AddAuthentication with AddOpenIdConnect, and webapp behind a proxy produce different callback URIs depending on client side rendering or server side rendering #57916
Labels: area-security; Needs: Author Feedback (the author of this issue needs to respond in order for us to continue investigating this issue); Needs: Repro (indicates that the team needs a repro project to continue the investigation on this issue)
Is there an existing issue for this?
Describe the bug
The environment has a reverse proxy server (yarp) (front-end facing), with an identity server (using OpenIddict) and a web app (Blazor). All nodes run on docker images. I have two solutions for the web app. One is client side rendering and the other is server side rendering (dotnet 8). The proxy server forwards headers to the nodes behind, and each node behind is configured to handle the forwarded headers, i.e.
Both web apps are identical with the core logic and configuration, i.e.
The login path works great, with the correct callback login URI (my.domain.net/callback/login) regardless of client side rendering or server side rendering. The logout path differs. It has the correct callback logout URI (my.domain.net/callback/logout) with the client side rendering solution, but the wrong callback logout URI (my.docker.node.host/callback/logout) with the server side rendering solution (I'm running one solution at a time, on the same docker host, i.e. my.docker.node.host). I have no idea why it should differ, since the environments are identical, the only difference being that one solution is client side rendering and the other is server side rendering. And even more confusing is that both solutions have the correct callback login.
I also verified the difference by setting a break point at the OnRemoteSignOut event, and exploring the context object. The Host attribute with the request to the identity server has the my.docker.node.host value, and not the expected my.domain.net value, when running the server side rendering solution.
Expected Behavior
That the forwarded headers with host information should apply to the HttpContext Host value, and be reflected in the produced callback URI given to the Identity Server. This behavior is correct in both solutions when logging in, but differs when logging out. Both solutions have the same configuration and core logic.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
Microsoft.AspNetCore.App 8.0.8, and Microsoft.NETCore.App 8.0.8
Anything else?
No response
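One way to check which host the app actually sees on each request, added here as an example and not the reporter's code (their forwarded-headers configuration is not shown on the page). It assumes a minimal-hosting Program.cs; the proxy address 172.18.0.2 is a constructed placeholder, and my.domain.net is the public name from the report.

```csharp
// Added example: trust forwarded headers only from the proxy, then log what was applied.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(o =>
{
    // X-Forwarded-Host is opt-in; without it Request.Host stays the container host.
    o.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                       | ForwardedHeaders.XForwardedProto
                       | ForwardedHeaders.XForwardedHost;

    // Accept forwarded values only from the reverse proxy (placeholder address).
    o.KnownNetworks.Clear();
    o.KnownProxies.Clear();
    o.KnownProxies.Add(IPAddress.Parse("172.18.0.2"));

    // Refuse any forwarded host other than the public name.
    o.AllowedHosts.Add("my.domain.net");
});

var app = builder.Build();

// Must run before authentication and anything else that builds absolute URIs.
app.UseForwardedHeaders();

// Diagnostic only: log the effective host next to the raw headers.
// The middleware removes forwarded values it consumed and stores the previous
// Host in X-Original-Host, so a non-empty X-Forwarded-Host at this point means
// the value was NOT applied (untrusted sender or host not in AllowedHosts).
app.Use(async (ctx, next) =>
{
    app.Logger.LogInformation(
        "path={Path} effective={Scheme}://{Host} remote={Remote} " +
        "unapplied-xfh={Xfh} original-host={Orig}",
        ctx.Request.Path, ctx.Request.Scheme, ctx.Request.Host,
        ctx.Connection.RemoteIpAddress,
        ctx.Request.Headers["X-Forwarded-Host"].ToString(),
        ctx.Request.Headers["X-Original-Host"].ToString());
    await next();
});

app.MapGet("/", () => "ok");
app.Run();
```

Comparing the log lines for the login and logout requests in both rendering modes shows whether the request that triggers sign-out arrives with the forwarded host applied.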