With google auth, how do I setup asp.net core to request https redirects when asp.net core is running http...
The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.
On the apache side, I followed a tutorial that supposedly forwards the protcol using
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
However it does not work correctly. More information below and interesting security ramifications.
Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.
I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.
Below is the only code relating to Authentication:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddGoogle(options =>
{
options.ClientId = Configuration["Authentication:Google:ClientId"];
options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
})
.AddCookie(options =>
{
options.LoginPath = "/auth/signin";
});
Note, that in my code I am NOT using app.UseHttpsRedirection();
apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
add a comment |
The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.
On the apache side, I followed a tutorial that supposedly forwards the protcol using
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
However it does not work correctly. More information below and interesting security ramifications.
Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.
I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.
Below is the only code relating to Authentication:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddGoogle(options =>
{
options.ClientId = Configuration["Authentication:Google:ClientId"];
options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
})
.AddCookie(options =>
{
options.LoginPath = "/auth/signin";
});
Note, that in my code I am NOT using app.UseHttpsRedirection();
apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
add a comment |
The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.
On the apache side, I followed a tutorial that supposedly forwards the protcol using
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
However it does not work correctly. More information below and interesting security ramifications.
Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.
I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.
Below is the only code relating to Authentication:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddGoogle(options =>
{
options.ClientId = Configuration["Authentication:Google:ClientId"];
options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
})
.AddCookie(options =>
{
options.LoginPath = "/auth/signin";
});
Note, that in my code I am NOT using app.UseHttpsRedirection();
apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.
On the apache side, I followed a tutorial that supposedly forwards the protcol using
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
However it does not work correctly. More information below and interesting security ramifications.
Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.
I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.
Below is the only code relating to Authentication:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddGoogle(options =>
{
options.ClientId = Configuration["Authentication:Google:ClientId"];
options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
})
.AddCookie(options =>
{
options.LoginPath = "/auth/signin";
});
Note, that in my code I am NOT using app.UseHttpsRedirection();
apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1
apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
edited Nov 27 '18 at 17:25
Dr. A
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
asked Nov 26 '18 at 0:16
Dr. ADr. A
6991610
6991610
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:
RequestHeader set "X-Forwarded-For"
RequestHeader set "X-Forwarded-Proto" "https"
Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53473317%2fwith-google-auth-how-do-i-setup-asp-net-core-to-request-https-redirects-when-as%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:
RequestHeader set "X-Forwarded-For"
RequestHeader set "X-Forwarded-Proto" "https"
Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
add a comment |
Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:
RequestHeader set "X-Forwarded-For"
RequestHeader set "X-Forwarded-Proto" "https"
Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
add a comment |
Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:
RequestHeader set "X-Forwarded-For"
RequestHeader set "X-Forwarded-Proto" "https"
Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:
RequestHeader set "X-Forwarded-For"
RequestHeader set "X-Forwarded-Proto" "https"
Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
answered Nov 27 '18 at 17:36
Dr. ADr. A
6991610
6991610
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53473317%2fwith-google-auth-how-do-i-setup-asp-net-core-to-request-https-redirects-when-as%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
