Redirect URI Defaulting to HTTP Instead of HTTPS in ASP.NET Core with Okta OIDC Integration

Hello Okta Community,

I’m currently integrating Okta OpenID Connect (OIDC) authentication in an ASP.NET Core application. I’ve configured the Okta app settings and provided the necessary redirect URIs, but I’m running into an issue where the redirect_uri in the authentication request defaults to HTTP instead of HTTPS.

Application Configuration in Okta:

  • Sign-In Redirect URI: https://web-app.wittyhill-09cfa093.eastus.azurecontainerapps.io/authorization-code/callback
  • Sign-Out Redirect URI: https://web-app.wittyhill-09cfa093.eastus.azurecontainerapps.io/signout-callback
  • Allow Wildcard: Disabled
  • Login Initiated By: App Only

Code Configuration (ASP.NET Core):

csharp

Copy code

oidcOptions.CallbackPath = new PathString("/authorization-code/callback");
oidcOptions.SignedOutCallbackPath = new PathString("/signout-callback");
oidcOptions.ClientId = clientId;
oidcOptions.ClientSecret = clientSecret;
oidcOptions.Authority = issuer;
oidcOptions.ResponseType = "code";
oidcOptions.SaveTokens = true;
oidcOptions.Scope.Add("openid");
oidcOptions.Scope.Add("profile");
oidcOptions.Scope.Add("email");
oidcOptions.Scope.Add("roles");
oidcOptions.TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = "name",
    RoleClaimType = ClaimTypes.Role,
    ValidateIssuer = true,
};

I’ve also enforced HTTPS in the application with the following:

csharp

Copy code

services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

Issue:

When I initiate the login flow, Okta redirects back to my app, but the redirect_uri in the authentication request URL is showing up as http://web-app.wittyhill-09cfa093.eastus.azurecontainerapps.io/authorization-code/callback instead of https.

Troubleshooting Steps Taken:

  1. Verified that HTTPS is enforced across the application.
  2. Double-checked that the correct Sign-In Redirect URI (with HTTPS) is set in the Okta application settings.
  3. Tried explicitly setting oidcOptions.CallbackPath and also considered SignedOutCallbackPath.
  4. Attempted to force HTTPS in ASP.NET Core configuration, but the redirect URI still defaults to HTTP.

Questions:

  1. Is there an additional setting in Okta or ASP.NET Core to ensure the redirect URI protocol is HTTPS?
  2. Has anyone faced this issue where the redirect URI defaults to HTTP despite HTTPS being enforced?
  3. Are there any other configurations in Okta or ASP.NET Core that I might be missing?

Thanks for any guidance on this issue! I’d appreciate any insights from the community.

This might be due to network proxies in front of your service hosting dotnet app. The redirect URI construction depends on the hosting domain/protocol which might be obscured. You might need to forward the necessary info (most likey X-Forwarded-Proto) to the service hosting your dotnet app.

Here is a writeup on this topic Configure ASP.NET Core to work with proxy servers and load balancers | Microsoft Learn

In the recommended configuration for ASP.NET Core, the app is hosted using ASP.NET Core Module (ANCM) for IIS, Nginx, or Apache. Proxy servers, load balancers, and other network appliances often obscure information about the request before it reaches the app:

  • When HTTPS requests are proxied over HTTP, the original scheme (HTTPS) is lost and must be forwarded in a header.
  • Because an app receives a request from the proxy and not its true source on the Internet or corporate network, the originating client IP address must also be forwarded in a header.

This information may be important in request processing, for example in redirects, authentication, link generation, policy evaluation, and client geolocation.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.