We have a asp.net core app running in a container over http with a reverse proxy sitting infront of it doing https. When the OpenId redirect gets triggered for auth it sends back a http redirect url which fails as its not white listed (i think its getting this from the original request being http from the reverse proxy).
Is there a way to force https for the redirect url?
OpenID redirects are whitelisted based on the spec. Getting in the business of specifying a redirect to the authorize route and modifying it once we return is definitely something that breaks OpenID spec compliance.
Out of curiosity, is there any reason why you can’t specify the https redirect URL for the authorize route?
Are you using ASP.NET Core’s OpenID Connect package? The callback path uses the application’s base path, so you just need to set that to https, and I think you would be set.