dotnet / aspire

Tools, templates, and packages to accelerate building observable, production-ready apps
https://learn.microsoft.com/dotnet/aspire
MIT License
3.84k stars, 462 forks

[WebToolsE2E][Aspire] When running the Aspire Starter application using https and clicking the endpoint localhost:xxxx, the launch URL of the apiservice is localhost:xxxx instead of https://localhost:xxxx. #3521

Open v-elenafeng opened 7 months ago

v-elenafeng commented 7 months ago

INSTALL STEPS

  1. Clean machine: Win11 x64 23h2 ENU

  2. Install VS 17.10 Preview 3 FB

    • Web Workload
    • Includes Aspire 8.0.0-preview.5.24201.12
    • Includes SDK 8.0.300-preview.24203.14 and runtime 8.0.2
    • Apply the "dotnet-tools" feed for Aspire 8.0 P5

REPRO STEPS

  1. New Project > .NET Aspire Starter Application > .NET 8.0

  2. Build the solution and run with https

  3. On the Dashboard, open the apiservice endpoint "http://localhost:xxxx/weatherforecast"


ACTUAL

The launch URL is localhost:xxxx, not https://localhost:xxxx

Note:

EXPECTED

The launch URL is always https://localhost:xxxx when run with https

balachir commented 7 months ago

@v-elenafeng I believe this is the issue you're calling out - if you try to navigate to http://localhost:xxxx/weatherforecast, it doesn't automatically re-direct you to the corresponding https address https://localhost:xxxx/weatherforecast. I believe this is the same behavior in other ASP.NET Core API or web apps without aspire too. Can you confirm?

Note: I believe if you navigate to the root of the apiservice http://localhost:xxxx, then it will re-direct successfully to https://localhost:xxxx.

v-elenafeng commented 7 months ago

@balachir Works for ASP.NET Core Web API - can re-direct to https address https://localhost:xxxx/weatherforecast when clicking on http://localhost:xxxx/weatherforecast.

The cause of this issue for the Aspire Starter App is the lack of app.UseHttpsRedirection(); in Program.cs of apiservice. After adding that code, this issue no longer reproduces.

balachir commented 7 months ago

@DamianEdwards @davidfowl does this need to be fixed in the template for Preview 6?

davidfowl commented 7 months ago

I think so yeah

DamianEdwards commented 7 months ago

During security review it was remarked by @blowdart that the API project shouldn't have HTTPS redirect enabled, but indeed the usual API templates do have it. I'm OK with adding it to the API project in the Aspire Starter template unless there's a forcing security related reason to exclude it.

blowdart commented 7 months ago

The reason why I don't want redirection in API projects is that API projects should only listen on HTTPS - if an authenticated HTTP request is made, it's too late to redirect at that point, the token may have been captured. (That old attack on Twitter via open wifi networks was like this).

Yes, it's unlikely but sending auth over http is forbidden by our standards.

The right fix, in my eyes, would be to remove it from the normal templates 😈
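Added example (not code from the Aspire template, this issue, or any of its participants): a Program.cs for an apiservice that contrasts the fix the reporter applied (adding UseHttpsRedirection) with the HTTPS-only approach argued for in the comment above, where there is no HTTP listener for a token to be sent to in the first place. It assumes a .NET 8 Web SDK project with implicit usings enabled and the ASP.NET Core development certificate installed; the port 7443, the health-probe carve-out, and the WeatherForecast record are placeholders chosen for the example, not values from the Aspire template.

```csharp
// Program.cs for a hypothetical apiservice (added example, not the Aspire template's own file).
// Assumes .NET 8 Web SDK with <ImplicitUsings>enable</ImplicitUsings>.

var builder = WebApplication.CreateBuilder(args);

// Option B, the stance taken in the security review: listen on HTTPS only.
// With no HTTP endpoint, a client cannot send a bearer token in the clear to this
// process, so there is nothing left to redirect. Port 7443 is a placeholder.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenLocalhost(7443, listen => listen.UseHttps()); // dev certificate from `dotnet dev-certs https`
});

var app = builder.Build();

// Option A, what the reporter added and what the ASP.NET Core Web API template does:
// accept HTTP and answer with a 307 to the HTTPS address. If the HTTP request already
// carried an Authorization header, that credential crossed the network in the clear
// before the redirect was even sent. Left commented out because Option B is in effect.
// app.UseHttpsRedirection();

// If an HTTP listener has to stay (for example, a health probe on a separate port), fail
// closed for authenticated requests instead of redirecting them: the secret is already
// exposed, and a redirect would only invite the client to resend it.
app.Use(async (context, next) =>
{
    if (!context.Request.IsHttps && context.Request.Headers.ContainsKey("Authorization"))
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        await context.Response.WriteAsync("Authenticated requests must use HTTPS.");
        return;
    }
    await next(context);
});

// HSTS tells browsers to keep using HTTPS for this host on later visits. ASP.NET Core
// skips the header for localhost by default, so it matters for deployed hosts, not for
// the local repro in this issue.
app.UseHsts();

var summaries = new[] { "Freezing", "Chilly", "Mild", "Warm", "Hot" };

app.MapGet("/weatherforecast", () =>
    Enumerable.Range(1, 5).Select(index => new WeatherForecast(
        DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
        Random.Shared.Next(-20, 55),
        summaries[Random.Shared.Next(summaries.Length)])));

app.Run();

// Placeholder payload type, mirroring the shape of the starter template's forecast endpoint.
record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary);
```

The same effect can be had without code by leaving only the https:// address in the launch profile's applicationUrl (or in ASPNETCORE_URLS), which is what the comment above means by "only listen on HTTPS"; UseHttpsRedirection then has nothing to do, and the dashboard has no http:// endpoint to offer.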

davidfowl commented 7 months ago

That would break on Linux automatically. That's outside of the scope of Aspire at this point. If we want to make a change like that, we should discuss making it to ASP.NET Core in general and we should deal with the fallout.

DamianEdwards commented 7 months ago

It doesn't seem like any change here is within scope for Aspire GA at this point. Move this to 8.1?

DamianEdwards commented 4 months ago

Moving out of 8.1 as I don't think there's anything actionable in Aspire here still.