Facebook is recommending that I use a HTTPS redirect URL, instead of HTTP. I've been trying to find a way to configure it to generate a HTTPS URL, at the moment it's generating a HTTP URL.
https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=255162614498922&redirect_uri=http://example.com/signin-facebook&scope=&state=-x4AVtFysadfadsfsadROH6E1QJ82gv4e4j48s32K5xbmqlF-JFbE5Y2Tx_MAdSquCP6CjZjic8Ye6gwasdfdfask3PXWkyxS42Ajpks9IuumDOl6CUJsadfafsasfdasdfbfpEFUDyxJUR3fARlWc83Lysadffdsdaffsdafasdsdafx_ziTnttz
Currently it is generating: http://example.com/signin-facebook for the redirect_uri, but I'd like a HTTPS URL to redirect the user to.
Is there a way to configure it to generate a HTTPS URL?
This relates to packages Microsoft.Owin.Security and Microsoft.Owin.Security.Facebook.
Currently my OwinStart looks like this:
public class OwinStart
{
public void Configuration(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Welcome")
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Configure Facebook authentication
app.UseFacebookAuthentication(new FacebookAuthenticationOptions
{
AppId = ConfigurationManager.AppSettings["FacebookAppId"],
AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
});
}
}
Also, there doesn't appear to be a way of Forcing HTTP within the FacebookAuthenticationOptions class or from the Challenge() method that instigates the redirect to Facebook:
internal class ChallengeResult : HttpUnauthorizedResult
{
// TODO: Specify an XsrfKey?
private const string XsrfKey = "SomethingHere";
public ChallengeResult(string provider, string redirectUri)
: this(provider, redirectUri, null)
{
}
public ChallengeResult(string provider, string redirectUri, string userId)
{
this.LoginProvider = provider;
this.RedirectUri = redirectUri;
this.UserId = userId;
}
public string LoginProvider { get; set; }
public string RedirectUri { get; set; }
public string UserId { get; set; }
public override void ExecuteResult(ControllerContext context)
{
var properties = new AuthenticationProperties { RedirectUri = this.RedirectUri };
if (this.UserId != null)
{
properties.Dictionary[XsrfKey] = this.UserId;
}
context.HttpContext.GetOwinContext().Authentication.Challenge(properties, this.LoginProvider);
}
}
Thanks to help from Chris Ross at Microsoft, I was able to get an answer to this question by raising the issue on Github.
It appears that the Microsoft.Owin.Security Nuget package generates the request_uri that it instructs Facebook to use based on the current request context.
In my case, I was running all of my servers over HTTP (not HTTPS) and the load balancer was handling all of the HTTPS stuff for me. IE. The load balancer was severing the SSL connection.
The way to ensure that the package generates a HTTPS is to employ middleware in the OwinStart Configuration method that is based on the x-forwarded-proto header that is forwarded from the load balancer, like so:
app.Use((context, next) =>
{
if (context.Request.Headers["x-forwarded-proto"] == "https")
{
context.Request.Scheme = "https";
}
return next();
});
// Use Cookies
// Use Facebook
So my OwinStart looks like this now:
public class OwinStart
{
public void Configuration(IAppBuilder app)
{
app.Use((context, next) =>
{
if (context.Request.Headers["x-forwarded-proto"] == "https")
{
context.Request.Scheme = "https";
}
return next();
});
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Welcome")
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// Configure Facebook authentication
app.UseFacebookAuthentication(new FacebookAuthenticationOptions
{
AppId = ConfigurationManager.AppSettings["FacebookAppId"],
AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
});
}
}
来源:https://stackoverflow.com/questions/48776900/facebook-login-recommending-to-require-https-how-to-configure-http-redirect-ur