10

I have recently created an ASP.NET Core 3.0 web application project in Visual Studio 2019 (with Docker enabled, but I don't think that's relevant), and don't seem to be able to disable HTTPS when including ASP.NET Identity for individual user accounts. Whenever I launch the app in the debugger the page opens using HTTPS and navigating to HTTP redirects me back again.

I've tried creating a new project to test out what is going on, and have found the following:

When creating the project I enabled the use of ASP.NET Identity in order to use local accounts in my app, and I noticed that if I go through the wizard again in order to create a project with the same setup (web app with Identity enabled for individual user accounts) the option to untick the box enabling HTTPS appears to be greyed out.

Unable to disable HTTP on project creation with Identity

After creating the project, I've tried disabling the HTTPS redirection middleware in Startup.cs by commenting out the relevant line:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }
            //app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();

            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
        }

And have edited the launchSettings.json to try to get the app to run using HTTP instead of HTTPS when debugging, but the app still tries to load using HTTPS.

launchSettings.json BEFORE:

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:51767",
      "sslPort": 44396
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "HTTPSTest": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:5001;http://localhost:5000"
    },
    "Docker": {
      "commandName": "Docker",
      "launchBrowser": true,
      "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}",
      "environmentVariables": {
        "ASPNETCORE_URLS": "https://+:443;http://+:80",
        "ASPNETCORE_HTTPS_PORT": "44397"
      },
      "httpPort": 51777,
      "useSSL": true,
      "sslPort": 44397
    }
  }
}

launchSettings.json AFTER:

{
  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:51767"
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "HTTPSTest": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "http://localhost:5000"
    },
    "Docker": {
      "commandName": "Docker",
      "launchBrowser": true,
      "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}",
      "environmentVariables": {
      },
      "httpPort": 51777
    }
  }
}

Does anyone have any ideas of what I can try next? I want the app to sit behind an SSL-terminating reverse proxy, so I don't think it's unreasonable to want to disable this.

MattC
  • 671
  • 1
  • 6
  • 15

3 Answers3

12

So I actually managed to fix this. The issue I was seeing with Visual Studio opening up the app using HTTPS was an issue with Visual Studio.

Running through the same setup on another computer worked just fine by commenting out the app.UseHttpsRedirection() line in Startup.cs and removing the SSL references in launchSettings.json as in my original post - running the debugger opened up the page using HTTP and was able to connect to the app.

In order to get everything working again, I tried removing Visual Studio completely, rebooting, reinstalling and trying again, but still had the same issue. In the end I had to also remove all the Visual Studio folders under AppData in my user directory and THEN reinstall Visual Studio, and then it was finally working again when I tried debugging my project!

UPDATE:
This actually came back after the weekend, and I discovered that this time my problem was that HSTS had cached the use of HTTPS in Chrome. Examples of how to remove this for different browsers can be found here: https://appuals.com/how-to-clear-or-disable-hsts-for-chrome-firefox-and-internet-explorer/

In summary, for Chrome:
1. Navigate to chrome://net-internals/#hsts
2. In the Delete domain security policies section, enter localhost as the domain and hit the Delete button

UPDATE 2 - WARNING Although this "fix" allowed me to run my project using HTTP, I did find that Identity would not allow me to log in unless HTTPS was enabled - I think it's something to do with the SignInManager setting an HTTPS-only authentication cookie - see here for further details: AspNet Core Identity - cookie not getting set in production

MattC
  • 671
  • 1
  • 6
  • 15
  • 1
    If I remember correctly Asp.Net Core with Identity is generally forcing the usage of https for best practice reasons. You could however roll your own implementation of a custom SignIn and Usermanager implementation to skip the enforcement from Identity. – Brezelmann Nov 20 '19 at 10:14
  • Thanks. Do you have any examples? Seems like a complex thing to do just to use HTTP – MattC Nov 20 '19 at 20:24
  • check [this](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-custom-storage-providers?view=aspnetcore-3.0). You have to basically eitherbuild a custom store that handles the SignIn of Users or implement your own SignInManager to get Identity to accept HTTP. Check the Identity Source Code which code decides if HTTPS was used or not and override this part. – Brezelmann Nov 22 '19 at 06:42
1

From memory, you can change the port in the project settings.

Right click project, then Properties Click Debug. Under the Profile IIS Express, change the port to 5000, your http port.

mattfullerdev
  • 119
  • 11
  • Sorry, but that isn't the issue - I was running it using the Docker profile, and it was correctly opening up a browser tab on port 51777, but using https. Changing https to http just redirected back to https again, and none of the other ports in the settings file worked. Also, those changes in the Debug tab in the project properties are just the same settings that are in launchSettings.json. – MattC Nov 16 '19 at 16:35
  • I'm seeing the same behavior with Chrome. I developed a Web API and client and my IT department has been trying to deploy it. They were getting 404, but turns out they were not following the controller [Route...]. We are in different states, all remote, so no big deal. I tried browsing directly to it using the correct route in Chrome - 404. BUT Chrome was always trying to go to "https//mystuff" instead of "http://mystuff" (not https). I tried it in Bing, and it worked the first time.... – GTAE86 Apr 30 '21 at 17:40
0

I implemented most of the suggestions above. Then, when using the OpenIdConnectDefaults.AuthenticationScheme on the client and setting the value:

options.RequireHttpsMetadata = false;

as per:

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnectoptions.requirehttpsmetadata

I was able to authenticate and authorize using IdentityServer4 over HTTP using Firefox.

For some reason Chrome insists on setting the request header:

Upgrade-Insecure-Requests: 1

which causes the postback to attempt HTTPS and thus fail.

Joe Mayo
  • 7,501
  • 7
  • 41
  • 60
user11137380
  • 21