C#•3y ago

❔ OAuth2 behind a reverse proxy won't work without UseAuthentication.

I setup a default individual auth project using .NET 7 Razor pages, I then set it up to use Google sign in, testing this app as it is in https mode worked fine, I then set the redirect header middleware, ran it in http mode with the redirect header middleware set, it would fail when redirecting back to the app after successfully signing in with

redirect_uri_mismatch

redirect_uri_mismatch

, it does however work fine when

UseAuthentication

UseAuthentication

is set (this isn't set in the default auth project), I'm not too familiar with this middleware, does anyone know how might this be affecting it in such a way where it causes the auth to work as expected when running behind a reverse proxy? And why it wouldn't be needed when running direct.

I have the project in a GH repo https://github.com/jasonalexander-ja/GoogleAuthProxy

I followed the following guides for setting up the auth and redirect headers
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-7.0

https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-7.0

TThaumanovic What's the use case for something like this? I don't follow. <:nervousowo:653990...

Jason AlexanderOP•11/2/23, 9:46 PM

I switched them, I was experimenting to try and see what it takes to get a .NET app with OAuth2 working behind a reverse proxy

Jason AlexanderOP•11/2/23, 10:02 PM

It seems if you don't at least have the forwarding header middleware setup for XForwardedProto then it will use the wrong protocol for the callback URL, further in the actual config for setting up the authentication options I can only find configuration relating to path and not the further URL or protocol; but I have at least got a working example of an oauth2 app working behind a proxy, the fact that I needed the forward headers middleware does make sense to me, but what doesn't is why it also needs the authentication middleware when running it directly does not

Jason AlexanderOP•11/2/23, 10:34 PM

Yeah it seems to be the case accross browsers and devices, and I only just realised I accidently created this thing with .NET 8 by a mistake, I'll try the same in NET 7, looks like I may have found a weird quirk of .NET 8

Jason AlexanderOP•11/2/23, 10:52 PM

Really strange, I used the default generated project for .NET 7 and it too didn't add the authentication middleware, and it too worked directly

Accord•11/4/23, 1:23 AM

Was this issue resolved? If so, run

/close

/close

otherwise I will mark this as stale and this post will be archived until there is new activity.