Reverse proxy with openid connect redirection

Question

In my application I have integrated Identity server 3 with openid-connect. On our production server our website is behind a reverse proxy which is causing problems;

When the user logs in and is redirected back by identity server, our application wants to redirect the user to his original location (the page with the AuthorizeAttribute). The problem here is that the user is redirected to the hidden url instead of the public url used by the reverse proxy.

How can I redirect the user to the public url?

Answer 1

After a long search this is the fix:

The OWIN middleware UseOpenIdConnectAuthentication has a property Notifications in the Options property. This Notifications property has a func SecurityTokenValidated. In this function you can modify the Redirect Uri.

app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
    Authority = "https://idp.io",
    ClientId = "clientid",
    RedirectUri = "https://mywebsite.io",
    ResponseType = "code id_token token",
    Scope = "openid profile",
    SignInAsAuthenticationType = "Cookies",
    UseTokenLifetime = false,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = notification =>
        {
            notification.AuthenticationTicket.Properties.RedirectUri = RewriteToPublicOrigin(notification.AuthenticationTicket.Properties.RedirectUri);
            return Task.CompletedTask;
        }
    }
});

This is the function which rewrites the url to the public origin:

private static string RewriteToPublicOrigin(string originalUrl)
{
    var publicOrigin = ConfigurationManager.AppSettings["app:identityServer.PublicOrigin"];
    if (!string.IsNullOrEmpty(publicOrigin))
    {
        var uriBuilder = new UriBuilder(originalUrl);
        var publicOriginUri = new Uri(publicOrigin);
        uriBuilder.Host = publicOriginUri.Host;
        uriBuilder.Scheme = publicOriginUri.Scheme;
        uriBuilder.Port = publicOriginUri.Port;
        var newUrl = uriBuilder.Uri.AbsoluteUri;

        return newUrl;
    }

    return originalUrl;
}

Now the OpenIdConnect redirects the user to the public url instead of the non-public webserver url.