DuendeSoftware / Support

Support for Duende Software products

Running IdentityServer on a sub-path `/api` #1317

Closed kelko closed 4 days ago

kelko commented 1 week ago

Which version of Duende IdentityServer are you using?

7.0.5

Which version of .NET are you using?

.NET 8

Describe the question

1) Can the IdentityServer be run on a sub-directory (e.g. /api) reliably?
2) If so: can the UI for the authentication be on the level above the IdentityServer? (e.g. /)

To 1: It seemed to me like it should be possible. The well-known OIDC configuration did take the base path into account, and when I tried to log in/log out it seemed to work most of the time. But several times now I had the issue that although my credentials are accepted I am not logged in and am returned straight back to the login page. Especially when trying to log in via a BFF-backed client redirecting to the IdentityServer. And when I checked I had several cookies at once, some for path /, others for the /api subpath. When I clear all those cookies and log in directly on the IdentityServer (not via BFF), all cookies are for the /api subpath.

To 2: As described above, all cookies once a login was successful are for the /api subpath. So I am not sure if this would work correctly with strict cookie settings, as the UI is placed on the / root directory. But I am not 100% sure, so I wanted to reach out.


RolandGuijt commented 6 days ago

We do not generally recommend hosting the IdentityServer beneath a path. The security model for cookie isolation works better if IdentityServer is hosted on a separate host.

The security model for cookies relies on the host being the security boundary. A cookie with a path will only be sent with requests related to that path, but it is still possible for any page/endpoint on the same host to set and overwrite cookies on that path. The same is not true for different hosts. Only the specific host can set a cookie that applies to that host.

Is there a particular reason why you would need this?

kelko commented 4 days ago

Is there a particular reason why you would need this?

The project structure / convention currently is to have the BE / API in a sub-folder /api while the (Angular) UI is in the top-level directory. And the project does not want to use Razor pages for the IdentityServer UI, but its own Angular SPA (following your sample).

But having the explicit statement from your side about "not generally recommended" is a good reason why we should diverge from the convention in this case and keep the .NET project on root and the Angular SPA in a sub-directory.

RolandGuijt commented 4 days ago

Yes, I think that is the best decision. Closing the issue for now, but if you have anything to add, feel free.

AndersAbel commented 6 hours ago

@kelko I would just like to add that it might be possible to host both on the root path.

When we get requests for hosting IdentityServer in a sub-folder it is mostly from people wanting to have a shared host name that hosts many different kinds of applications. In that case we advise against it, as it doesn't provide as good security isolation.

But if the issue really is about an Angular-based UI for IdentityServer itself, you could host them both under the root path. The IdentityServer library does not expose anything on the root path, so it will not collide with the Angular app if that is hosted on the root path. If you use the static file middleware you can even have the IdentityServer host serve up the root HTML page for the Angular app. As long as the root HTML page is served from the same host, it would then be possible to host the Angular assets in a sub-path or even on a separate host.
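The root-path layout described in the last comment, as an added example (not code from this thread or from Duende's SPA sample): a minimal .NET 8 `Program.cs` that keeps IdentityServer at the host root, serves the Angular shell from `wwwroot/index.html`, and routes the interaction pages (`/login`, `/logout`, `/error`, all assumed route names) to the SPA so every cookie is scoped to one host rather than to an `/api` sub-path. The client definition is a constructed placeholder.

```csharp
using Duende.IdentityServer.Models;

var builder = WebApplication.CreateBuilder(args);

// IdentityServer stays at the host root. Its own endpoints live under
// /connect/* and /.well-known/*, so nothing is registered on "/" itself.
builder.Services
    .AddIdentityServer(options =>
    {
        // Interaction pages are client-side routes of the Angular SPA on the
        // same host, so the session cookie's host boundary covers them.
        // These route names are assumptions made for this example.
        options.UserInteraction.LoginUrl = "/login";
        options.UserInteraction.LogoutUrl = "/logout";
        options.UserInteraction.ErrorUrl = "/error";
    })
    .AddInMemoryIdentityResources(new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
    })
    .AddInMemoryClients(new[]
    {
        // Constructed sample BFF client; all values are placeholders.
        new Client
        {
            ClientId = "example-bff",
            ClientSecrets = { new Secret("example-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://bff.example.test/signin-oidc" },
            AllowedScopes = { "openid", "profile" },
        },
    })
    .AddDeveloperSigningCredential(); // development only; use a real key in production

var app = builder.Build();

// Serve wwwroot/index.html for "/" and the compiled Angular assets beneath it.
app.UseDefaultFiles();
app.UseStaticFiles();

app.UseRouting();
app.UseIdentityServer(); // registers the IdentityServer endpoints and its cookie scheme
app.UseAuthorization();

// Unmatched paths (e.g. /login, /logout) fall back to the SPA shell so the
// Angular router renders the page. /connect/* and /.well-known/* are handled
// by UseIdentityServer above and never reach this fallback.
app.MapFallbackToFile("index.html");

app.Run();
```

With this layout a login issues cookies for path `/` only, which is the cookie state the original reporter saw when logging in directly without the `/api` prefix.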