Okta redirect over https

I have an ASP.NET Core app running in a container over http with a load balancer/reverse proxy sitting in front of it configured to run over https. Everything is running within a VPC in AWS. The issue I have is that the redirect from Okta after authentication is over http not https: i.e.,

https://.okta.com/oauth2/default/v1/authorize?client_id=XXXXX&redirect_uri=http://

even though the original request was from https://

Not sure where the issue is here. Is it an Okta setting I missed, is it the load balancer, or is it within the app, although everything works fine over https with a self-signed certificate when I run the app locally on my dev machine? Any help much appreciated.

Is the redirect URI you’ve set in your app config set as http:// or https://?

Also, regarding having a reverse proxy in front of a .NET app, you may want to check out this blog post.

It works over https when I run it locally on my machine and authenticates against my Okta https endpoint perfectly. It’s an ASP.NET Core app… In the appsettings.json I’m using:

    "Okta": {
        "OktaDomain": "https://XXXX.okta.com/",
        "ClientId": "XXXXX",
        "ClientSecret": "XXXX"
    }

In startup.cs I’m using:

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseSession();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapHealthChecks("/healthcheck");
            endpoints.MapControllers();
            endpoints.MapRazorPages();
        });
    }

I’ve tried implementing the SameSite fix you mentioned in the post, but after logging in to Okta it still redirects to http, not https. I removed the http entry from the Okta Login redirect URIs, just leaving the https entry, and I get the Okta 400 Bad Request error. What is going on? Why does it redirect over http when the site is running over https? The site running in the Docker container is running over http. Any help much appreciated.

Can you take a look at the answer in this SO post, about ensuring that your app is considering forwarded headers, as well as Microsoft’s article on using .NET Core with a lb/proxy, to see if these suggestions help?
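
The forwarded-headers suggestion in the last reply, sketched as an added example that is not part of the original thread or any poster's code: the app sits behind a TLS-terminating load balancer, so it has to read `X-Forwarded-Proto` before it builds the `redirect_uri`. The `10.0.0.0/16` network is a constructed placeholder for the VPC or subnet range the load balancer runs in, and the app's existing service registrations are assumed unchanged.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Take the client IP and the original scheme from the proxy's headers.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Only loopback proxies are trusted by default, so headers sent by a
            // load balancer on another host are ignored until its range is added.
            // 10.0.0.0/16 is a constructed placeholder: use your own VPC/subnet CIDR.
            options.KnownNetworks.Add(
                new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                    IPAddress.Parse("10.0.0.0"), 16));
        });

        // The app's existing registrations (Okta authentication, session,
        // controllers, Razor Pages, health checks) stay as they are.
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that reads Request.Scheme, so that the
        // HTTPS redirect and the authentication middleware both see "https".
        app.UseForwardedHeaders();

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseSession();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapHealthChecks("/healthcheck");
            endpoints.MapControllers();
            endpoints.MapRazorPages();
        });
    }
}
```

Clearing `KnownNetworks` and `KnownProxies` instead of adding the proxy range also makes the headers take effect, but then the app accepts `X-Forwarded-*` values from any sender that can reach the container, so that shortcut is only reasonable when the load balancer is the sole network path to it.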