I have a basic .NET Core 3.1 MVC web app that uses hybrid flow in conjunction with Identity Server 4 (based on their quickstarts). The latter sits behind nginx and the web app sits behind nginx and zuul. When I click the login button in the web app I get redirected to Identity Server's login page. After I log in, the oidc redirect fails and in my web app logs I have a correlation id cookie error stating it's been lost.
What I did then was put the web app directly behind nginx like Identity Server, and everything works as expected with the oidc login and logout redirects.
This is my zuul configuration in application.properties:
zuul.sensitive-headers=Cookie,Set-Cookie
zuul.ignored-services= '*'
zuul.add-host-header=true
server.port=9002
spring.application.name=zuul
eureka.instance.preferIpAddress=true
eureka.client.serviceUrl.defaultZone=${EUREKA_URI:http://localhost:9001/eureka}
zuul.strip-prefix=false
eureka.client.fetch-registry=true
eureka.client.register-with-eureka=true
Is there something else I might need in this configuration to solve my problem?
My nginx is configured to forward all the necessary headers for the web app, but it is likely that something is getting lost downstream when proxying from zuul.
location / {
    proxy_pass http://zuul:9002/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
}
This is all done using Docker containers.
This was quite a simple fix in the end, as I initially misinterpreted the zuul documentation. What I am indeed doing above is blacklisting cookies:
zuul.sensitive-headers=Cookie,Set-Cookie
It appears that zuul blacklists Cookie,Set-Cookie,Authorisation out of the box. As soon as I set the property to an empty string or a random string name, everything works as expected.
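The failure and the fix described above, modelled as an added example (not code from the post and not Zuul's implementation): a gateway that drops every header named in a sensitive-headers list, assumed here to filter both requests and responses. The cookie name, hosts, URLs and the `X-Placeholder` header are constructed sample values.

```python
# Model of a gateway that filters "sensitive" headers, as the answer describes.
# Assumption: the list is applied to responses and to requests alike.
DEFAULT_SENSITIVE = ["Cookie", "Set-Cookie", "Authorization"]

def parse_sensitive(value):
    """Split a comma-separated property value into header names."""
    return value.split(",")

def forward(headers, sensitive):
    """Return the headers that survive the gateway (names are case-insensitive)."""
    blocked = {h.strip().lower() for h in sensitive if h.strip()}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}

class WebApp:
    """Stand-in for the OIDC client: issues a correlation cookie, expects it back."""
    COOKIE = ".AspNetCore.Correlation.OpenIdConnect.constructed-id"  # constructed

    def challenge(self):
        # Response that starts the login: redirect plus correlation cookie.
        return {"Location": "https://idp.example/connect/authorize?state=constructed",
                "Set-Cookie": f"{self.COOKIE}=N; Path=/signin-oidc; HttpOnly; Secure"}

    def callback(self, request_headers):
        # The sign-in callback only succeeds if the correlation cookie returns.
        cookies = request_headers.get("Cookie", "")
        return "signed-in" if f"{self.COOKIE}=" in cookies else "correlation-failed"

def login_through_gateway(sensitive):
    """Run challenge and callback with the gateway between browser and app."""
    app = WebApp()
    to_browser = forward(app.challenge(), sensitive)       # response direction
    jar = to_browser.get("Set-Cookie", "").split(";")[0]   # browser keeps name=value
    request = {"Host": "app.example"}
    if jar:
        request["Cookie"] = jar
    return app.callback(forward(request, sensitive))       # request direction

if __name__ == "__main__":
    for value in ("Cookie,Set-Cookie", "", "X-Placeholder"):
        print(repr(value), "->", login_through_gateway(parse_sensitive(value)))
```

With the list emptied, the model also forwards `Authorization` to the downstream service along with the cookies.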