fume
commented
2 years ago I just noticed that the ForwardedHeadersMiddleware can be enabled as simply as setting the env variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true (ForwardedHeaderStartupFilter). Doing so, the default values for the ForwardedHeadersOptions are going to be used except for the overridden options in the (ForwardedHeadersOptionsSetup). Basically, only the x-forwarded-proto and x-forwarded-for headers are going to be used, which is not enough for us since we also need x-forwarded-host.
I see two options here:
- We check for the ASPNETCORE_FORWARDEDHEADERS_ENABLED env variable, and if set to true we configure the ForwardedHeadersOptions as we desire
- We add the ForwardedHeaders middleware on our own
We actually generate the AssertionConsumerServiceUrl using the HTTP Request host. This won't work in scenarios where reverse proxies are used, since the request host will be different from the "public" host that users can reach.
We basically need to change the following line https://github.com/microsoft/SPID-and-Digital-Identity-Enabler/blob/63ef10fe45b82566d90d4fc0101f0a254603be5d/WebApps/Proxy/Microsoft.SPID.Proxy/Services/Implementations/SAMLService.cs#L32-L36
We could use the x-forwarded-host header (https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0) or, eventually, just put the right host in config.