#issuecomment-647084412

Upvotes: 3

Carl
Carl

Reputation: 1832

If you are using IdentityServer4 then you can put this in your startup:

// Marks every request as https before it reaches IdentityServer, so the links it
// generates use https. The host is left untouched. Because Request.IsHttps is derived
// from Scheme, HTTPS redirection downstream becomes a no-op, so this relies on the
// reverse proxy enforcing TLS on the public side.
app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    await next();
});

IdentityServer will then use https for all links it creates. This helped me a lot, as I'm using a reverse proxy.

Upvotes: 0

Mikerad
Mikerad

Reputation: 141

The solution to this was to have Cloudflare force all traffic to be HTTPS.

Edit: to get it right, follow this tutorial: https://blog.cloudflare.com/how-to-make-your-site-https-only/

Upvotes: -1

Jared
Jared

Reputation: 784

I was struggling with this too and finally came up with a solution. In Startup.ConfigureServices, add the IdentityServer options like this:

        services.AddIdentityServer(options =>
        {
            options.PublicOrigin = Configuration["PublicOrigin"];
        })

Then put the public HTTPS origin in your appsettings.json (e.g. "PublicOrigin": "https://example.com").

Upvotes: 0

Mgwd
Mgwd

Reputation: 534

Adding the following line to startup.cs in the server project seems to have fixed the issue for me:

// Pins the origin IdentityServer uses for the absolute URLs it generates to the public
// https address (hard-coded here). Presumably needs to run before UseIdentityServer().
app.Use((ctx, next) => { ctx.SetIdentityServerOrigin("https://www.my-domain-name-here.co.uk"); return next(); });

Upvotes: 0
