Allow http for openiddict

[bergmania]

Description

Added post configuration of OpenIddictServerOptions that removes the ValidateTransportSecurityRequirement iff GlobalSettings.UseHttps is false.

Fixing: https://github.com/umbraco/Umbraco-CMS/issues/16605

Test

Please note that openiddict only allow connections from the host that first attempted to access backoffice. It can make it easier to set launchBrowser to false in launchSettings.json

• Set Umbraco:CMS:Global:UseHttps = false
  • Boot solution and verify you can sign-in using http: http://localhost:11000/umbraco/
  • Reboot solution and verify you can sign-in using https: https://localhost:44339/umbraco/
• Set Umbraco:CMS:Global:UseHttps = true
  • Boot solution and verify you cannot sign-in using http: http://localhost:11000/umbraco/
  • Reboot solution and verify you can sign-in using https: https://localhost:44339/umbraco/

[kevinchalet]

👋🏻

FYI: removing the ValidateTransportSecurityRequirement event handler is not necessary to disable the TLS/HTTPS requirement as there's a dedicated OpenIddictServerAspNetCoreOptions.DisableTransportSecurityRequirement option that allows disabling this security check (when set to true, the built-in ValidateTransportSecurityRequirement handler is not called) 😃

Cheers.

[bergmania]

I simplified the PR here https://github.com/umbraco/Umbraco-CMS/pull/16629. Thanks for the input @kevinchalet 💪

[kevinchalet]

You're welcome @bergmania 😄

On a related note, OpenIddict 5.7.0 just shipped: https://github.com/openiddict/openiddict-core/releases/tag/5.7.0.