Dev4x

Reputation: 23

IdentityServer4 works only with HTTPS

I'm migrating from Identity Server 3 to 4. I'm having trouble running Identity Server 4 without HTTPS in local development environment. With HTTPS - everything works fine. Without it the user is not authenticated and just redirected to the login page. The cookie is not set.

I know Identity Server 3 used to have the RequireSsl option that is now gone. I've searched the docs for hours but came with nothing.

I'm on IdentityServer4 4.1.1 and AspNet Core 3.1. My Startup.cs looks like this:

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentityServer()
                .AddInMemoryClients(Clients.Get())
                .AddInMemoryIdentityResources(Configs.Resources.GetIdentityResources())
                .AddInMemoryApiResources(Configs.Resources.GetApiResources())
                .AddInMemoryApiScopes(Configs.Resources.GetApiScopes())
                .AddTestUsers(Users.Get())
                .AddDeveloperSigningCredential();

            services.AddControllersWithViews();

            services.AddMvc(options => options.EnableEndpointRouting = false);
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            app.UseRouting();

            app.UseIdentityServer();
            app.UseAuthorization();

            app.UseEndpoints(endpoints => endpoints.MapControllers());

            app.UseStaticFiles();
            app.UseMvcWithDefaultRoute();
        }

What am I missing?

Upvotes: 2

Views: 1958

Answers (1)

d_f

Reputation: 4859

I guess you try it in Chrome. When you open the dev console (F12), most likely you find warnings that a SameSite=None cookie must be secure.

If my above guess is right, there could be two possible causes: you use customized CookieAuthenticationOptions where you explicitly set options.Cookie.SameSite = SameSiteMode.None (looking at your startup, you don't), or the default one is not good for your configuration.

You can tweak it like below:

services.AddIdentityServer(options =>
{
    options.Authentication.CookieSameSiteMode = SameSiteMode.Lax;
});

This will work on localhost, but will block silent refresh for clients hosted beyond your IdSrv's root domain. So you have to choose whether you prefer Lax for production, or just for the home playground (but in general None is not recommended anywhere).

Upvotes: 2
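As an added example (not code from the question or the answer), here is a Startup that applies d_f's Lax tweak only in the Development environment and keeps None together with a forced Secure attribute when the server runs behind HTTPS. The constructor injection of IWebHostEnvironment and the middleware order are assumptions, not taken from the question's Startup.

```csharp
// Added example; assumes IdentityServer4 4.1.x on ASP.NET Core 3.1.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IWebHostEnvironment _env;
    public Startup(IWebHostEnvironment env) => _env = env;
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Plain-HTTP localhost: Lax, because browsers drop a SameSite=None cookie
            // that lacks Secure (the "no cookie, back to login" symptom). HTTPS
            // deployment: keep None for cross-site silent renew; Secure is forced below.
            options.Authentication.CookieSameSiteMode =
                _env.IsDevelopment() ? SameSiteMode.Lax : SameSiteMode.None;
        })
        // Register clients, resources and users here as in the question.
        .AddDeveloperSigningCredential();
        // Outside development, stamp Secure on every cookie the app issues.
        services.Configure<CookiePolicyOptions>(policy =>
        {
            policy.Secure = _env.IsDevelopment()
                ? CookieSecurePolicy.SameAsRequest
                : CookieSecurePolicy.Always;
        });
        services.AddControllersWithViews();
    }
    public void Configure(IApplicationBuilder app)
    {
        if (!_env.IsDevelopment())
        {
            app.UseHttpsRedirection();   // never serve the login flow over HTTP in prod
        }
        app.UseStaticFiles();
        app.UseRouting();
        app.UseCookiePolicy();           // applies CookiePolicyOptions to outgoing cookies
        app.UseIdentityServer();         // adds the authentication cookie handling
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```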
