identityserver4 behind nginx with https & letsencrypt in AKS (azure kubernetes) preventing mvcclient to set-cookie for some reason

10/12/2018

My week so far: In the last couple of days I worked on deploying our IdentityServer4 .NET Core application to an Azure Kubernetes Cluster (AKS). After a few problems, everything seemed to work fine. We are not using the built-in http-routing functionalities because we don't want to route using subdomains and, for some reason, we can't seem to get Let's Encrypt working when http-routing is enabled. We are using https:// to access the services hosted in AKS using nginx.

Anyway... The problems arose when I deployed one of our MVC client applications to AKS. The homepage of the client works as expected. When the client redirects me to the login page of our idsrv4 service and I log in using my credentials, a redirect loop kicks in. I know this means that the auth cookies aren't properly set.

The problem: I discovered that the authentication roundtrip works in Google Chrome and Firefox, no redirect loops in those browsers. Edge, IE and Safari don't work and cause redirect loops when redirecting to signin-oidc.

Discoveries so far:

  1. I tested the mvcclient application using my local Docker for Windows installation. Using an HTTP connection (not https), the roundtrip works in all browsers.
  2. When I use Fiddler with HTTPS decrypt to diagnose the roundtrip using the services hosted in remote AKS, the roundtrip works in all browsers.
  3. When I disconnect Fiddler and test the services hosted in remote AKS, the roundtrip doesn't work in Edge, IE and Safari.

Does anyone know how I can configure nginx to support all browsers for setting cookies and forward the correct headers? What are the requirements for IdentityServer4 in this situation? Is there any additional configuration in nginx or CookieAuthentication required in my client application or IdentityServer4 (besides setting PublicOrigin in IdentityServerOptions in Startup.cs)?

-- Léon
azure-aks
docker
identityserver4
kubernetes
nginx

1 Answer

10/13/2018

After I did a fresh install of a new AKS cluster and tried once more to get Let's Encrypt working using the standard addon-http-routing, which I got working, I tried and tried and finally thought: why is my redirect to /signin-oidc registering as HTTP/2 in Edge and IE? This turned out to be the main part in a combination of the problems I had last week... Anyway: I did some research and figured out how to update some parts of the configuration of the built-in ingress controller (addon-http-routing), for anyone experiencing a signin-oidc loop when using AKS (Azure Kubernetes Service). You can overwrite the configuration for the standard http routing addon provided in AKS and disable HTTP/2 manually (enabled by default!).

Because I got a bit frustrated by the fact that there was little information on the web for configuring an AKS cluster on Azure in combination with Let's Encrypt and addon-http-routing, and because I couldn't find any information on deploying IdentityServer4 in an AKS cluster in Azure, I cooked up some .yaml files (all files I used to get everything up and running), expanded them with comments and published them for anyone wanting to host IdentityServer4 securely in an Azure Kubernetes Service. This is my first, although small, public contribution ever. If anyone has problems implementing my .yaml files using my rudimentary Readme.txt, please let me know and I will see what I can do.

https://github.com/leonvandebroek/Identityserver4-deployments/tree/master/Azure%20Kubernetes%20Service

-- Léon
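An added illustration of the fix the answer describes (the author's own deployment files are in the linked repository; this is not taken from them): an override of the ingress-nginx settings that the AKS addon-http-routing installs, turning off HTTP/2, next to an Ingress that exposes IdentityServer4 over TLS only. The ConfigMap name, hostname, service name and TLS secret name are assumptions and must be checked against the cluster.

```yaml
# Added example, not the author's deployment files (those are in the linked repo).
# Manifest 1: override the ingress-nginx configuration installed by the AKS
# addon-http-routing so the controller stops negotiating HTTP/2 with browsers.
# Manifest 2: an Ingress that exposes IdentityServer4 over TLS only.
# ConfigMap name, hostname, service name and secret name are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: addon-http-application-routing-nginx-configuration   # assumed; verify with kubectl get configmap -n kube-system
  namespace: kube-system
data:
  # ingress-nginx defaults this key to "true". The answer traced the Edge/IE
  # /signin-oidc loop to the HTTP/2 connection, so force HTTP/1.1 instead.
  use-http2: "false"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: identityserver
  namespace: default
  annotations:
    # Route through the addon-http-routing controller rather than any other ingress class.
    kubernetes.io/ingress.class: addon-http-application-routing
spec:
  tls:
  - hosts:
    - idsrv.example.com          # placeholder host; must equal PublicOrigin in IdentityServerOptions
    secretName: idsrv-tls        # assumed secret holding the Let's Encrypt certificate and key
  rules:
  - host: idsrv.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: identityserver   # assumed ClusterIP service in front of the idsrv4 pods
            port:
              number: 80           # plain HTTP inside the cluster; TLS terminates at nginx
```

After applying, `curl -sI --http2 https://idsrv.example.com/` should answer with an `HTTP/1.1` status line, which confirms the override reached the controller. The host in the Ingress has to match the PublicOrigin the question mentions, otherwise the redirect URIs IdentityServer4 issues will not match the cookies the client sets.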
Source: StackOverflow