Reputation: 41
OrchardCore OpenId /authorize redirects to http (instead of https)
I'm currently running an OrchardCore CMS as OpenID Provider behind a nginx reverse proxy. I've entered the https URL as BaseUrl and Authority and a call to /openid-configurationstates all correct urls (Authorization Code with PKCE).
But on signing in, I get the following response:
GET https:.../connect/authorize => 302 location: http://../connect/authorize?request_id=...
GET http://../connect/authorize?request_id=... => 302 location: https://../connect/authorize?request_id=...
So basically it goes from https to http to https. Beside this being a potential security risk, it does not work with silent_renew as it uses an iframe where the browser blocks the request (correctly) stating that mixed content is not allowed.
This seems to be related to the reverse proxy, as it works correctly when hosted without it.
Any idea what I might be missing?
Upvotes: 0
Views: 523
Answers (1)
Reputation: 41
Just for reference:
Orchard Core has a feature/module 'Reverse Proxy Configuration'. This allows you to enable the header X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host forwarding which fixed my problem.
Upvotes: 4
Related Questions
- OpenIdConnect redirects to http instead of https
- Redirect URI sent as HTTP and not HTTPS in app running HTTPS
- Why is IdentityServer redirecting to http rather than https?
- WebApp behind IIS reverse proxy sets wrong signin_oidc redirect_uri while authenticating against external IdentityServer via OIDC
- AzureAD middleware breaking because of HTTP/HTTPS redirectUri issue
- IdentityServer4 throws HTTP 404 when redirecting to /sigin-oidc
- AspNetCore Azure AD Connect Callback URL is http, not https
- ASP.NET Core app is behind a ssl proxy server and Reply to URL is http:// not https://
- How to remove SSL redirect in Orchard site using backend?
- OpenId Connect Owin Middleware with Orchard CMS 1.9.2