How to make Asp.NET Core MVC app use external urls on Authorize redirection?

Question

I'm looking for a solution for the problem stated in question title. To be more precise - I'm running test app (asp.net core/mvc) and tunneling it to be accessible world-wide using https://ngrok.com. The command I'm using for this is:

ngrok.exe http -host-header=rewrite localhost:62274

"ngrok.exe http" is used to initialize ngrok, "-host-header=rewrite localhost:62274" changes header to allow app to be executed (since IIS checks header and block any other).

The problem I ran into is that after failed authorization (guests trying to access restricted page) [Authorize] points to internal links (ex. "http://localhost:62274/Account/Login"). This is not intended.
All of the links provided by app's Views are working properly (they use address prefix provided by ngrok). I had to fix returnUrl parameters for Login/Register but they are working flawlessly now.

I searched for answer for that problem for 2 days now. As stated before it's a test app I'm making to learn programming in .net core. The restriction is that I don't want to write my own Authorization - it's prone to my inexperience, it would require constant security updates and there's no point in reinventing the wheel, right?

Problem occurs on:

[Authorize("Admin")]
public async Task<IActionResult> DeleteDItem(int? id)

Instead of redirecting to: http://<8_random_characters>.ngrok.io/Account/Login it points to: http://localhost:62274/Account/Login

More details (this is a first question I write here EVER so I want it to be somewhat proper):
- it's a ASP.NET Core Web Application using MVS2015's default "Individual User Authentication",
- related project.json info:

"dependencies": {  
  "BundlerMinifier.Core": "2.1.258",  
  "Microsoft.ApplicationInsights.AspNetCore": "1.0.0",  
  "Microsoft.AspNet.Authentication.Google": "1.0.0-rc1-final",  
  "Microsoft.AspNetCore.Authentication.Cookies": "1.0.0",  
  "Microsoft.AspNetCore.Authentication.Facebook": "1.0.0",  
  "Microsoft.AspNetCore.Authentication.Google": "1.0.0",  
  "Microsoft.AspNetCore.Authorization": "1.0.0",  
  "Microsoft.AspNetCore.Diagnostics": "1.0.0",  
  "Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore": "1.0.0",  
  "Microsoft.AspNetCore.Identity.EntityFrameworkCore": "1.0.0",  
  ...
  "Npgsql.EntityFrameworkCore.PostgreSQL": "1.0.0"

- related parts of Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
  services.AddAuthorization(options =>
  {
    options.AddPolicy("Admin", policy => 
                               policy.RequireAuthenticatedUser());                
  });
  services.AddIdentity<ApplicationUser, IdentityRole>()
          .AddEntityFrameworkStores<ApplicationDbContext>()
          .AddDefaultTokenProviders();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env,
                      ILoggerFactory loggerFactory)
{
  app.UseIdentity();
}

Answer 1

Update 1. ( For Original Issue Read below).

Solution 1: Make it work with IIS Now I make it work with IIS. ( not with IIS Express).

1. I publish site on specific port on local iis.

2. I used following command.

ngrok.exe http 8042 ( what ever port you choose)

make sure that you used above command not used by you. In your command you have used special -host-header=rewrite option. Now this option will rewrite host value when request get move from iis to Kerstel server. That host value is used to build login url and that create problem.

ngrok.exe http -host-header=rewrite localhost:62274

Solution 2: Make it work with IIS Express.

You still have to use same command that I have used instead of yours.

ngrok.exe http yourportnumber

Now To make it work with IIS Express you have to go to your solution root folder. You will find .vs folder over there. ( It is hidden). so you have to enable to view hidden folder as well.

Now go to .vs -> Config -> applicationhost.config

Open this file and search for sites section it will something look like this. ( I have removed many code as just you have to update binding information)

<sites>          
            <site name="WebApplication2" id="4">                
                <bindings>
                    <binding protocol="http" bindingInformation="*:12619:localhost" />
                </bindings>
            </site>           
        </sites>

Replace it with ( See I replace localhost with *)

<sites>          
            <site name="WebApplication2" id="4">                
                <bindings>
                    <binding protocol="http" bindingInformation="*:12619:*" />
                </bindings>
            </site>           
        </sites>

Note: 1. If VS already in debug mode that stop that and start again. It should work now. As It works for me.

2. Previously in comment I put that It works well with MVC5 but it is only when you use default authentication. If you use Owin pipe line and you use -host-header switch in ngrok.exe switch then you will get same error.

---

Actually I want to put this in comment but it is bit longer so I am put over here. It is reason why it is happen like this.

1. Real reason for this is it is not able to build url correctly. https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/AuthenticationHandler.cs

In above cs file BuildRedirectUri is build login uri for it.

2. Second reason when in above when you use ngrok and you obeserve Request.Host is always localhost:<> this create problem. ( This is main culprit)

3. I tested other way using host file and it is working fine. Request.Host display correct host name.

As per my opinion and older version of MVC5 it should persist host name of ngrok provided instead of localhost. I think real issue is when request get move from IIS to Kestrel.