Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
Hello,
I have a .NET app running in Docker, and nginx is also running in a Docker container. Nginx is a reverse proxy and does SSL termination. I wanted to add Google/Microsoft authentication, but it does not work in production. From localhost it does work.
I think this is the problem:
When I click on the login, the redirect URL is correctly generated using https. I'm also correctly redirected to Google, and then I'm redirected back after sign-in. And then it fails in the .NET app with this error:
AuthenticationFailureException: OAuth token endpoint failure: redirect_uri_mismatch;Description=Bad Request
I think the problem is that the redirect from Google arrives at nginx as https and nginx sends it to the .NET app as http (https vs http), and therefore there is a URL mismatch.
I think I have correctly set up forwarding headers and everything.
This is nginx configuration:
```nginx
location / {
    proxy_pass http://app_site/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_cache_bypass $http_upgrade;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
}
```
This is program.cs
```csharp
var builder = WebApplication.CreateBuilder(args);
// Configure services
...
builder.Services.AddAuthentication()
    .AddGoogle(options =>
    {
        options.ClientId = configuration["AppSettings:Authentication:Google:ClientId"];
        options.ClientSecret = configuration["AppSettings:Authentication:Google:ClientSecret"];
    })
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = configuration["AppSettings:Authentication:Microsoft:ClientId"];
        options.ClientSecret = configuration["AppSettings:Authentication:Microsoft:ClientSecret"];
    });
builder.Services.AddHttpLogging(options =>
{
    options.LoggingFields = HttpLoggingFields.RequestPropertiesAndHeaders;
});
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor |
        ForwardedHeaders.XForwardedProto |
        ForwardedHeaders.XForwardedHost;
    // This is the important part for Docker environments:
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    // This disables the proxy check completely
    options.RequireHeaderSymmetry = false;
    // Allow any proxy since we're in a contained Docker environment
    options.ForwardLimit = null;
});
var app = builder.Build();
app.UseForwardedHeaders();
app.UseHttpLogging();
...
```
this is the screenshot of the error
I have also tried forcing https in program.cs by
```csharp
app.Use((context, next) =>
{
    // Force HTTPS for all URL generation
    context.Request.Scheme = "https";
    return next();
});
```
It didn't help either.
I really don't know where to look and why it just does not work.
It seems like Authentication just ignores forwarded headers when validating the URL, or there is some other problem. I think the redirect URL is correct since it gets redirected to Google, and Google also approves it and allows me to sign in.
Do you have any idea what's wrong?
Thank you
Expected Behavior
No response
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
9.0.202
Anything else?
No response
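
A narrower forwarded-headers setup than the one in the report, as an added example that is not the reporter's code or the ASP.NET Core project's: it trusts only the proxy's network instead of any sender, and logs the scheme and host that the OAuth handlers use when building `redirect_uri`, so the challenge and callback requests can be compared. The subnet `172.18.0.0/16` and the host `app.example.com` are assumed placeholders.

```csharp
// Added example, not the reporter's code. Values marked "assumption" are placeholders.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor |
        ForwardedHeaders.XForwardedProto |
        ForwardedHeaders.XForwardedHost;

    // Remove the loopback defaults, then trust one network only. With both
    // lists left empty the middleware accepts X-Forwarded-* from any sender.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    // Assumption: 172.18.0.0/16 is the Docker network shared with nginx.
    options.KnownNetworks.Add(
        new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("172.18.0.0"), 16));

    // nginx is the only hop, so process a single forwarded entry.
    options.ForwardLimit = 1;

    // Assumption: app.example.com is the public host name. Other
    // X-Forwarded-Host values are not applied.
    options.AllowedHosts.Add("app.example.com");
});

var app = builder.Build();

// Must run before authentication so the handlers see the rewritten values.
app.UseForwardedHeaders();

// The OAuth handlers build redirect_uri from Request.Scheme, Request.Host and
// the callback path, so log what the app sees after header processing.
app.Use(async (context, next) =>
{
    app.Logger.LogInformation(
        "scheme={Scheme} host={Host} remote={Remote} path={Path}",
        context.Request.Scheme,
        context.Request.Host.Value,
        context.Connection.RemoteIpAddress,
        context.Request.Path);
    await next(context);
});

app.MapGet("/", () => "ok");
app.Run();
```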