OIDC - Setting the proxy to BackchannelHttpHandler does not make all calls pass through the proxy
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
I have the following configuration for Authentication:
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(options =>
        {
            var azureSection = builder.Configuration.GetSection("Azure");
            options.Instance = "https://login.microsoftonline.com/";
            options.Domain = azureSection.GetValue<string>("Domain");
            options.ClientId = azureSection.GetValue<string>("ClientId");
            options.TenantId = azureSection.GetValue<string>("TenantId");
            options.ClientSecret = azureSection.GetValue<string>("ClientSecret");
            options.CallbackPath = "/signin-oidc";
            var backchannelSection = azureSection.GetSection("Backchannel");
            if (bool.TryParse(backchannelSection["UseProxy"], out bool useProxy) && useProxy)
            {
                Log.Logger.Debug("Setting up Backchannel with proxy: {proxy}", new Uri(backchannelSection["Uri"]));
                var proxy = new WebProxy { Address = new Uri(backchannelSection["Uri"]) };
                options.BackchannelHttpHandler = new HttpClientHandler
                {
                    UseDefaultCredentials = false,
                    UseProxy = true,
                    Proxy = proxy
                };
            }
        })
        .EnableTokenAcquisitionToCallDownstreamApi()
        .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches();
Since the app is deployed behind a proxy server, all calls to login.microsoftonline.com and graph.microsoft.com need to pass through the proxy.
If I use this configuration, the app correctly gets the configuration from Microsoft, but when a user gets redirected to <app-url>/signin-oidc the remote call to https://login.microsoftonline.com/common/discovery/instance?api-version=1.1&authorization_endpoint=somethingsomething fails because it’s not using the proxy.
But if I also set HttpClient.DefaultProxy with the same proxy I use for the BackchannelHttpHandler, everything flows through the proxy and the app works correctly:
    ...
    var proxy = new WebProxy { Address = new Uri(backchannelSection["Uri"]) };
    // exploit to fix proxy issues
    HttpClient.DefaultProxy = proxy;
    options.BackchannelHttpHandler = new HttpClientHandler
    {
        UseDefaultCredentials = false,
        UseProxy = true,
        Proxy = proxy
    };
    ...
Expected Behavior
I expect that setting the proxy to the BackchannelHttpHandler would suffice, and I should not be required to also set HttpClient.DefaultProxy.
Steps To Reproduce
You can find the steps in the following repo: https://github.com/samusaran/BackchannelHttpHandlerIssue
Exceptions (if any)
The exceptions may vary by environment; in my case I get:
System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (login.microsoftonline.com:443)
This is because, for this specific call, the app did not use the proxy, so it could not establish a connection.
.NET Version
6.0.9
Anything else?
ASP.NET Core 6.0.9
Issue Analytics
- Created 9 months ago
- Comments:7 (5 by maintainers)
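
The HttpClient.DefaultProxy workaround in the issue is process-wide: it applies to every HttpClient whose handler does not set its own proxy, not only to the identity calls. The sketch below is an added example (not code from the issue, ASP.NET Core, or Microsoft.Identity.Web) that builds one validated WebProxy with a bypass list and reports which destinations would be sent to it. The `OutboundProxy` helper, the proxy address, the `corp.example` domain and the Graph path are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;

// Hypothetical helper; not part of ASP.NET Core or Microsoft.Identity.Web.
public static class OutboundProxy
{
    // One WebProxy instance shared by BackchannelHttpHandler and HttpClient.DefaultProxy.
    public static WebProxy Create(string proxyUri, params string[] bypassRegexes)
    {
        if (!Uri.TryCreate(proxyUri, UriKind.Absolute, out var address) ||
            (address.Scheme != Uri.UriSchemeHttp && address.Scheme != Uri.UriSchemeHttps))
            throw new ArgumentException("Proxy URI must be an absolute http(s) URI.", nameof(proxyUri));

        return new WebProxy
        {
            Address = address,
            UseDefaultCredentials = false,
            BypassProxyOnLocal = true,   // loopback and dot-less host names connect directly
            BypassList = bypassRegexes   // regular expressions matched against the destination
        };
    }

    // True when a request to this destination would be sent to the proxy.
    public static bool UsesProxy(IWebProxy proxy, string destination) =>
        !proxy.IsBypassed(new Uri(destination));
}

public static class Program
{
    public static void Main()
    {
        // Constructed values: the proxy address and internal domain are placeholders.
        WebProxy proxy = OutboundProxy.Create(
            "http://proxy.example.internal:8080", @"\.corp\.example(:\d+)?$");

        // Process-wide: used by every HttpClient whose handler sets no proxy of its own.
        HttpClient.DefaultProxy = proxy;

        string[] destinations =
        {
            "https://login.microsoftonline.com/common/discovery/instance",
            "https://graph.microsoft.com/v1.0/me",
            "https://billing.corp.example/api/health",   // constructed internal service
            "http://localhost:5000/healthz"
        };
        foreach (string destination in destinations)
            Console.WriteLine("{0}  {1}",
                OutboundProxy.UsesProxy(HttpClient.DefaultProxy, destination) ? "proxy " : "direct",
                destination);
    }
}
```

With these inputs the two Microsoft endpoints are reported as `proxy` and the internal and loopback destinations as `direct`, which is the split to confirm before setting DefaultProxy in a shared process.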

Thanks @samusaran. Both @jmprieur and I were oof and still catching up on notifications. We will get back to you shortly.
Thank you for contacting us. Due to a lack of activity on this discussion issue we’re closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn’t been addressed yet, please file a new issue.
This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!