LINE authentication issue occurring in nginx https, #1004

Open
ahjszll opened this issue Jan 17, 2025 · 3 comments
ahjszll commented Jan 17, 2025

The site is deployed behind nginx with HTTPS, and the callback URI for LINE validation uses HTTPS: https://{ip}//signin-line

Nginx proxy to http://127.0.0.1:5000

The following code seems to have an issue

src/AspNet.Security.OAuth.Line/LineAuthenticationHandler.cs

    protected override async Task<OAuthTokenResponse> ExchangeCodeAsync([NotNull] OAuthCodeExchangeContext context)
    {
        var tokenRequestParameters = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = context.Code,
            ["redirect_uri"] = context.RedirectUri,
            ["client_id"] = Options.ClientId,
            ["client_secret"] = Options.ClientSecret,
        };

        ...
    }

It uses HTTP instead of HTTPS: ["redirect_uri"] = context.RedirectUri

Should be transmitted
https://{ip}//signin-line

But actually
http://{ip}//signin-line

Perhaps we can specify in the options whether HTTPS is enabled or not

@ahjszll ahjszll added the bug label Jan 17, 2025
@martincostello
Member

It's highly likely that your server isn't configured correctly to trust X-Forwarded-* headers, which means that ASP.NET Core can't "see" that it's an HTTPS request, which causes the wrong scheme to be used to build the redirect URL.

See https://learn.microsoft.com/aspnet/core/host-and-deploy/linux-nginx for further details on how to configure this.

@ahjszll
Author

ahjszll commented Jan 17, 2025

Actually, I have already set it correctly: application.UseForwardedHeaders

   if (hostingConfig.UseProxy)
   {
       var options = new ForwardedHeadersOptions
       {
           ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
           // IIS already serves as a reverse proxy and will add X-Forwarded headers to all requests,
           // so we need to increase this limit, otherwise, passed forwarding headers will be ignored.
           ForwardLimit = 2
       };
       application.UseForwardedHeaders(options);
   }

I will double check later

But there is something suspicious:
src/AspNet.Security.OAuth.Line/LineAuthenticationHandler.cs

protected override string BuildChallengeUrl([NotNull] AuthenticationProperties properties, [NotNull] string redirectUri)
  {
      var challengeUrl = base.BuildChallengeUrl(properties, redirectUri);
      return QueryHelpers.AddQueryString(challengeUrl, "prompt", Options.Prompt ? "consent" : string.Empty);
  }

This redirectUri is the correct address and contains https, so my UseForwardedHeaders is effective.

@martincostello
Member

It may be that your application doesn't trust the headers from an upstream proxy, so is ignoring them.
There's information about that here (the content about KnownProxies and KnownNetworks).
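
The trust settings the last reply points to (KnownProxies and KnownNetworks), as an added example that is not code from this issue or from the project: a `Program.cs` that trusts one named proxy, keeps `UseForwardedHeaders` ahead of authentication, and logs what the app sees before and after the headers are applied. Assumptions: a .NET 6+ web project with implicit usings, `10.0.0.10` as a placeholder for the address nginx connects from, and the two logging middlewares, which are hypothetical diagnostics.

```csharp
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(); // the app's own schemes (cookie, LINE) go here; omitted

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Headers are honoured only when the direct peer is a known proxy or network.
    // Loopback is trusted by default; any other proxy address must be listed.
    // Assumption: 10.0.0.10 is a placeholder for the address nginx connects from.
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));
    // Do not clear KnownProxies/KnownNetworks to "make it work": every client could
    // then set X-Forwarded-Proto and X-Forwarded-For itself.
    options.ForwardLimit = 1; // one proxy hop in front of the app
});

var app = builder.Build();

// Diagnostic: what arrives on the wire, before any forwarded header is applied.
// The peer address logged here is the one that has to be trusted above.
app.Use(async (context, next) =>
{
    app.Logger.LogInformation("peer={Peer} X-Forwarded-Proto={Proto}",
        context.Connection.RemoteIpAddress,
        context.Request.Headers["X-Forwarded-Proto"].ToString());
    await next(context);
});

// Must precede UseAuthentication: the OAuth callback (/signin-line) is handled inside
// the authentication middleware, which builds redirect_uri from Request.Scheme.
app.UseForwardedHeaders();

// Diagnostic: the scheme every later middleware, including authentication, will see.
app.Use(async (context, next) =>
{
    app.Logger.LogInformation("effective scheme={Scheme} path={Path}",
        context.Request.Scheme, context.Request.Path);
    await next(context);
});

app.UseAuthentication();
app.MapGet("/", () => "ok");
app.Run();
```

If the first log line shows `X-Forwarded-Proto=https` but the second still reports `http`, the peer address in the first line is not trusted by the options above.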
