TerribleDev / OwinOAuthProviders

OAuth providers for Owin
MIT License

Google+ Provider does not honor IdentityServerOptions.PublicOrigin #57

Open santiagovm opened 9 years ago

santiagovm commented 9 years ago

When Identity Server is deployed behind a load balancer with SSL termination at the load balancer, one can use the IdentityServerOptions.PublicOrigin to control the URLs that are generated by Identity Server and make sure they look like the load balancer's endpoint.

Say the load balancer endpoint is https://my-public-id-srv and the nodes listen on http://node1:8080 and http://node2:8080. Notice that load balancer requires SSL while the nodes do not.

For this setup one sets a couple of properties in the IdentityServerOptions object:

IdentityServerOptions.PublicOrigin = "https://my-public-id-srv";
IdentityServerOptions.RequireSsl = false;

There is an issue with the Google+ AuthProvider. In this setup, Identity Server is generating a request to Google with redirecturi = http://my-public-id-srv. Notice that it does not use SSL as specified in the PublicOrigin property.

It seems this behavior comes from line 66 in GooglePlusAuthenticationHandler (https://github.com/owin-middleware/OwinOAuthProviders/blob/master/Owin.Security.Providers/GooglePlus/GooglePlusAuthenticationHandler.cs) where the schema to use is assumed to be the one in the request. However, the request to Identity Server was http because SSL terminated at the load balancer. Instead, this handler should generate a redirecturi that uses PublicOrigin property.

Did some research in the Identity Server Core and found how the Public Origin is used in the WS-Federation metadata, which I imagine is something similar to what is needed here:

Context.Environment.GetIdentityServerBaseUrl()

Where Context is the IOwinContext. The line above returns "https://my-public-id-srv/sts/"

There are other extension methods like:

Context.Environment.GetIdentityServerHost() that returns "https://my-public-id-srv"

Context.Environment.GetIdentityServerBasePath() that returns "/sts/"

Regards, -Santiago
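An added illustration of the two ways to build the redirect URI discussed in this report (not code from OwinOAuthProviders or IdentityServer): one derived from the request a node received, one derived from the configured PublicOrigin. The callback path and the Join helper are assumptions.

```csharp
using System;
using System.Text;
// Added illustration, not code from OwinOAuthProviders or IdentityServer.
// Contrasts a redirect_uri derived from the request a node received with one
// derived from the configured PublicOrigin when TLS ends at the load balancer.
public static class RedirectUriBuilder
{
    // Pattern the issue describes: scheme/host come from the request itself,
    // so a node reached over plain HTTP behind the proxy emits "http://...".
    public static string FromRequest(string scheme, string host, string basePath, string callbackPath)
    {
        return Join(scheme + Uri.SchemeDelimiter + host, basePath, callbackPath);
    }

    // Behaviour the issue asks for: take the origin from PublicOrigin (the
    // load balancer's external URL) and ignore the request's scheme and host.
    public static string FromPublicOrigin(string publicOrigin, string basePath, string callbackPath)
    {
        if (string.IsNullOrWhiteSpace(publicOrigin))
            throw new ArgumentException("PublicOrigin must be set behind a TLS-terminating proxy");
        return Join(publicOrigin, basePath, callbackPath);
    }

    // Joins URL segments without producing "//" between them, so a base path
    // of "/sts/" (as GetIdentityServerBasePath returns) combines cleanly.
    private static string Join(params string[] parts)
    {
        var sb = new StringBuilder();
        foreach (var part in parts)
        {
            if (string.IsNullOrEmpty(part)) continue;
            if (sb.Length > 0 && sb[sb.Length - 1] == '/' && part.StartsWith("/"))
                sb.Length--;
            sb.Append(part);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed values matching the issue's setup; the callback path is assumed.
        const string callbackPath = "/signin-googleplus";
        string fromRequest = FromRequest("http", "my-public-id-srv", "/sts/", callbackPath);
        string fromOrigin = FromPublicOrigin("https://my-public-id-srv", "/sts/", callbackPath);
        Console.WriteLine("request-derived: " + fromRequest);
        Console.WriteLine("origin-derived:  " + fromOrigin);
        // A scheme mismatch means the redirect_uri no longer equals the one registered with Google.
        Console.WriteLine(fromRequest == fromOrigin ? "consistent" : "MISMATCH: scheme lost at the proxy");
    }
}
```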

jerriep commented 9 years ago

Do you mind fixing and submitting a pull request please?

Alternatively, look into using the Google OAuth provider which comes as part of ASP.NET Identity...

santiagovm commented 9 years ago

Managed to make some changes on a local version and it is working now as expected. Will submit a pull request in a few days when I get some time.

-S