Rouzbeh Zarandi

Reputation: 1082

IdentityServer 4 : connect/authorize/callback address not found behind Nginx reverse proxy

Hi, I am new to IdentityServer 4 and am trying to deploy my test project on the server. I have client ids and api project which are dockerized. After playing around with the IdentityServer 4 and Nginx reverse proxy configuration, everything finally works properly except the redirect callback after login.

STORY :

In my reverse proxy I have 3 upstreams, as follows:
  1. The client app, which is accessible at the URL https://xxx.com/ itself. It is configured as:

    location / {
        proxy_pass http://Client;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

I added the code below to the pipeline to set the original URL. Without this I got an invalid redirect URI error (in the configuration setup I set it with the proper address, but the error shows it trying to redirect to https://Client/signin-oidc).

app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    ctx.Request.Host = new HostString("xxx.com");
    
    await next();
});
  2. IdentityServer 4, which is accessible at the base URL https://xxx.com/identity, and I can also get the configuration properly with the proper addresses. It is configured as:

    location /identity/ {
        proxy_pass http://Identity/;

        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
    }

Same here: I added the code below to the pipeline to set the original URL for IdentityServer.

app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    ctx.Request.Host = new HostString("xxx.com/identity/");
    
    await next();
});

Without this, in openid-configuration I had the wrong addresses, like https://identity/connect....

  3. The API resource, which is not the problem here and is accessible at the URL https://xxx.com/api/....

UPSTREAMS:
    upstream Client {
        zone Client 64k;
        server localhost:5001;
    }

    upstream Identity {
        zone Identity 64k;
        server localhost:9001;
    }

Problem:

Now with this config everything works. I am redirected to the login page with the proper URL

https://xxx.com/identity/Account/Login?ReturnUrl=%......

but after login it should go to

https://xxx.com/identity/connect/authorize/callback?client_id=

but it redirects to

https://xxx.com/connect/authorize/callback?client_id=

which is not valid, and obviously I get "page can't be found".

If I add identity to the same URL, it works properly and goes to the home page of the client, since I have cookies and am authorized.

I don't know if I messed up something here by adding the middleware for the origin URL or if I missed some configuration in Nginx.

Upvotes: 2

Views: 830

Answers (1)

Rouzbeh Zarandi

Reputation: 1082

The problem was in my middleware pipeline. Before, I had defined the base URL for my IdentityServer as

app.Use(async (ctx, next) => 
{ 
    ctx.Request.Scheme = "https"; 
    ctx.Request.Host = new HostString("xxx.com/identity/");
    
    await next(); 
});

which was OK. I got the correct discovery configuration with correct URLs, was redirected to the correct URL for login, and navigated around IdentityServer without problems, except for connect/authorize on the redirect after login, as I explained in the question.

I changed it as follows:

app.Use(async (ctx, next) => 
{ 
    ctx.Request.Scheme = "https"; 
    ctx.Request.Host = new HostString("xxx.com");
    ctx.Request.PathBase = new PathString("/identity");
    await next(); 
});

And for now my problem is solved. I won't mark this solution as the answer, since I don't have any idea if this is the standard solution and best practice.

Upvotes: 3
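
The answer above hard-codes the scheme and host inside the app. As an added example (not code from the question or the answer), the helper below takes scheme and host from the proxy's X-Forwarded-* headers only when the connection comes from the known proxy address and the forwarded host is the expected public host, then sets the path base that Nginx strips. Assumptions: ASP.NET Core 3.1, Nginx additionally sends `proxy_set_header X-Forwarded-Proto $scheme;`, and the names `ReverseProxyExtensions`, `AddTrustedProxy` and `UseTrustedProxy` plus the proxy address passed in are hypothetical.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class; the names are illustrative, not from the original post.
public static class ReverseProxyExtensions
{
    // proxyAddress: the address the app sees Nginx connecting from (assumption:
    // in a container this is usually the Docker bridge gateway, not 127.0.0.1).
    // publicHost: the only host value accepted from X-Forwarded-Host, e.g. "xxx.com".
    public static IServiceCollection AddTrustedProxy(
        this IServiceCollection services, IPAddress proxyAddress, string publicHost)
    {
        return services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Let the proxy supply scheme and host instead of hard-coding them.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Drop the default loopback entries and trust exactly one proxy.
            // Headers arriving from any other peer are ignored.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(proxyAddress);

            // Reject a forwarded host other than the public one, so a spoofed
            // header cannot end up in the discovery document or in redirects.
            options.AllowedHosts.Add(publicHost);
        });
    }

    // pathBase: the prefix Nginx removes before proxying, e.g. "/identity".
    public static IApplicationBuilder UseTrustedProxy(
        this IApplicationBuilder app, string pathBase)
    {
        // Must run before anything that builds absolute or relative URLs.
        app.UseForwardedHeaders();

        // "location /identity/" with "proxy_pass http://Identity/;" strips the
        // prefix, so the app has to be told about it to generate correct links.
        app.Use((ctx, next) =>
        {
            ctx.Request.PathBase = new PathString(pathBase);
            return next();
        });
        return app;
    }
}
```

Call `services.AddTrustedProxy(proxyAddress, "xxx.com")` in `ConfigureServices` and `app.UseTrustedProxy("/identity")` at the start of `Configure`, before `app.UseIdentityServer()`.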
