
Setup Identity Server 4 Reverse proxy

Edit: more detailed explanation

We have the following setup:

  1. NGINX reverse proxy set to do SSL offload. All internal communication goes through HTTP. The setup of the redirect is like this:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Original-Proto $scheme;
    proxy_cache_bypass $http_upgrade;

  2. IS4 has the following setup before app.UseIdentityServer

    var fordwardedHeaderOptions = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };
    fordwardedHeaderOptions.KnownNetworks.Clear();
    fordwardedHeaderOptions.KnownProxies.Clear();
    app.UseForwardedHeaders(fordwardedHeaderOptions);

  3. On the client side RequireHttpsMetadata is being set to FALSE

  4. On the IS4 side all the Clients are configured to have HTTPS addresses for "RedirectUris" and "PostLogoutRedirectUris".

  5. On the Client side IdentityServerAuthenticationOptions are configured like this:

    new IdentityServerAuthenticationOptions
    {
        Authority = "https://[OAUTH_ADDRESS]",
        ApiName = "[API_NAME]",
        ApiSecret = "[API_SECRET]",
        RequireHttpsMetadata = false
    }

What actually happens is that when we try to visit one of our Clients registered in IS4 and the request is redirected to IS4 for authentication, we get an "Unauthorized client" message screen. Furthermore, after inspecting the query string of the redirected request, we can see that the return URL is HTTP instead of HTTPS.

Please advise.

The default behaviour of Identity Server's discovery endpoint is to use the scheme (Http vs Https) from the request that was made to the endpoint.

Since your identity server is being hit using HTTP (since it's behind the reverse proxy) the endpoint information it's giving out will also use HTTP.

You can see this for yourself by navigating to http://[OAUTH_ADDRESS]/.well-known/openid-configuration

The latest version of Identity Server includes an origin option that allows you to force the base url to HTTPS. Use as follows:

services.AddIdentityServer(options =>
{
    options.PublicOrigin = "https://[OAUTH_ADDRESS]";
});

Your setup may vary, but in case you are still on IdentityServer version < 2, I remember that setting RequireHeaderSymmetry = false as well worked for us:

var forwardOptions = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
    RequireHeaderSymmetry = false
};

forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardOptions);

The issue has been discussed here as well.
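The following Startup is an added example that is not part of the question or either answer. It combines both suggestions above (PublicOrigin from the first answer, RequireHeaderSymmetry = false from the second) with one change a reviewer would ask for: instead of calling KnownNetworks.Clear() and KnownProxies.Clear(), which makes the app accept X-Forwarded-For and X-Forwarded-Proto from any client that can reach Kestrel directly and so lets a caller spoof its source address and scheme, it trusts those headers only from the network NGINX connects from. The proxy network 10.0.0.0/24, the placeholders [OAUTH_ADDRESS] and [CLIENT_ADDRESS], and the client id "mvc" are assumptions for illustration.

```csharp
// Added example for IdentityServer4 behind an SSL-offloading NGINX proxy.
// Assumptions (not from the page): NGINX reaches Kestrel from 10.0.0.0/24,
// [OAUTH_ADDRESS] and [CLIENT_ADDRESS] are placeholders, client id "mvc".
using System.Collections.Generic;
using System.Net;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Redirect URIs are HTTPS, as in the question's client configuration.
    private static readonly IEnumerable<Client> Clients = new[]
    {
        new Client
        {
            ClientId = "mvc",                               // assumed client id
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("secret".Sha256()) }, // placeholder secret
            RedirectUris = { "https://[CLIENT_ADDRESS]/signin-oidc" },
            PostLogoutRedirectUris = { "https://[CLIENT_ADDRESS]/signout-callback-oidc" },
            AllowedScopes = { "openid", "profile" }
        }
    };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
            {
                // Discovery document, issuer and return URLs are built from this
                // origin instead of the HTTP scheme NGINX uses to reach Kestrel.
                options.PublicOrigin = "https://[OAUTH_ADDRESS]"; // placeholder
            })
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile()
            })
            .AddInMemoryClients(Clients);
    }

    public void Configure(IApplicationBuilder app)
    {
        var forwardOptions = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
            // Exactly one proxy hop (NGINX) sits in front of the app; deeper
            // X-Forwarded-For chains are not walked.
            ForwardedLimit = 1,
            // The second answer's setting for older versions; NGINX above sends
            // both headers, so symmetry could also stay at the default (true).
            RequireHeaderSymmetry = false
        };

        // Trust the forwarded headers only from the network NGINX connects from.
        // The defaults already contain loopback; adding to the list rather than
        // calling Clear() means a direct request to Kestrel from elsewhere has
        // its X-Forwarded-* headers ignored instead of believed.
        forwardOptions.KnownNetworks.Add(
            new IPNetwork(IPAddress.Parse("10.0.0.0"), 24)); // assumed proxy network

        // Forwarded headers must be applied before IdentityServer (and before any
        // middleware that inspects the scheme or remote address).
        app.UseForwardedHeaders(forwardOptions);
        app.UseIdentityServer();
    }
}
```

After deploying, requesting http://[OAUTH_ADDRESS]/.well-known/openid-configuration through NGINX should return an https issuer and https endpoint URLs; if a request sent to Kestrel directly with a forged X-Forwarded-Proto: https header still shows http in HttpContext.Request.Scheme, the KnownNetworks restriction is doing its job.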
