ASP.NET OAuth having issues with URL Rewrite

Question

My production setup is as follows:

M1 – ASP.NET Website
M2 - IIS URL Rewrite 2.0 + ARR 3.0

Using IIS URL Rewrite, any request to M2, say http://m2/app/login.aspx will be redirected to M1 as http://m1/app/login.aspx.

On M1, ASP.NET Open Auth has been implemented on the website to use Google external authentication. When user clicks the Google button, the browser will be redirected to the Google login page to allow the user to authenticate.

But when the website is accessed from M2, the redirection url generated by .net oAuth(https://accounts.google.com/[query-string]) to redirect to Google, is being replaced by URL Rewrite as http://m2/[query-string].

So just to be clear; when the request is made to authenticate via an external authentication provider a 302 redirect is returned. Often the form of this may look like:

Response Headers:

...

Location: https://accounts.google.com/o/oauth2/auth?big_long_query_string

...

This redirect is created by a server (M1) that sits behind the proxy server (M2 - IIS URL Rewrite 2.0 + ARR 3.0). So the rewrite server rewrites the Location header to:

Response Headers:

...

Location: http://M1/o/oauth2/auth?big_long_query_string

...

What we need is a rule that does not rewrite the location URL on redirection. It can only target certain redirects as well. Most of the time the behaviour mentioned here is wanted as all redirects are redirected to the main proxy server. Can someone suggest a solution or workaround for certain redirects?

Did you ever work out the solution, now would be a good time to answer if you did, I'm having the exact same issue. — Aran Mulholland, Nov 06 '15 at 06:07
We would need to have the rewrite rules to check what is wrong. — Maxime Rouiller, Nov 11 '15 at 17:15

score 4 · Answer 1 · answered Nov 11 '15 at 22:36

Check out Application Request Routing settings under IIS > [SERVER] > Application Request Routing and on Actions side bar Server Proxy Settings > for Reverse rewrite host in response headers. For the behavior you desire, uncheck the checkbox. That's is a server level setting, use responsibly.

You can also edit %WinDir%\System32\Inetsrv\Config\applicationHost.config. Basically insert/update the following line in the file between <system.webServer> tags.

<proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />

I would assume this setting to be available per site too, but my attempts on web.config files for proxy settings didn't confirm that.

This is the correct answer. My setup was: Jenkins + IIS reverse proxy + GitHub Auth — Bakudan, Mar 01 '22 at 12:57

score 1 · Answer 2 · answered Sep 01 '17 at 09:54

I was able to solve the same issue with an outbound rule in IIS. So You have to create an outbound rule in IIS in URL rewrite module to modify the location header. You have to check for the 302 status header as a condition and provide match URL and action URL for Location header. Below is the steps from referred article.

Modifying Location Header with IIS URL Rewrite

Go to the URL Rewrite feature for your site and click Add Rule(s)…
Select from the Precondition drop-down.
Click Add in the dialog that appears
Enter {RESPONSE_STATUS} in the Condition input field and 3[0-9][0-9] in the pattern field.
Click OK.
Select Server Variable from the Matching scope drop-down.
Enter RESPONSE_Location as the Variable name.
In the Pattern field enter a regex to match the URLs your backend system is producing (e.g. http://local/page)
In the Action Value box enter the correct URL (e.g. http://example.com/page)
Click Apply and your done!

Reference: Handling 301 and 302 redirects with IIS 7 URL Rewrite

score 0 · Answer 3 · answered Aug 09 '17 at 04:02

Check out global.asax. it is a HTTPModule. All requests go through this file and other modules before they reach your page handlers. Use this to perform certain tasks on your request or response, like url routing, global error handling etc. This file is used to implement application and session level events, such as:

Application_Init - fired when an application first initializes

Application_Start - fired when the application first starts

Application_End - the final event fired when the application ends or times out

Session_Start - fired the first time a user’s session is started

Application_BeginRequest - fired with each new request

Application_EndRequest - fired when the application ends

Application_AuthenticateRequest - the event indicates that a request is ready to be authenticated.

Application_Error - fired when an unhandled error occurs within the application

Session_End - fired whenever a single user Session ends or times out.

ASP.NET OAuth having issues with URL Rewrite

3 Answers3