MateoSkyline

Reputation: 367

OpenIdConnect redirects to http instead of https

I have a problem with integrating an ASP.NET Core 5.0 web application with Okta. My company needs all web apps to be integrated with Okta. The app I am writing about is hosted on a Fargate cluster as a Linux container (and will use an Application Load Balancer + AWS certificate to use HTTPS). The container runs on HTTP and is redirected to HTTPS by the ALB.

When I access the application hostname (https://exampleapp.companyname.com) it tries to redirect me to the following link:

https://dev-1234567.okta.com/oauth2/default/v1/authorize?client_id=xyz&redirect_uri=http://exampleapp.companyname.com/signin-oidc&response_type=code&scope=openid profile email&code_challenge=xyz&code_challenge_method=S256&response_mode=form_post&nonce=xyz&x-client-ver=6.7.1.0

As you can see, this redirect_uri points me to an http endpoint, which gives me error 400 (because in Okta I have no http Sign-in redirect URI specified, only HTTPS).

Why does Okta try to redirect me to http:// when I access the page from https://? If I try to add the http:// address to Okta's Sign-in URIs, this error occurs when I try to access the page:

The information you’re about to submit is not secure

and when I click the "Send anyway" button, the page shows an ASP.NET Core error:

System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: OpenIdConnectAuthenticationHandler: message.State is null or empty.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

How can I make it work in this environment? On localhost everything works like a charm, both HTTP and HTTPS. Before, I had to do some tricks with cookies (SameSiteMode etc.) because the page showed me correlation errors.

This is the ConfigureServices in Startup.cs used in the project:

// using directives needed at the top of Startup.cs:
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages();

    services.AddAuthentication(options =>
    {
        // Sessions live in the cookie scheme; unauthenticated requests are challenged via OIDC.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.SameSite = SameSiteMode.Lax;
    })
    .AddOpenIdConnect(options =>
    {
        // Both cookies are marked Secure, so the browser only sends them back over https.
        options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = oktaOrgUri;
        options.RequireHttpsMetadata = true;
        options.ClientId = oktaClientId;
        options.ClientSecret = oktaClientSecret;
        // Authorization code flow; the handler adds PKCE (code_challenge) automatically.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.SaveTokens = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(oktaClientSecret)),
            NameClaimType = "name",
            RoleClaimType = "groups",
            ValidateIssuer = true
        };
    });

    services.AddAuthorization();
}
oktaOrgUri = https://dev-1234567.okta.com/oauth2/default
oktaClientId and oktaClientSecret are filled with the values from Okta.

Then Configure in Startup.cs:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}

Upvotes: 4

Views: 5123

Answers (2)

Hosuing

Reputation: 1

Before calling ChallengeAsync, set IsHttps to true.

// Marks the current request as https so the challenge builds an https redirect_uri.
HttpContext.Request.IsHttps = true;

await HttpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);

Upvotes: 0

MateoSkyline

Reputation: 367

With some help from my colleagues I've managed to solve this.

The resolution is adding this piece of code to the Configure method of Startup.cs:

// Overrides the scheme of every incoming request before the
// authentication middleware builds the redirect_uri from it.
app.Use((context, next) =>
{
    context.Request.Scheme = "https";
    return next();
});

With this, my application always uses the https scheme and no longer has problems connecting to Okta.

Upvotes: 1
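As an added example (not code from the question or from either answer), the same result can be had without hard-coding https for every request: ASP.NET Core's forwarded-headers middleware sets Request.Scheme from the X-Forwarded-Proto header the ALB adds, and only trusts that header when the request comes from the load balancer's network. The 10.0.0.0/16 network is a placeholder for the ALB subnets' CIDR.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Take the scheme (and client IP) from the proxy headers. X-Forwarded-Host
            // is deliberately not honoured, so a forged Host header cannot change the
            // redirect_uri the OIDC handler builds.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedFor;

            // Trust these headers only when the request arrives from the load balancer's
            // subnets. If every source were trusted (e.g. 0.0.0.0/0), a client that reached
            // the container directly could claim "https" or spoof its source IP.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(
                new IPNetwork(IPAddress.Parse("10.0.0.0"), 16)); // placeholder: ALB subnet CIDR
        });

        // AddAuthentication / AddCookie / AddOpenIdConnect as in the question.
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run first: every later middleware (UseHsts, UseAuthentication and the
        // OIDC challenge that builds redirect_uri) then sees Request.Scheme == "https"
        // for requests the ALB received over TLS, and "http" for anything else.
        app.UseForwardedHeaders();

        // UseHsts / UseStaticFiles / UseRouting / UseAuthentication / ... as in the question.
    }
}
```

Because the scheme now follows what the ALB actually received, a plain-http hit that bypasses the load balancer keeps an http scheme and fails the Okta redirect-URI check instead of silently being treated as secure.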
