ASP.NET Core 2.0, Kubernetes, https missing in reply address?
I have an ASP.NET Core 2.0 web application deployed to a Kubernetes cluster. The application is using Azure AD for authentication to some protected pages. The Kubernetes cluster is set up with an Nginx ingress controller and Let's Encrypt to support https.
I can access https://x.eastus.cloudapp.azure.com with no problem and by clicking on a link on the site I'm directed to https://x.eastus.cloudapp.azure.com/link, also with no problems.
But, when I click on a link, which requires a logged in user, I get:
Sign in
Sorry, but we’re having trouble signing you in.
AADSTS50011: The reply address 'http://x.eastus.cloudapp.azure.com/signin-oidc' does not match the reply addresses configured for the application: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'. More details: not specified
Note that the URL above is missing https, and that is the problem.
I have registered "https://x.eastus.cloudapp.azure.com/signin-oidc" as a reply URL for the application in Azure AD.
But I don't understand why the reply URL used when logging in is missing https.
If I deploy the exact same application to an Azure Web App, I don't get this problem.
What could be the issue?
This is my Ingress YAML file:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: x-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
        # Add to generate certificates for this ingress
        kubernetes.io/tls-acme: 'true'
    spec:
      rules:
        - host: x.eastus.cloudapp.azure.com
          http:
            paths:
              - path: /
                backend:
                  serviceName: x-service
                  servicePort: 80
      tls:
        # With this configuration kube-lego will generate a secret called `x-tls-secret`
        # for the URL `x.eastus.cloudapp.azure.com`
        - hosts:
            - "x.eastus.cloudapp.azure.com"
          secretName: x-tls-secret

I have the following code in Startup.cs:

    public void ConfigureServices(IServiceCollection services)
    {
        // Apply the X-Forwarded-Proto header sent by the reverse proxy
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
        });

        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new RequireHttpsAttribute());
        });

        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddAzureAd(options => Configuration.Bind("AzureAd", options))
        .AddCookie();

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseForwardedHeaders();
        app.UseStaticFiles();
        app.UseAuthentication();
    }

nginx asp.net-core kubernetes azure-active-directory kubernetes-ingress
You need forwarders. docs.microsoft.com/en-us/aspnet/core/host-and-deploy/…
– Tratcher
Apr 13 '18 at 23:43
@Tratcher Do you have any more details on how to configure forwarders for this scenario? I have added some of the code referred to in the article you linked to and edited my original post to include that code. But, I still get the same error.
– OlavT
Apr 16 '18 at 13:43
docs.microsoft.com/en-us/aspnet/core/host-and-deploy/… talks about setting the x-forwarded-* headers for nginx. Not show how that maps to kubernetes.
– Tratcher
Apr 16 '18 at 15:10
That is pretty much what I did and I'm using Nginx with Kubernetes.
– OlavT
Apr 16 '18 at 16:53
edited Apr 16 '18 at 12:46
OlavT
asked Apr 13 '18 at 15:08
1 Answer
Add a custom Middleware in the Configure method to perform the manual http-https redirection:

    app.Use(async (context, next) =>
    {
        // Continue when the proxy reports that the original request used https
        if (context.Request.Headers["X-Forwarded-Proto"] == Uri.UriSchemeHttps)
        {
            await next();
        }
        else
        {
            // Otherwise redirect to the https form of the same URL
            string queryString = context.Request.QueryString.HasValue ? context.Request.QueryString.Value : string.Empty;
            var https = "https://" + context.Request.Host + context.Request.Path + queryString;
            context.Response.Redirect(https);
        }
    });

answered Nov 13 '18 at 12:16
Natthapol Vanasrivilai
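
An added example, not code from either post: Forwarded Headers Middleware only honours `X-Forwarded-Proto` when the connection comes from a known proxy, and by default only loopback addresses are known, so a header relayed by an ingress controller pod is dropped and the OpenID Connect redirect is built with `http`. The sketch below trusts a specific proxy range rather than reading the raw header from any sender. The pod CIDR `10.244.0.0/16` and the `/debug/forwarded` path are assumptions to replace with your own values.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Same header the question enables.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // Drop the loopback-only defaults, then trust only the range the
            // ingress controller connects from (assumed pod CIDR, placeholder).
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.244.0.0"), 16));

            // The same range in IPv4-mapped IPv6 form, for when the remote address
            // is reported as ::ffff:a.b.c.d (96 + 16 = 112 prefix bits).
            options.KnownNetworks.Add(
                new IPNetwork(IPAddress.Parse("::ffff:10.244.0.0"), 112));

            // Accept a single proxy hop.
            options.ForwardLimit = 1;
        });

        // The question's MvcOptions and AddAuthentication(...).AddAzureAd(...)
        // .AddCookie() registrations go here unchanged.
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Must run before any middleware that reads Request.Scheme.
        app.UseForwardedHeaders();

        if (env.IsDevelopment())
        {
            // Hypothetical diagnostic path: shows the scheme the app sees and the
            // address the proxy connects from, which is the address to trust above.
            app.Map("/debug/forwarded", branch => branch.Run(ctx =>
                ctx.Response.WriteAsync(
                    $"scheme={ctx.Request.Scheme} remote={ctx.Connection.RemoteIpAddress}")));
        }

        app.UseStaticFiles();
        // app.UseAuthentication() from the question goes here.
        app.UseMvc();
    }
}
```

If the diagnostic output still shows `scheme=http`, compare the reported remote address with the configured networks before widening the trusted range.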