Merge branch 'master' into develop

Fix OIDC issuer handling behind internal HTTP proxies
2026-04-02 13:59:41 +09:00 · 2026-04-02 02:43:50 +09:00
1 changed files with 39 additions and 9 deletions
--- a/src/MemberCenter.Api/Program.cs
+++ b/src/MemberCenter.Api/Program.cs
@ -14,6 +14,9 @@ EnvLoader.LoadDotEnvIfDevelopment();

 var builder = WebApplication.CreateBuilder(args);
 var pathBase = NormalizePathBase(builder.Configuration["PathBase"]);
+var issuer = builder.Configuration["Auth:Issuer"];
+var issuerUri = ParseAbsoluteUriOrThrow(issuer, "Auth:Issuer");
+var allowInsecureHttp = builder.Configuration.GetValue("Auth:AllowInsecureHttp", false);

 builder.Services.AddDbContext<MemberCenterDbContext>(options =>
 {
@ -58,14 +61,8 @@ builder.Services.AddOpenIddict()
            WithPathBase(pathBase, "/auth/login"),
            WithPathBase(pathBase, "/auth/refresh"));
        options.SetLogoutEndpointUris(WithPathBase(pathBase, "/auth/logout"));
-        var issuer = builder.Configuration["Auth:Issuer"];
-        if (!string.IsNullOrWhiteSpace(issuer))
+        if (issuerUri is not null)
        {
-            if (!Uri.TryCreate(issuer, UriKind.Absolute, out var issuerUri))
-            {
-                throw new InvalidOperationException("Auth:Issuer must be an absolute URI.");
-            }
-
            options.SetIssuer(issuerUri);
        }

@ -98,9 +95,9 @@ builder.Services.AddOpenIddict()
            .EnableLogoutEndpointPassthrough()
            .EnableStatusCodePagesIntegration();

-        if (builder.Environment.IsDevelopment())
+        if (builder.Environment.IsDevelopment() || allowInsecureHttp)
        {
-            // TEST/LOCAL ONLY: allow HTTP for local Docker integration testing.
+            // Allows OIDC/OAuth endpoints to operate behind non-HTTPS internal networks/proxies.
            aspNetCore.DisableTransportSecurityRequirement();
        }
    })
@ -140,6 +137,17 @@ if (!string.IsNullOrWhiteSpace(pathBase))
    app.UsePathBase(pathBase);
 }

+app.Use(async (context, next) =>
+{
+    if (issuerUri is not null && IsOpenIddictRequest(context.Request.Path))
+    {
+        context.Request.Scheme = issuerUri.Scheme;
+        context.Request.Host = HostString.FromUriComponent(issuerUri);
+    }
+
+    await next();
+});
+
 app.UseRouting();
 app.UseAuthentication();
 app.UseAuthorization();
@ -166,3 +174,25 @@ static string WithPathBase(string? pathBase, string relativePath)
        ? normalizedRelativePath
        : $"{pathBase}{normalizedRelativePath}";
 }
+
+static Uri? ParseAbsoluteUriOrThrow(string? uri, string configKey)
+{
+    if (string.IsNullOrWhiteSpace(uri))
+    {
+        return null;
+    }
+
+    if (!Uri.TryCreate(uri, UriKind.Absolute, out var parsed))
+    {
+        throw new InvalidOperationException($"{configKey} must be an absolute URI.");
+    }
+
+    return parsed;
+}
+
+static bool IsOpenIddictRequest(PathString path)
+{
+    return path.StartsWithSegments("/.well-known", StringComparison.OrdinalIgnoreCase)
+        || path.StartsWithSegments("/oauth", StringComparison.OrdinalIgnoreCase)
+        || path.StartsWithSegments("/auth", StringComparison.OrdinalIgnoreCase);
+}
Author	SHA1	Message	Date
warrenchen	766ecf702f	Merge branch 'master' into develop	2026-04-02 13:59:41 +09:00
Warren Chen	693c6d262a	Fix OIDC issuer handling behind internal HTTP proxies	2026-04-02 02:43:50 +09:00