I have a webapp which uses IdentityServer for authentication. It's an ASP.NET Core webapp and I'm running Docker on Windows.

I'm facing a problem with the correct URL to use for the challenge response.

My setup involves 2 containers - one for the webapp (let's call it webapp.host) and one for the identity server (is.host)

I put the URL for the identity server in a config file in my webapp. However, here I have a problem. My web app needs to talk to the identity server directly, for example, to access the .well-known/openid-configuration endpoint. For container-to-container access, Docker sets up a network such that webapp.host can find the identity server at is.host/.well-known/openid-configuration.

However, when Identity Server requires a challenge to be made, the webapp ends up trying to redirect the user to is.host/connect/authorize. From the point of view of my browser, however, this is no good - my local machine does not know where is.host is, it only has access to the identity server through an exposed port mapped to localhost.

I'm not sure how to best solve this problem. Is there one name that I can refer to when attempting to access the Identity Server that works from my local browser and also from my webapp's container? Or is it somehow possible to configure Identity Server to work with 2 names?

I noticed that if I access is.host/.well-known/openid-configuration from the webapp container it reports that the authorization_endpoint is is.host/connect/authorize, but that if I access localhost:9002/.well-known/openid-configuration, where localhost port 9002 is mapped to port 80 of is.host, then it reports the authorization_endpoint as localhost:9002/connect/authorize, leading me to believe it is using the request to determine what the correct URL to use is. Should I be overriding this somehow?

    Possible duplicate of [How can I use IdentityServer4 from inside and outside a docker machine?](https://stackoverflow.com/questions/43911536/how-can-i-use-identityserver4-from-inside-and-outside-a-docker-machine) – adem caglin Aug 09 '18 at 15:52
  • Not a duplicate. In the referenced post the client is totally outside, so there is no interactive login, nor RedirectUri within the client configuration of IS. – d_f Aug 09 '18 at 17:04
  • Probably **docker run --net="host"** could be an option, so the containers will share the network stack with the docker host and, from the containers' point of view, localhost (or 127.0.0.1) will refer to the docker host, without any aliases. – d_f Aug 09 '18 at 17:16
  • @d_f This sounds like it might fix my problem, but I'm not sure how to apply it - I'm currently using docker-compose start to start the containers that I need, can I do a similar --net parameter to that or do I need to do something in my compose file? – Paul Smith Aug 24 '18 at 15:36
  • Looks like there should be the `network_mode: "host"` option used in that case. https://docs.docker.com/compose/compose-file/#network_mode – d_f Aug 24 '18 at 16:37
  • What should be done in production? – Dheeraj Kumar Jul 20 '20 at 10:20
  • I am also facing this issue, I am using docker-compose 3 – Dheeraj Kumar Jul 20 '20 at 10:44
  • I resolved the issue with the suggestion from the comments to use network_mode as host. Just remember to also change the environment variable of the aspnet core to expose the port of your choice. – chungonion Jul 13 '21 at 02:15
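The check the asker did by hand in the last paragraph of the question (fetch the discovery document from each side and compare the hosts it reports) can be scripted. The following is an added example, not code from the question, its comments or IdentityServer: the two discovery documents are constructed to mirror what was observed (is.host URLs when the webapp container asks, localhost:9002 URLs when the browser asks through the mapped port), and `diagnose` judges front-channel endpoints against what the browser can reach and back-channel endpoints against what the webapp can reach. The final call shows the same check passing once both parties use a single name, which is what the `network_mode: "host"` suggestion in the comments arranges.

```python
"""Diagnose an OpenID Connect discovery document whose endpoint hosts depend on
the Host header the server received.

Added example, not code from the question or from IdentityServer. The two
documents below are constructed samples that reproduce the asker's observation.
"""
import json
from urllib.parse import urlsplit

# Endpoints the browser is redirected to (front channel) versus endpoints the
# webapp calls itself over the container network (back channel).
BROWSER_FACING = ("authorization_endpoint", "end_session_endpoint")
SERVER_FACING = ("token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample: discovery document as seen from the webapp container.
DOC_FROM_CONTAINER = json.dumps({
    "issuer": "http://is.host",
    "authorization_endpoint": "http://is.host/connect/authorize",
    "end_session_endpoint": "http://is.host/connect/endsession",
    "token_endpoint": "http://is.host/connect/token",
    "userinfo_endpoint": "http://is.host/connect/userinfo",
    "jwks_uri": "http://is.host/.well-known/openid-configuration/jwks",
})

# Constructed sample: the same server as seen from the browser via localhost:9002.
DOC_FROM_BROWSER = json.dumps({
    "issuer": "http://localhost:9002",
    "authorization_endpoint": "http://localhost:9002/connect/authorize",
    "end_session_endpoint": "http://localhost:9002/connect/endsession",
    "token_endpoint": "http://localhost:9002/connect/token",
    "userinfo_endpoint": "http://localhost:9002/connect/userinfo",
    "jwks_uri": "http://localhost:9002/.well-known/openid-configuration/jwks",
})


def _netloc(url):
    """host[:port] part of a URL, lower-cased for comparison."""
    return urlsplit(url).netloc.lower()


def unreachable_endpoints(discovery_json, reachable_netlocs, names):
    """Return {endpoint_name: netloc} for the named endpoints that point at a
    host[:port] the given party cannot reach."""
    doc = json.loads(discovery_json)
    reachable = {n.lower() for n in reachable_netlocs}
    return {
        name: _netloc(doc[name])
        for name in names
        if name in doc and _netloc(doc[name]) not in reachable
    }


def diagnose(doc_seen_by_webapp, webapp_reachable, browser_reachable):
    """The webapp fetches the discovery document once over the back channel and
    then redirects the browser to the authorization_endpoint it found there, so
    front-channel endpoints must be judged against what the browser can reach."""
    return {
        "webapp_cannot_reach": unreachable_endpoints(
            doc_seen_by_webapp, webapp_reachable, SERVER_FACING),
        "browser_cannot_reach": unreachable_endpoints(
            doc_seen_by_webapp, browser_reachable, BROWSER_FACING),
    }


def issuer_mismatch(doc_a, doc_b):
    """Return (issuer_a, issuer_b) if the two views of the server disagree on
    the issuer, else None. If the issuer is derived from the request the same
    way the endpoints are, a token minted on the browser side carries an issuer
    the webapp's configured authority will not match."""
    a = json.loads(doc_a)["issuer"]
    b = json.loads(doc_b)["issuer"]
    return None if a == b else (a, b)


if __name__ == "__main__":
    # The setup from the question: one name per network.
    print(diagnose(DOC_FROM_CONTAINER, {"is.host"}, {"localhost:9002"}))
    print(issuer_mismatch(DOC_FROM_CONTAINER, DOC_FROM_BROWSER))
    # With network_mode: "host" both the webapp and the browser use localhost:9002.
    print(diagnose(DOC_FROM_BROWSER, {"localhost:9002"}, {"localhost:9002"}))
```

Against a live setup, replace the constructed documents with the bodies returned by `GET /.well-known/openid-configuration` from inside the webapp container and from the host; any entry under `browser_cannot_reach` is a redirect the user's browser will fail on.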