warrenchen/member_center
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: warrenchen:75e235b8e390b2b29d160dc6625f897bd535d1f9
Branches Tags
warrenchen:master
warrenchen:develop
...
compare: warrenchen:766ecf702f0d49a820cf264c053a5efbe148e282
Branches Tags
warrenchen:develop
warrenchen:master

2 Commits
75e235b8e3 ... 766ecf702f

Author SHA1 Message Date
warrenchen
766ecf702f Merge branch 'master' into develop 2026-04-02 13:59:41 +09:00
Warren Chen
693c6d262a Fix OIDC issuer handling behind internal HTTP proxies 2026-04-02 02:43:50 +09:00
1 changed files with 39 additions and 9 deletions
Show Stats Expand all files Collapse all files

48
src/MemberCenter.Api/Program.cs
View File

@ -14,6 +14,9 @@ EnvLoader.LoadDotEnvIfDevelopment();
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
var pathBase = NormalizePathBase(builder.Configuration["PathBase"]); var pathBase = NormalizePathBase(builder.Configuration["PathBase"]);
var issuer = builder.Configuration["Auth:Issuer"];
var issuerUri = ParseAbsoluteUriOrThrow(issuer, "Auth:Issuer");
var allowInsecureHttp = builder.Configuration.GetValue("Auth:AllowInsecureHttp", false);
builder.Services.AddDbContext<MemberCenterDbContext>(options => builder.Services.AddDbContext<MemberCenterDbContext>(options =>
{ {
@ -58,14 +61,8 @@ builder.Services.AddOpenIddict()
WithPathBase(pathBase, "/auth/login"), WithPathBase(pathBase, "/auth/login"),
WithPathBase(pathBase, "/auth/refresh")); WithPathBase(pathBase, "/auth/refresh"));
options.SetLogoutEndpointUris(WithPathBase(pathBase, "/auth/logout")); options.SetLogoutEndpointUris(WithPathBase(pathBase, "/auth/logout"));
var issuer = builder.Configuration["Auth:Issuer"]; if (issuerUri is not null)
if (!string.IsNullOrWhiteSpace(issuer))
{ {
if (!Uri.TryCreate(issuer, UriKind.Absolute, out var issuerUri))
{
throw new InvalidOperationException("Auth:Issuer must be an absolute URI.");
}
options.SetIssuer(issuerUri); options.SetIssuer(issuerUri);
} }
@ -98,9 +95,9 @@ builder.Services.AddOpenIddict()
.EnableLogoutEndpointPassthrough() .EnableLogoutEndpointPassthrough()
.EnableStatusCodePagesIntegration(); .EnableStatusCodePagesIntegration();
if (builder.Environment.IsDevelopment()) if (builder.Environment.IsDevelopment() || allowInsecureHttp)
{ {
// TEST/LOCAL ONLY: allow HTTP for local Docker integration testing. // Allows OIDC/OAuth endpoints to operate behind non-HTTPS internal networks/proxies.
aspNetCore.DisableTransportSecurityRequirement(); aspNetCore.DisableTransportSecurityRequirement();
} }
}) })
@ -140,6 +137,17 @@ if (!string.IsNullOrWhiteSpace(pathBase))
app.UsePathBase(pathBase); app.UsePathBase(pathBase);
} }
app.Use(async (context, next) =>
{
if (issuerUri is not null && IsOpenIddictRequest(context.Request.Path))
{
context.Request.Scheme = issuerUri.Scheme;
context.Request.Host = HostString.FromUriComponent(issuerUri);
}
await next();
});
app.UseRouting(); app.UseRouting();
app.UseAuthentication(); app.UseAuthentication();
app.UseAuthorization(); app.UseAuthorization();
@ -166,3 +174,25 @@ static string WithPathBase(string? pathBase, string relativePath)
? normalizedRelativePath ? normalizedRelativePath
: $"{pathBase}{normalizedRelativePath}"; : $"{pathBase}{normalizedRelativePath}";
} }
static Uri? ParseAbsoluteUriOrThrow(string? uri, string configKey)
{
if (string.IsNullOrWhiteSpace(uri))
{
return null;
}
if (!Uri.TryCreate(uri, UriKind.Absolute, out var parsed))
{
throw new InvalidOperationException($"{configKey} must be an absolute URI.");
}
return parsed;
}
static bool IsOpenIddictRequest(PathString path)
{
return path.StartsWithSegments("/.well-known", StringComparison.OrdinalIgnoreCase)
|| path.StartsWithSegments("/oauth", StringComparison.OrdinalIgnoreCase)
|| path.StartsWithSegments("/auth", StringComparison.OrdinalIgnoreCase);
}