2

We're trying to deploy IdentityServer4 behind a reverse proxy. The discovery document returns local urls e.g.

https://xxx.local/connect/token

Where we need

https://xxx.domain.com/connect/token

The IdentityServer docs point us to this github page. However, when we configure the middleware as described we see no changes.

using Microsoft.AspNetCore.HttpOverrides;

var options = new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
};
// Accept the X-Forwarded-* headers no matter which address they came from
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
app.UseForwardedHeaders(options);

A similar setup is found on this github page. The presented solution uses nginx, so perhaps our IIS config is off.

In IIS for the proxy:


<serverVariables>
     <set name="HTTP_X_ORIGINAL_REMOTE_ADDR" value="{REMOTE_ADDR}" />
     <set name="HTTP_X_FORWARDED_PROTO" value="https" />
</serverVariables>

Any help would be appreciated.

ndoes
  • FYI: URLs in discovery document depend on request URL by default. To change this behaviour, check "Issuer validation" section of my answer https://stackoverflow.com/a/44483624/5112433. – Ilya Chumakov Jun 29 '17 at 11:34
  • I tried this. It changes the "issuer" in the response, but the rest of the urls are still local. – ndoes Jun 29 '17 at 14:08
  • We have the same problem. – chrisdrobison Jul 14 '17 at 22:53
  • @chrisdrobison We actually managed to fix this by disabling the 'Reverse rewrite host in response headers' on the proxy. You might wanna try that. – ndoes Jul 18 '17 at 11:49
  • We figured it out eventually, but we had to send TLS all the way through – chrisdrobison Jul 19 '17 at 15:12
  • @chrisdrobison can you please provide some details on how you achieved it? I face a similar problem. Thanks in advance. – Ricky Stam Oct 06 '17 at 20:22
  • 1
    @RickyStam We had the proxy forward all the headers and enabled SSL all the way to the hosting web servers. That seemed to work. However, I ran into this today: http://amilspage.com/set-identityserver4-url-behind-loadbalancer/. This way is much simpler and more configurable. They just released v2 which makes all of this a moot point anyway since you can now config the public origin like you could in idsrv3. – chrisdrobison Oct 07 '17 at 18:26
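An added example, not the asker's code or anything from the linked GitHub pages, showing the forwarded-headers middleware with the proxy named explicitly instead of clearing KnownNetworks and KnownProxies. Clearing both lists makes the app trust X-Forwarded-* from any client that can reach it, so a request that bypasses the proxy could supply its own scheme, host and client IP, and those values would end up in the discovery document and in logs. The proxy address 10.0.0.5 and the public hostname are placeholders.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        var options = new ForwardedHeadersOptions
        {
            // Take scheme, host and client IP from the proxy's headers.
            // X-Forwarded-Host is what lets the discovery document carry the
            // public hostname instead of the internal one.
            ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost,
            // A single proxy sits in front of the app; ignore longer chains.
            ForwardLimit = 1
        };

        // Trust the headers only when the immediate caller is the IIS/ARR proxy.
        // (Placeholder address; use the proxy's real internal IP.)
        options.KnownNetworks.Clear();
        options.KnownProxies.Clear();
        options.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));

        // Reject X-Forwarded-Host values other than the public hostname, so a
        // forwarded header cannot point generated URLs at another host.
        options.AllowedHosts.Add("xxx.domain.com");

        // Must run before anything that reads Request.Scheme/Request.Host,
        // i.e. before UseIdentityServer().
        app.UseForwardedHeaders(options);

        app.UseIdentityServer();
    }
}
```

For the XForwardedHost flag to have any effect the proxy has to send that header; the IIS serverVariables block in the question only sets HTTP_X_FORWARDED_PROTO, so a matching HTTP_X_FORWARDED_HOST entry (taking the incoming Host header) would be needed as well.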

2 Answers

5

Inside of IDS start up where you initiate IDS try the following code

var builder = services.AddIdentityServer(options =>
{
    ...

    options.PublicOrigin = "https://domainName.com"; // <= try adding this!

    ...
});

This will force your discovery endpoint to be your public IP. Let me know if that works. I

Larry
  • Your lonely answer helped set the correct RedirectUri for our private IdP server successfully when we used an external auth provider, thanks! – andy May 07 '19 at 15:27
4

Update for 2020 (IdentityServer4 v4.x): PublicOrigin property was removed.

See: https://github.com/IdentityServer/IdentityServer4/issues/4535

riskeez
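An added example for the v4.x situation this answer describes; it is not code from the answer or from the IdentityServer4 project. With PublicOrigin gone, the origin IdentityServer uses when it builds issuer, discovery and endpoint URLs can be pinned per request with the SetIdentityServerOrigin extension method on HttpContext, assumed here to live in the IdentityServer4.Extensions namespace. The public origin value is a placeholder.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class Startup
{
    // Placeholder: the origin clients reach the proxy on.
    private const string PublicOrigin = "https://xxx.domain.com";

    public void Configure(IApplicationBuilder app)
    {
        // If the forwarded-headers middleware is also used, it goes first.

        app.Use(async (HttpContext context, Func<Task> next) =>
        {
            // Fix the origin IdentityServer advertises, independent of the
            // Host header the proxy hands us; overriding it here keeps the
            // discovery document stable even if forwarded headers are missing.
            context.SetIdentityServerOrigin(PublicOrigin);
            await next();
        });

        app.UseIdentityServer();
    }
}
```

Because the value is fixed in configuration rather than read from a request header, a client that reaches the app directly cannot change what the discovery document advertises.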