.NET 5 app behind AWS load balancer, /authorization-code/callback redirect is changing POST to GET

Hello, we have a .NET 5 application deployed to Fargate ECS container in AWS. Mostly acts as an API, but also serves up a SPA with the .NET SPA Static Files middleware. It is sitting behind an ALB that handles our HTTPS redirection for us. We are using an Okta-hosted login page, and we are running into an issue where the /authorization-code/callback request is being sent via HTTP, and when the redirect occurs, the new request to HTTPS is transformed from a POST to a GET. To my knowledge, this is not an ALB issue but happens browser-side. This gives the user a browser error stating “The information you’re about to submit is not secure”. There is a “Send anyway” button, and when clicked, we get a 500 response. In the Okta application, we have specified both http://{appUrl} and https://{appUrl} as valid callback routes. Removing the http one only gave us an error on the login page that the URL was not in the whitelist.

In an older .NET 4.7.2 application of ours, the Okta middleware allows you to specify the entire callback route, which allowed us to specify HTTPS. In the .NET 5 middleware, we can only set the CallbackPath property. Everything in our AWS setup appears to be correct, so it’s either an issue with our Okta setup, or our application code.

I’m a relative Okta newbie and I am piecing together this thing from little bits of knowledge I pick up here and there, so I’m sure there is some fundamental part of this I misunderstand. I’m happy to provide any additional info upon request.

Thanks in advance!

You should have callback URLs configured with https://... in your Okta app configuration. Inspect what the callbackUri parameter is in the /authorize call your browser makes to Okta. It should be https://your.app.url/authorization-code/callback

It is http://your.app.url/authorization-code/callback, even though I am initially navigating to the site via https. As stated in my OP, I have both http://your.app.url/authorization-code/callback and https://your.app.url/authorization-code/callback set as callback routes in my app config, however if I remove the http one, I get this error: Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings.

As I said above:

  1. validate what the redirectUri parameter is that is sent to Okta during the call to /authorize
  2. it has to be among the redirect URLs configured in the Okta UI for your app

Based on 2 above, you should be able to fix your app configuration at the hosting site.

Thank you for the input all, turns out all I needed to do was set up header forwarding on my backend.

```csharp
// Honour X-Forwarded-Proto from the ALB so Request.Scheme becomes "https"
app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedProto });
```
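For context, here is a fuller .NET 5 Startup.cs that applies the same fix with the middleware in the order the forwarded-scheme handling needs, plus a small endpoint for checking what scheme the app sees through the ALB. This is an added example, not the thread author's code; it assumes the Okta.AspNetCore package, placeholder Okta values, and that the ALB sits in the VPC range 10.0.0.0/16.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Okta.AspNetCore;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // ALB -> container is plain HTTP; the client's scheme arrives in X-Forwarded-Proto.
            // Unless it is honoured, Request.Scheme is "http" and the OIDC handler builds
            // redirect_uri as http://.../authorization-code/callback.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;
            // Only loopback proxies are trusted by default. ALB node addresses change, so trust
            // the VPC range the ALB sits in (assumed value) instead of leaving both lists empty,
            // which would accept X-Forwarded-* from any client.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 16));
        });

        services.AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OktaDefaults.MvcAuthenticationScheme;
        })
        .AddCookie()
        .AddOktaMvc(new OktaMvcOptions   // placeholder values, replace with your own
        {
            OktaDomain = "https://{yourOktaDomain}", ClientId = "{clientId}", ClientSecret = "{clientSecret}",
            CallbackPath = "/authorization-code/callback"
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseForwardedHeaders();   // before anything that reads Request.Scheme
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        // Through the ALB this should return "https"; without UseForwardedHeaders it returns "http".
        app.UseEndpoints(e => e.MapGet("/debug/scheme", ctx => ctx.Response.WriteAsync(ctx.Request.Scheme)));
    }
}
```

Hit /debug/scheme through the load balancer before testing login; if it still says "http", the ALB's address is not within the trusted network range or the headers are not reaching the container.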
