1

I am trying to add a subdirectory to my identity server, so I can use it with nginx.

To note, this is an identity server with the UI, see (quickstart ui)

After perusing the github issues for identity server, I managed to find the code to actually add the subdirectory.

Here is my configure:

public void Configure(IApplicationBuilder app)
{
    if (Environment.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.Map("/auth", app =>
    {
        app.UseRouting();

        app.UseStaticFiles();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });


        app.UseIdentityServer();
    });           
}

However, when I navigate to http://xxx:8888/auth/account/login and attempt to login and receive an identity cookie, the URL stays the same and I am presented with a blank screen and no cookies. What should happen is that I should be redirected back to the homepage with a particular user logged in.

This seems to happen only when I add a subdirectory.

To note, the well known endpoints work fine when getting an access token as password or resource owner with the /auth.

Here is my configuration services, is there something missing in here?:

public void ConfigureServices(IServiceCollection services)
{
    string connectionString = Configuration.GetConnectionString("AzureConnection");
    var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder.AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader());
    });

    services.AddControllersWithViews().AddRazorRuntimeCompilation();

    services.AddRazorPages()
        .AddRazorPagesOptions(options => 
            {                        
                options.Conventions.AuthorizeAreaFolder("Identity", "/Account/Manage");
            });

    services.AddDbContext<IdentityDbContext>(options => options.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)));
    services.AddDbContext<ConfigurationDbContext>(options => options.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly)));

    services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        options.SignIn.RequireConfirmedEmail = true;
    })
        .AddEntityFrameworkStores<IdentityDbContext>()
        .AddDefaultTokenProviders();

    services.AddAuthentication()
        .AddOpenIdConnect("azuread", "Azure AD", options => Configuration.Bind("AzureAd", options));

    services.Configure<OpenIdConnectOptions>("azuread", options =>
    {
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.Events = new OpenIdConnectEvents()
        {
            OnRedirectToIdentityProviderForSignOut = context =>
            {
                context.HandleResponse();
                context.Response.Redirect("/Account/Logout");
                return Task.FromResult(0);
            }
        };
    });

    var builder = services.AddIdentityServer(options =>
    {
        options.IssuerUri = "http://xxx:8888"; 
        options.PublicOrigin = "http://xxx:8888";

        options.Events.RaiseErrorEvents = true;
        options.Events.RaiseInformationEvents = true;
        options.Events.RaiseFailureEvents = true;
        options.Events.RaiseSuccessEvents = true;
        options.UserInteraction.LoginUrl = "/Account/Login";
        options.UserInteraction.LogoutUrl = "/Account/Logout";

        options.Authentication = new IdentityServer4.Configuration.AuthenticationOptions()
        {
            CookieLifetime = TimeSpan.FromHours(10), // ID server cookie timeout set to 10 hours
            CookieSlidingExpiration = true
        };
    })
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(migrationsAssembly));
        options.EnableTokenCleanup = true;
    })
    .AddAspNetIdentity<ApplicationUser>();
}

This is actually availiable to test as its on a VM with a public URL upon request.

user1574598
  • 3,771
  • 7
  • 44
  • 67

1 Answers1

1

My first observation is that you should place the various app.UseXXXX statements before the App.Map method. I also rearranged the middlewares in the code below. 

public void Configure(IApplicationBuilder app)
{
    if (Environment.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseStaticFiles();

    app.UseRouting();

    app.UseIdentityServer();
    app.UseAuthorization();

    app.Map("/auth", app =>
    {
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
        });
});

}

Also, UseIdentityServer includes a call to UseAuthentication, so it’s not necessary to have both.

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40
  • Thanks for the answer. I have added the forwarding headers middleware for `nginx` since this post, so would this go outside the `Map` method too? Furthermore, I have somewhat solved the subdirectory issue but removing the `[ValidateAntiForgeryToken]` attributes that the `Login` and `Logout` methods were using in the `AccountController.cs`. Also, I had to add a basepath to all the `css` and `javascript` sources for everything to look and function as it should. – user1574598 Apr 21 '20 at 08:26
  • 1
    You should put most middlewares outside the Map method, because the point is that most requests to the system should pass through them, then they would be active for all requests to the application. The ValidateAntiForgeryToken method is only relevant for your POST/PUT methods, and not for your normal GET methods. The last question is why do you need to use App.App at all? I would remove it and just use the app.UseEndpoints(...). method. – Tore Nestenius Apr 21 '20 at 12:10
  • I could just use the `app.UsePathBase(new PathString("/auth"))` and not bother the `Map`, but the reason I need a subdirectory is because of `nginx`, but I am still concerened about having to comment out `[ValidateAntiForgeryToken]` on the POST Login and Logout methods as it feels hacky just to get `IDS` running with a simple subdirectory. Would you have any idea why these need to be ommited for it to work. – user1574598 Apr 21 '20 at 14:00
  • Still a bit confused about why you need to use UsePatBase and mapping of /auth, what do you use nginx for? as a proxy in front of it? could it be that the proxy terminates HTTPS and that's the reason for the ValidateAntiForgeryToken? Cookies are often marked with the secure attribute and that means they are not meant to be sent over HTTP, only HTTPS – Tore Nestenius Apr 21 '20 at 15:44
  • Yes `nginx` is a proxy with `ssl` configured and sits in front of my microservices, and Identity Server is configured as a location of `/auth` hence why I need it to be added to the basepath. Ah okay so you think its because of `HTTPS` for the attributes then? I have put some middleware that logs all the requests and the `HTTPS` scheme is being sent in the headers, and my discovery docs are all `HTTPS`. Its strange how it does send the cookies ONLY if I do NOT use a subdirectory, meaning `https://xxx/account/login`. It doesn't like `https://xxx/auth/account/login`. – user1574598 Apr 21 '20 at 16:11
  • 1
    Perhaps you need to set the Path attribute when setting the cookies? Do check the cookies when they are set, perhaps they are restricted to only /auth path and not the other paths? – Tore Nestenius Apr 21 '20 at 18:45
  • I have just cleared all my cookies and gone to `/auth/account/login`. The first cookie to be set is indeed a `.AspNetCode.Antiforgery` session cookie with a path of `/auth` and `Secure` set to `false`. As soon as I login as Bob Smith, I then get a `.AspNetCore.Identity.Application` session cookie (think this is the one with all the claims in it) with a path of `/auth` and `Secure` set to `true`. Both of these are `true` for `HttpOnly`. Also, I have an `idsrv.session` which has a path of `/` with `Secure` set to `true`. I can't find anything that relates to cookie paths in `startup` – user1574598 Apr 22 '20 at 09:30
  • 1
    try this one? https://stackoverflow.com/questions/47296934/how-to-set-path-for-asp-net-core-identity-cookie – Tore Nestenius Apr 22 '20 at 12:39
  • Feel free to upvote this overall answer if you like to – Tore Nestenius Apr 22 '20 at 12:39
  • The cookie Path issue should only be a thing if you notice that cookies are not always included in every request from the browser. you can always inspect the requests and responses using Fiddler and also do look in the F12 browser tools and see what cookies are stored for your domain. – Tore Nestenius Apr 22 '20 at 12:56
  • Thanks for the link and the insight into cookies. I'll continue investigating - yes I gave you an upvote early on, would give another if I could :-) Cheers. – user1574598 Apr 23 '20 at 10:39