
Configure ASP.NET Core Module to host on https instead of http for IdentityServer 4


The problem I have is when I try to host an implementation of IdentityServer4 on an IIS server that uses SSL. (Full SSL Strict)

When running my application on Kestrel alone with SSL activated it works fine and the IssuerUri and Discovery Endpoints for IdentityServer use SSL binding. However, when I host it behind ASP.NET Core Module it hosts it on http://localhost:{random port}, which in turn generates IssuerUri and Endpoints for IdentityServer that are not https.

I have tried the following without success:

  1. Made sure that I have a valid certificate on the IIS website for the https binding and removed binding on port 80

  2. Tried changing the environment variable ASPNETCORE_URLS in web.config to point to an https address.

  3. Tried rewrite and redirect rules in web.config.

  4. Looked for settings on IISOptions (used by .UseIISIntegration()) in my startup class to bind to a specific url or change protocol.

  5. Tried to find a similar setting like RequireSSL (IdentityServer 3) or RequireHttpsMetadata in IdentityServer4.

  6. Changed the IssuerUri in IdentityServer Options in startup class hoping that it might also update the other endpoints.

I have probably missed something very obvious but right now I do not have a clue on what that might be.

Any help from the community would be greatly appreciated :-)

Program.cs code

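    using System;
    using System.IO;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;

    public class Program
    {
        public static void Main(string[] args)
        {
            Console.Title = "IdentityServer";

            // Optional Kestrel settings from JSON, overridden by command-line arguments.
            var config = new ConfigurationBuilder()
                .SetBasePath(Directory.GetCurrentDirectory())
                .AddJsonFile("kestrelHosting.json", optional: true)
                .AddCommandLine(args)
                .Build();

            var host = new WebHostBuilder()
                .UseConfiguration(config)
                .UseKestrel(options =>
                {
                    // options.ThreadCount = 4;
                    options.NoDelay = true;
                    // Certificate Kestrel serves when it handles HTTPS itself.
                    options.UseHttps("VismaCert.pfx", "Visma123");
                    //options.UseConnectionLogging();
                })
                .UseContentRoot(Directory.GetCurrentDirectory())
                // Integrates with the ASP.NET Core Module when hosted behind IIS.
                .UseIISIntegration()
                .UseStartup<Startup>()
                .Build();

            host.Run();
        }
    }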

Solution

  • AspNetCoreModule is an SSL terminator; it will not communicate with Kestrel over HTTPS. What it does do is forward the original scheme via a header so you can use it when generating URLs/links. There is a ForwardedHeaders middleware included by default with UseIISIntegration that will take these headers and apply them to the request fields. However, there are situations where the headers cannot be processed by the default settings. There are a bunch of references here: https://github.com/aspnet/Docs/issues/2384
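
An added example, not part of the original answer or of the IdentityServer project: one way to configure the ForwardedHeaders middleware explicitly and fail closed when the forwarded scheme was not applied. The helper name `UseForwardedHttps` is hypothetical, and the example assumes an ASP.NET Core version whose `ForwardedHeadersOptions` exposes `KnownProxies`, with the ASP.NET Core Module as the only proxy in front of Kestrel.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;

// Hypothetical helper (added example). Call it in Startup.Configure
// before app.UseIdentityServer().
public static class ForwardedHttpsExtensions
{
    public static IApplicationBuilder UseForwardedHttps(this IApplicationBuilder app)
    {
        var forwarded = new ForwardedHeadersOptions
        {
            // Apply the original scheme and client address sent by the proxy.
            ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                               ForwardedHeaders.XForwardedProto,
            // Only honour the hop added by the nearest proxy.
            ForwardLimit = 1
        };

        // Trust forwarded headers only from the proxy itself. The ASP.NET Core
        // Module runs on the same machine, so loopback is the only trusted source
        // (assumption: no other proxy sits between IIS and Kestrel).
        forwarded.KnownProxies.Add(IPAddress.Loopback);
        forwarded.KnownProxies.Add(IPAddress.IPv6Loopback);

        app.UseForwardedHeaders(forwarded);

        // Fail closed: if the scheme is still http at this point, the forwarded
        // header was not applied and IdentityServer would build http URLs for
        // its issuer and discovery endpoints from this request.
        app.Use(async (context, next) =>
        {
            if (!context.Request.IsHttps)
            {
                context.Response.StatusCode = StatusCodes.Status400BadRequest;
                await context.Response.WriteAsync("HTTPS is required.");
                return;
            }

            await next();
        });

        return app;
    }
}
```

Adding addresses to `KnownProxies` or `KnownNetworks` widens who can set the request scheme and client IP, so list only proxies you operate.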