Tags: asp.net-core, openid-connect, arr, openiddict

HTTPS requirement in OpenIddict using ARR


I'm using ARR without https offloading on our non-local hosting environments. That means requests that hit ARR are https but requests sent to the backend servers are just http.

If I disable the https requirement in OpenIddict then the configuration returns http URLs. If I enable it then requests are refused because the backend servers receive them as http. Is there any way around this?


Solution

  • What you describe is actually a very common issue that impacts any ASP.NET Core application that does - or does not - use OpenIddict and appears when doing TLS termination at the reverse proxy level: in this case, ASP.NET Core has indeed no way to know what the actual scheme was, so it assumes HttpRequest.Scheme is http, not https.

    To fix that, you'll have to restore the real scheme, so that all the middleware that depend on it - including OpenIddict - work as intended.

    This can be done using the "forwarded headers" middleware by referencing the Microsoft.AspNetCore.HttpOverrides package and calling app.UseForwardedHeaders().

    Depending on your proxy, you might need to tweak the settings to match the headers it uses.

    Note: this middleware is automatically registered when using the IIS integration package. You can amend the default options using this syntax:

    // Only honor X-Forwarded-Proto; X-Forwarded-For and X-Forwarded-Host are left alone.
    services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
    });
    

    If this approach doesn't work, you can still override the scheme using an inline middleware:

    // Unconditionally mark every request as https before the rest of the pipeline runs.
    app.Use((context, next) =>
    {
        context.Request.Scheme = "https";

        return next();
    });
    

    Make sure you register it before any other middleware.
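Putting the answer together, here is an added example (not code from the original answer or from the OpenIddict project) of an ASP.NET Core 6+ minimal-hosting `Program.cs` that restores the original scheme behind ARR before OpenIddict or any other scheme-dependent middleware runs. The proxy address `10.0.0.5` and the `/scheme` diagnostic endpoint are assumptions for illustration; your existing OpenIddict registration goes in unchanged, with its transport security requirement left enabled.

```csharp
// Added example: restore the client's real scheme behind an ARR reverse proxy
// that terminates TLS and forwards plain http to the backend.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // ARR forwards the client address in X-Forwarded-For; the scheme is carried
    // in X-Forwarded-Proto. Both are restored here.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // By default the middleware only trusts forwarded headers coming from
    // loopback. Trust the ARR server explicitly instead of clearing the lists:
    // if any client can reach the backend directly, an empty KnownProxies /
    // KnownNetworks would let it spoof "X-Forwarded-Proto: https" and a fake
    // source IP. 10.0.0.5 is a placeholder for the ARR server (assumption).
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.5"));
    // Or trust the whole proxy subnet:
    // options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 24));
});

// Register OpenIddict as you already do. With the scheme restored, the HTTPS
// requirement can stay enabled: OpenIddict sees Request.Scheme == "https", accepts
// the requests, and the discovery document advertises https:// endpoints.
// builder.Services.AddOpenIddict()...

var app = builder.Build();

// Must be the first middleware that touches the request: everything after it
// (HSTS, HTTPS redirection, authentication, OpenIddict) reads Request.Scheme,
// Request.Host and Connection.RemoteIpAddress as rewritten here.
app.UseForwardedHeaders();

app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint (assumption, not part of OpenIddict): with ARR sending
// "X-Forwarded-Proto: https" this reports scheme "https" even though the
// connection between ARR and this server is plain http.
app.MapGet("/scheme", (HttpContext ctx) => new
{
    scheme = ctx.Request.Scheme,
    host = ctx.Request.Host.Value,
    remoteIp = ctx.Connection.RemoteIpAddress?.ToString(),
});

app.Run();
```

If the `/scheme` endpoint still reports `http` through the proxy, check two things: that ARR is actually sending the header (a URL Rewrite rule on the ARR server may need to set the `HTTP_X_FORWARDED_PROTO` server variable to `https`, since only `X-Forwarded-For` is forwarded by default), and that the connection's `RemoteIpAddress` matches an entry in `KnownProxies` or `KnownNetworks`, otherwise the middleware silently ignores the headers. Prefer this over hard-coding `Request.Scheme = "https"` in an inline middleware, which also rewrites requests that genuinely arrived over http.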