-
Notifications
You must be signed in to change notification settings - Fork 603
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes issue #1064 #1097
Fixes issue #1064 #1097
Conversation
…k behind proxies and inside Kubernetes. Fixes Sustainsys#1064
Have you checked the In ASP.NET Core another option is to add a separate middleware before |
@AndersAbel I have checked it, yes, and it has no effect, since the Saml2Handler injects the returnUrl based on it's current address, and that takes precedence over PublicOrigin (kind of a The middleware suggestion won't work in the case of https to http downgrade, if the application isn't exposed over http. Since after Sign-in you are redirected to the detected url (a http url), and if there's nothing there answering, then you just get connection failure in your web browser. Like so: |
Any ETA on this PR? |
Sorry to bump an old PR, but is there an ETA on this? I just now ran into this problem and I was able to fix it by updating the GetLocation in the AcsCommand method to swap out the BaseUrl that is found with the configured PublicOrigin, if one is configured. Similar to the fix described here. So for now, we are working off of a forked version of this repository. Would love to update to use the mainline again :) |
This shows one of the many reasons why it is time for a redesign, as planned for v3. The current target-all-platforms-all-frameworks architecture is brittle. I'm closing this as won't fix as it won't be fixed in the current architecture. |
@AndersAbel i appreciate updating this PR. Hopefully it'll help someone else if they run into this as well. I look forward to v3. I really appreciate all the work that has been done on this project! |
Saml2Handler for ASP.NET Core uses private property CurrentUri to determine where the application is running, and uses this as return url for SignIn command.
This does not work if the application is behind a reverse proxy, or running in Kubernetes or any other solution where you have TLS termination before reaching the application.
In Kubernetes, for example, the requests will be:
Browser -> TLS terminating load balancer (https://domain/path) -> Pod (http://domain/path)
The application running inside the pod will determine that its URL is http://domain/path instead of https://domain/path causing a https to http downgrade. In reverse proxy scenarios, this will also affect the domain, and replace it with the reverse proxy address, instead of the public url (see issue #1064).
The fix (and to not break backwards compatibility) is to simply provide a Func to rewrite the redirect URL.
In most scenarios, the return url should be relative, not absolute. But so as not to break backwards compatibility, the Func can be used. Optionally, a flag could be put on options to indicate if we should strip the return url down to a relative URL instead. I still think this PR provides a good hook for other uses, so it shouldn't be replaced with the flag, but the default behavior of the Notifications Func could be made to respect the flag, so we don't need to manually convert the return url to a relative URL.