C
C#2y ago
no >> body

❔ ASP.NET Core authorization server in Kubernetes environment

I have an authorization server created on OpenIddict library. After removing 
options.DisableTransportSecurityRequirement();
options.DisableTransportSecurityRequirement();
I've started getting errors. For example, when I want to check "https://auth.domain.com/.well-known/openid-configuration" I'm getting this: 
2023-04-24 07:14:57.098 Information - Request starting HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - -
2023-04-24 07:14:57.098 Debug - The request is insecure. Skipping HSTS header.
2023-04-24 07:14:57.098 Debug - The request path /.well-known/openid-configuration does not match a supported file type
2023-04-24 07:14:57.099 Debug - No candidates found for the request path '/.well-known/openid-configuration'
2023-04-24 07:14:57.099 Debug - Request did not match any endpoints
2023-04-24 07:14:57.102 Information - The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}.
2023-04-24 07:14:57.102 Information - Request finished HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - - - 400 168 application/json;charset=UTF-8 4.5390ms
2023-04-24 07:14:57.098 Information - Request starting HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - -
2023-04-24 07:14:57.098 Debug - The request is insecure. Skipping HSTS header.
2023-04-24 07:14:57.098 Debug - The request path /.well-known/openid-configuration does not match a supported file type
2023-04-24 07:14:57.099 Debug - No candidates found for the request path '/.well-known/openid-configuration'
2023-04-24 07:14:57.099 Debug - Request did not match any endpoints
2023-04-24 07:14:57.102 Information - The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}.
2023-04-24 07:14:57.102 Information - Request finished HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - - - 400 168 application/json;charset=UTF-8 4.5390ms
Just for context: I have such services as Traefik and Linkerd, so they also can be involved in causing this problem. I know it is almost impossible to say what I did wrong based on the provided description, but I would be glad for any tips on how I can debug it and find out the reason of this problem.
9 Replies
no >> body
no >> bodyOP2y ago
So, it looks like even when I call endpoint with https scheme, under the hood it uses http protocol Also, my middleware contains 
app.UseHttpsRedirection();
app.UseHttpsRedirection();
I found this documentation and have tried to add the same code: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1#other-proxy-server-and-load-balancer-scenarios-1 
builder.Services.Configure<ForwardedHeadersOptions>(
    options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    });
...
app.UseForwardedHeaders();
builder.Services.Configure<ForwardedHeadersOptions>(
    options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    });
...
app.UseForwardedHeaders();
After that the error changed and now I'm getting this: 
2023-04-24 08:15:18.138 Information - Request starting HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - -
2023-04-24 08:15:18.139 Debug - Wildcard detected, all requests with hosts will be allowed.
2023-04-24 08:15:18.139 Verbose - All hosts are allowed.
2023-04-24 08:15:18.140 Debug - The request is insecure. Skipping HSTS header.
2023-04-24 08:15:18.142 Debug - Unknown proxy: [::ffff:10.244.1.22]:47336
2023-04-24 08:15:18.143 Warning - Failed to determine the https port for redirect.
2023-04-24 08:15:18.144 Debug - The request path /.well-known/openid-configuration does not match a supported file type
2023-04-24 08:15:18.166 Debug - No candidates found for the request path '/.well-known/openid-configuration'
2023-04-24 08:15:18.166 Debug - Request did not match any endpoints
2023-04-24 08:15:18.210 Information - The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}.
2023-04-24 08:15:18.138 Information - Request starting HTTP/1.1 GET http://auth.domain.com/.well-known/openid-configuration - -
2023-04-24 08:15:18.139 Debug - Wildcard detected, all requests with hosts will be allowed.
2023-04-24 08:15:18.139 Verbose - All hosts are allowed.
2023-04-24 08:15:18.140 Debug - The request is insecure. Skipping HSTS header.
2023-04-24 08:15:18.142 Debug - Unknown proxy: [::ffff:10.244.1.22]:47336
2023-04-24 08:15:18.143 Warning - Failed to determine the https port for redirect.
2023-04-24 08:15:18.144 Debug - The request path /.well-known/openid-configuration does not match a supported file type
2023-04-24 08:15:18.166 Debug - No candidates found for the request path '/.well-known/openid-configuration'
2023-04-24 08:15:18.166 Debug - Request did not match any endpoints
2023-04-24 08:15:18.210 Information - The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}.
And the 10.244.1.22 is an inner ip of the POD where authentification server is running After adding this everything works correctly 
ApplySelfProxy();
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseSerilogRequestLogging();
app.MapRazorPages();
app.MapDefaultControllerRoute();
app.Run();

void ApplySelfProxy()
{
    if (!System.Net.NetworkInformation.NetworkInterface.GetIsNetworkAvailable())
    {
        throw new Exception("No network available");
    }

    Logger logger = new LoggerConfiguration().WriteTo.Console().CreateLogger();

    IPHostEntry host = Dns.GetHostEntry(Dns.GetHostName());

    var options = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };

    foreach (IPAddress address in host.AddressList)
    {
        options.KnownProxies.Add(address);
        logger.Information("Added proxy: {Address}", address);
    }

    app.UseForwardedHeaders(options);
}
ApplySelfProxy();
app.UseForwardedHeaders();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseSerilogRequestLogging();
app.MapRazorPages();
app.MapDefaultControllerRoute();
app.Run();

void ApplySelfProxy()
{
    if (!System.Net.NetworkInformation.NetworkInterface.GetIsNetworkAvailable())
    {
        throw new Exception("No network available");
    }

    Logger logger = new LoggerConfiguration().WriteTo.Console().CreateLogger();

    IPHostEntry host = Dns.GetHostEntry(Dns.GetHostName());

    var options = new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    };

    foreach (IPAddress address in host.AddressList)
    {
        options.KnownProxies.Add(address);
        logger.Information("Added proxy: {Address}", address);
    }

    app.UseForwardedHeaders(options);
}
Pobiega
Pobiega2y ago
Are you using https inside the cluster too? its fairly common to let traefik apply https and run http once past the ingress app.UseHttpsRedirection(); will mess with this based on your error messages, it looks like its trying to access your .well-known/openid-configuration but not finding either a file or an endpoint that responds to that
no >> body
no >> bodyOP2y ago
I'm using service mesh. So it should be mTLS for all traffic inside node
Pobiega
Pobiega2y ago
even between traefik and your asp pod?
no >> body
no >> bodyOP2y ago
Yes, namespace for traefic and cert-manager also includes annotations for Linkerd
Pobiega
Pobiega2y ago
Alright. Unusual, but shouldn't be a problem. Forwarding headers is likely a good idea, assuming you've configured it in traefik too and then finally, what seems to be the root cause here is that the request for your .well-known/openid-configuration resource doesnt hit anything
Accord
Accord2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
no >> body
no >> bodyOP2y ago
Why it's unusual? I'm quite new to kubernetes, so probably doing something wrong
Accord
Accord2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server