6

Facebook is recommending that I use a HTTPS redirect URL, instead of HTTP. I've been trying to find a way to configure it to generate a HTTPS URL, at the moment it's generating a HTTP URL.

https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=255162614498922&redirect_uri=http://example.com/signin-facebook&scope=&state=-x4AVtFysadfadsfsadROH6E1QJ82gv4e4j48s32K5xbmqlF-JFbE5Y2Tx_MAdSquCP6CjZjic8Ye6gwasdfdfask3PXWkyxS42Ajpks9IuumDOl6CUJsadfafsasfdasdfbfpEFUDyxJUR3fARlWc83Lysadffdsdaffsdafasdsdafx_ziTnttz

Currently it is generating: http://example.com/signin-facebook for the redirect_uri, but I'd like a HTTPS URL to redirect the user to.

Is there a way to configure it to generate a HTTPS URL?

This relates to packages Microsoft.Owin.Security and Microsoft.Owin.Security.Facebook.

Currently my OwinStart looks like this:

public class OwinStart
{
    public void Configuration(IAppBuilder app)
    {
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Welcome")
            });

            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Configure Facebook authentication
            app.UseFacebookAuthentication(new FacebookAuthenticationOptions
            {
                AppId = ConfigurationManager.AppSettings["FacebookAppId"],
                AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
            });
    }
}

Also, there doesn't appear to be a way of Forcing HTTP within the FacebookAuthenticationOptions class or from the Challenge() method that instigates the redirect to Facebook:

internal class ChallengeResult : HttpUnauthorizedResult
{
    // TODO: Specify an XsrfKey?
    private const string XsrfKey = "SomethingHere";

    public ChallengeResult(string provider, string redirectUri)
        : this(provider, redirectUri, null)
    {
    }

    public ChallengeResult(string provider, string redirectUri, string userId)
    {
        this.LoginProvider = provider;
        this.RedirectUri = redirectUri;
        this.UserId = userId;
    }

    public string LoginProvider { get; set; }
    public string RedirectUri { get; set; }
    public string UserId { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        var properties = new AuthenticationProperties { RedirectUri = this.RedirectUri };

        if (this.UserId != null)
        {
            properties.Dictionary[XsrfKey] = this.UserId;
        }

        context.HttpContext.GetOwinContext().Authentication.Challenge(properties, this.LoginProvider);
    }
}
Luke
  • 22,826
  • 31
  • 110
  • 193

1 Answers1

13

Thanks to help from Chris Ross at Microsoft, I was able to get an answer to this question by raising the issue on Github.

It appears that the Microsoft.Owin.Security Nuget package generates the request_uri that it instructs Facebook to use based on the current request context.

In my case, I was running all of my servers over HTTP (not HTTPS) and the load balancer was handling all of the HTTPS stuff for me. IE. The load balancer was severing the SSL connection.

The way to ensure that the package generates a HTTPS is to employ middleware in the OwinStart Configuration method that is based on the x-forwarded-proto header that is forwarded from the load balancer, like so:

app.Use((context, next) =>
{
  if (context.Request.Headers["x-forwarded-proto"] == "https")
  {
    context.Request.Scheme = "https";
  }
  return next();
});
// Use Cookies
// Use Facebook

So my OwinStart looks like this now:

public class OwinStart
{
    public void Configuration(IAppBuilder app)
    {
        app.Use((context, next) =>
        {
            if (context.Request.Headers["x-forwarded-proto"] == "https")
            {
              context.Request.Scheme = "https";
            }
            return next();
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Welcome")
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure Facebook authentication
        app.UseFacebookAuthentication(new FacebookAuthenticationOptions
        {
            AppId = ConfigurationManager.AppSettings["FacebookAppId"],
            AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
        });
    }
}
Luke
  • 22,826
  • 31
  • 110
  • 193
  • 3
    More than a year old and this post is golden. Update: it's no longer a _recommendation_ it's **required**. Anyone who has the same setup **must** do the above (not optional), otherwise the login via Facebook fails - error message doesn't help `Permissions error user_denied`. Only inspecting the http req/resp flow will show that the return url is **not** `https` _unless the above is done_. Thank you. – EdSF May 02 '19 at 14:28