Tags: docker, identityserver4, caddy

IdentityServer from Duende behind Caddy has http in the OpenID config


I am running an IdentityServer from Duende behind a Caddy reverse proxy, and both are running in a Docker container. I also run a Blazor Server app in another container where I want to authenticate. Locally this works fine, but when I run them behind the proxy, the .well-known/openid-configuration delivers http:// endpoints, and therefore the Blazor app can not authenticate, because it does not allow authentication over http. The http is between Caddy and the identity server. As this is running on one machine and is not crossing the evil net, I thought that might be OK.

I think what I need to do is generate a certificate for the IdentityServer and proxy via https instead of http. But I also do not want to generate certs by hand all the time or keep an eye on that. A UseHttpsRedirect() in the startup made my service unavailable for Caddy, and simply running it on 443 without a certificate also broke the call between Caddy and the identity server. I also found a tip where I could set the IssuerUri to https in the options, but this does not affect the other endpoints, and therefore I still can not authenticate, because in the OpenID config there are still http endpoints (except the issuer).

Does anybody have an idea how I could do that and not create the certs by hand?

Caddyfile:

identity.fading-flame.com {
    # TLS is terminated here; the upstream container is reached over plain http
    reverse_proxy http://identity-server-prod
}

Startup for IS (ConfigureServices):

services.AddIdentityServer(options =>
{
    // Only the issuer value is affected; the other endpoints in the discovery document still come out as http
    options.IssuerUri = $"https://{Environment.GetEnvironmentVariable("IDENTITY_BASE_URI")}";
    options.EmitStaticAudienceClaim = true;
});

Or maybe something like this for Caddy? Identityserver4 openid-configuration omits host port running nginx reverse proxy


Solution

  • OK, I found a similar thread on GitHub that was about nginx, but the answer still works with Caddy.

    https://github.com/IdentityServer/IdentityServer4/issues/324#issuecomment-324133883

    Basically, before the identity server middleware, I have this one:

        // Runs before IdentityServer so that every URL it builds (discovery
        // document, redirects) uses https, even though Caddy talks to us over http
        app.Use((context, next) =>
        {
            context.Request.Scheme = "https";
            return next();
        });

        app.UseIdentityServer();
    

    Then the OpenID config returns https endpoints and everything is fine. What was still missing for me was the same thing for the Blazor Server app, because I use the auth framework there as well, and the redirect URL is http because of the same reason with Caddy. So in the Blazor app this fixed the callback from IdentityServer; I am pretty sure it has to be before authentication, but I did not test it out:

        // Same fix on the client side: the authentication handler builds the
        // redirect_uri from Request.Scheme, which must be https to match the
        // registered redirect URL
        app.Use((context, next) =>
        {
            context.Request.Scheme = "https";
            return next();
        });

        app.UseAuthentication();
    

    Hope this helps someone some day ;)
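The accepted answer hard-codes the scheme for every request, which works but trusts nothing and teaches the app nothing about the real client address or host. The following is an added example, not code from the question, the answer, or the Duende project: it reaches the same result with ASP.NET Core's built-in forwarded-headers middleware, taking the scheme from the X-Forwarded-Proto header that Caddy's reverse_proxy adds by default, and honouring it only when the request arrived from a trusted proxy address. It assumes a Startup-class app as in the question and that Caddy reaches the IdentityServer container over the Docker network 172.18.0.0/16; that subnet is an assumption and should be replaced with the one reported by `docker network inspect`.

```csharp
// Added example (not the original poster's code). Same effect as forcing
// Request.Scheme = "https", but derived from X-Forwarded-Proto and only
// trusted when the request came from the proxy network.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Caddy's reverse_proxy sets X-Forwarded-For, X-Forwarded-Proto
            // and X-Forwarded-Host by default; accept all three.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // By default only loopback proxies are trusted, and the Caddy
            // container is not loopback. Trust the Docker network instead of
            // clearing the lists and trusting everyone: with empty lists, any
            // client that can reach port 80 directly could spoof
            // X-Forwarded-For and show up in logs with a chosen address.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                System.Net.IPAddress.Parse("172.18.0.0"), 16)); // assumed subnet
        });

        services.AddIdentityServer(options =>
        {
            options.IssuerUri = $"https://{Environment.GetEnvironmentVariable("IDENTITY_BASE_URI")}";
            options.EmitStaticAudienceClaim = true;
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before anything that reads Request.Scheme or Request.Host
        // (IdentityServer, authentication, HTTPS redirection), so it is the
        // first middleware in the pipeline.
        app.UseForwardedHeaders();

        // Discovery document and redirects now use https and the public host.
        app.UseIdentityServer();
    }
}
```

The Blazor Server app gets the same ForwardedHeadersOptions and the same `app.UseForwardedHeaders()` call placed before `app.UseAuthentication()`, which makes the redirect_uri https without the hand-rolled middleware. Trusting the whole bridge subnet is acceptable only if nothing but Caddy and the two apps share that network; if other containers do, list the proxy's address in KnownProxies instead, or give Caddy and the apps their own Docker network.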