OpenIdConnect authentication doesn't use PathBase
drauch opened this issue
Hi!
We migrated from ASP.NET Core 1.1.x to 2.1.x and ran into problems with our OpenIdConnect middleware.
Before, we hosted our application at https://server/WebApp/, which is no longer possible in ASP.NET Core 2.1.x. We must host it at https://server/ now and use UsePathBase("/WebApp"). Unfortunately, OpenIdConnect now changed the return URL parameter from https://server/WebApp/signin-oidc to https://server/signin-oidc, which doesn't work.
How to tell OpenIdConnect to use the correct return URL?
What order did you put them in Startup.Configure?
UsePathBase() is the very first entry in the pipeline
Can you share Startup.Configure?
What component requires authentication? MVC? Then the order should be:
UsePathBase
UseAuthentication
UseMvc
I cannot share my Startup as it is proprietary code and moreover it is distributed amongst multiple files. But I can definitely confirm that the order is UsePathBase/UseAuthentication/UseMvc.
I just re-verified this is working in our tests and samples. There's not much else we can do for you without an app that can reproduce your issue.
After further investigation we found the problem: the page is - although accessible via the PathBase - ALSO accessible via the URL without the PathBase. We used the non-PathBase-URL in our web tests, which worked fine for tests which do not have to authenticate, but it fails for anything else.
It is kinda weird that the application responds to non-PathBase-using URLs as well. I've found aspnet/HttpAbstractions#893 which gives some explanation ... still, this is no real replacement for the UseUrls() hosting which allowed access only via the given URL ... is there a way to get the old behavior back?
UseUrls behaved the same with prior versions of Kestrel; it did not reject requests based on path.
Consider using the Map example in the linked issue as an exclusive alternative.
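The Map alternative suggested above, as an added sketch that is not part of the original thread or the linked issue: authentication and MVC are registered only inside the /WebApp branch, so the application no longer answers at the root and the OpenID Connect redirect URI is always built with the path base. The authority and client id are placeholder assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                // Placeholder values (assumptions): use your identity provider's settings.
                options.Authority = "https://idp.example/";
                options.ClientId = "webapp-client-id";
                // CallbackPath keeps its default "/signin-oidc". The handler prepends
                // the request's PathBase when it builds the redirect URI.
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Map enters the branch only when the request path starts with /WebApp,
        // and moves that segment from Request.Path to Request.PathBase.
        app.Map("/WebApp", branch =>
        {
            // Same relative order as in the thread: authentication before MVC.
            branch.UseAuthentication();
            branch.UseMvc();
        });

        // No middleware is registered outside the branch, so requests such as
        // https://server/signin-oidc or https://server/Home reach the end of the
        // pipeline and get a 404 instead of being served without the path base.
    }
}
```

With this layout a test that requests the root URL fails immediately with a 404, rather than passing for anonymous pages and breaking only when a challenge produces a redirect URI without /WebApp.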