With google auth, how do I setup asp.net core to request https redirects when asp.net core is running http...












-1















enter image description here



The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.



On the apache side, I followed a tutorial that supposedly forwards the protcol using



RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}


However it does not work correctly. More information below and interesting security ramifications.



Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.



I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.



Below is the only code relating to Authentication:



services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddGoogle(options =>
{
options.ClientId = Configuration["Authentication:Google:ClientId"];
options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
})
.AddCookie(options =>
{
options.LoginPath = "/auth/signin";
});


Note, that in my code I am NOT using app.UseHttpsRedirection();










share|improve this question





























    -1















    enter image description here



    The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.



    On the apache side, I followed a tutorial that supposedly forwards the protcol using



    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}


    However it does not work correctly. More information below and interesting security ramifications.



    Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.



    I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.



    Below is the only code relating to Authentication:



    services.AddAuthentication(options =>
    {
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddGoogle(options =>
    {
    options.ClientId = Configuration["Authentication:Google:ClientId"];
    options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
    })
    .AddCookie(options =>
    {
    options.LoginPath = "/auth/signin";
    });


    Note, that in my code I am NOT using app.UseHttpsRedirection();










    share|improve this question



























      -1












      -1








      -1








      enter image description here



      The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.



      On the apache side, I followed a tutorial that supposedly forwards the protcol using



      RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}


      However it does not work correctly. More information below and interesting security ramifications.



      Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.



      I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.



      Below is the only code relating to Authentication:



      services.AddAuthentication(options =>
      {
      options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      })
      .AddGoogle(options =>
      {
      options.ClientId = Configuration["Authentication:Google:ClientId"];
      options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
      })
      .AddCookie(options =>
      {
      options.LoginPath = "/auth/signin";
      });


      Note, that in my code I am NOT using app.UseHttpsRedirection();










      share|improve this question
















      enter image description here



      The above configuration has an asp.net core app using google authentication. But for some reason the authentication redirect to Google was sending a redirect URI using http instead of https. No matter where I look, there doesn't seem to have a way to change this in the middleware.



      On the apache side, I followed a tutorial that supposedly forwards the protcol using



      RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}


      However it does not work correctly. More information below and interesting security ramifications.



      Now, since kestrel is running http it defaults to setting the "redirect URI" for google authentication to use the http protocol.



      I have the above scenario working with http redirect URIs. I've wiresharked this and it works with the HTTP redirect URI! Hmm, I'm only allowing https in though. So I tcpdump the interaction on my server and I find that because apache requires https, it throws an HTTP 301 moved permanently to https. Great that's what I would expect. What I didn't expect was Google to redirect to the https protocol. OK, not ideal, but it works so why am I asking? It sends the data over http first to get the 301 so I've lost encryption at that point. If someone is snooping, they can read Google's entire response. I.e. I can see google post back on http with tcpdump.



      Below is the only code relating to Authentication:



      services.AddAuthentication(options =>
      {
      options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
      })
      .AddGoogle(options =>
      {
      options.ClientId = Configuration["Authentication:Google:ClientId"];
      options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
      })
      .AddCookie(options =>
      {
      options.LoginPath = "/auth/signin";
      });


      Note, that in my code I am NOT using app.UseHttpsRedirection();







      apache asp.net-core reverse-proxy google-authentication asp.net-core-2.1






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 27 '18 at 17:25







      Dr. A

















      asked Nov 26 '18 at 0:16









      Dr. ADr. A

      6991610




      6991610
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:



          RequestHeader set "X-Forwarded-For"
          RequestHeader set "X-Forwarded-Proto" "https"


          Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53473317%2fwith-google-auth-how-do-i-setup-asp-net-core-to-request-https-redirects-when-as%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:



            RequestHeader set "X-Forwarded-For"
            RequestHeader set "X-Forwarded-Proto" "https"


            Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.






            share|improve this answer




























              0














              Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:



              RequestHeader set "X-Forwarded-For"
              RequestHeader set "X-Forwarded-Proto" "https"


              Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.






              share|improve this answer


























                0












                0








                0







                Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:



                RequestHeader set "X-Forwarded-For"
                RequestHeader set "X-Forwarded-Proto" "https"


                Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.






                share|improve this answer













                Although, I'm still interested in finding a way to change the value of the Redirect URI sent to google from asp.net core using the ".AddGoogle" authentication, I was able to solve the problem by changing the apache configuration to:



                RequestHeader set "X-Forwarded-For"
                RequestHeader set "X-Forwarded-Proto" "https"


                Essentially hardcoding the protocol forced it to pass "https" to the asp.net core middleware and it now works correctly.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 27 '18 at 17:36









                Dr. ADr. A

                6991610




                6991610
































                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53473317%2fwith-google-auth-how-do-i-setup-asp-net-core-to-request-https-redirects-when-as%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    404 Error Contact Form 7 ajax form submitting

                    How to know if a Active Directory user can login interactively

                    Refactoring coordinates for Minecraft Pi buildings written in Python