Hello, we have a .NET 5 application deployed to a Fargate ECS container in AWS. Mostly it acts as an API, but it also serves up a SPA with the .NET SPA Static Files middleware. It is sitting behind an ALB that handles our HTTPS redirection for us. We are using an Okta-hosted login page, and we are running into an issue where the /authorization-code/callback request is being sent via HTTP, and when the redirect occurs, the new request to HTTPS is transformed from a POST to a GET. To my knowledge, this is not an ALB issue but happens browser-side. This gives the user a browser error stating “The information you’re about to submit is not secure”. There is a “Send anyway” button, and when clicked, we get a 500 response. In the Okta application, we have specified both http://{appUrl} and https://{appUrl} as valid callback routes. Removing the http one only gave us an error on the login page that the URL was not in the whitelist.
In an older .NET 4.7.2 application of ours, the Okta middleware allows you to specify the entire callback route, which allowed us to specify HTTPS. In the .NET 5 middleware, we can only set the CallbackPath property. Everything in our AWS setup appears to be correct, so it’s either an issue with our Okta setup, or our application code.
I’m a relative Okta newbie and I am piecing together this thing from little bits of knowledge I pick up here and there, so I’m sure there is some fundamental part of this I misunderstand. I’m happy to provide any additional info upon request.
Thanks in advance!
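The symptom described in the post (Okta posting the authorization code to an http:// callback, the ALB's HTTP-to-HTTPS redirect turning that POST into a GET, and the http://{appUrl} entry being required in the Okta whitelist) is what you typically see when TLS terminates at the load balancer: the container receives plain HTTP, so the OpenID Connect handler builds the redirect_uri from Request.Scheme and sends "http://...". ASP.NET Core ships a Forwarded Headers middleware that rewrites Request.Scheme from the ALB's X-Forwarded-Proto header. The Startup.cs below is an added example, not code from the original post; it uses the generic Microsoft OpenID Connect handler rather than the Okta package, and the Okta domain, client id and secret are placeholders.

```csharp
// Startup.cs for a .NET 5 app running behind an AWS ALB that terminates TLS.
// Added example (not from the original post); Okta values are placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Honour X-Forwarded-Proto (and X-Forwarded-For) from the load balancer so
        // Request.Scheme becomes "https" even though the ALB speaks plain HTTP
        // to the container. Everything downstream that builds absolute URLs,
        // including the OIDC redirect_uri, then uses https.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // By default only loopback proxies are trusted. The ALB's node
            // addresses are not fixed inside a VPC, so the usual choice is to
            // clear these lists; if the VPC CIDR is known, add it to
            // KnownNetworks instead of clearing so only the ALB can assert
            // the scheme (assumption: the ALB is the only path to the task).
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // Placeholder values; substitute the Okta org and application settings.
            options.Authority = "https://{yourOktaDomain}/oauth2/default";
            options.ClientId = "{clientId}";
            options.ClientSecret = "{clientSecret}";
            options.ResponseType = "code";
            options.SaveTokens = true;

            // Same path as in the post. With the forwarded scheme applied, the
            // redirect_uri sent to Okta is https://{appUrl}/authorization-code/callback,
            // so only the https entry needs to be in the Okta redirect URI list.
            options.CallbackPath = "/authorization-code/callback";
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication and before anything that reads
        // Request.Scheme; otherwise the handler still sees "http".
        app.UseForwardedHeaders();

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A quick check that the change took effect: log Request.Scheme (or the "redirect_uri" query parameter in the browser's network tab when the app redirects to Okta) and confirm it reads https. If the application uses the Okta.AspNetCore middleware instead of AddOpenIdConnect, the same UseForwardedHeaders configuration applies, since that middleware also derives the callback URL from the incoming request's scheme (assumption based on how ASP.NET Core authentication handlers build redirect URIs).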