IdentityServer4 + MVC client in Docker

Question

I want to deploy IdentityServer4 and MVC client in Docker. As reverse proxy I use NGINX. But my containers don't have access to the external network. (red lines on the picture below)

My MVC client application requests discovery document over the internal network and receives internal URI's. But they are used by client-side code in a browser. FQDN can be an IP address with a port or regular domain name. What needs to be done to fix my problem? I found similar question. There was recommended to use the same DNS name and resolve it inside the docker-compose network to IdentityServer4 container. But what to do in the case of IP address? And same problems with this answer. I even thought about migrating to oidc-client.js. But it will take too much time.

MVC client:

services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "http://fqdn/idsrv";
                options.RequireHttpsMetadata = false;

                options.ClientId = "mvc";
                options.SaveTokens = true;
            });

IdentityServer4:

public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().SetCompatibilityVersion(Microsoft.AspNetCore.Mvc.CompatibilityVersion.Version_2_1);

        var builder = services.AddIdentityServer(o => {

        })
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApis())
            .AddInMemoryClients(Config.GetClients())
            .AddTestUsers(Config.GetUsers());

        builder.AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UsePathBase("/idsrv");
        app.UseDeveloperExceptionPage();

        app.UseStaticFiles();

        app.UseIdentityServer();

        app.UseMvcWithDefaultRoute();
    }

docker-compose:

version: "3.9"
services: 
mvcclient:
    build: 
        context: .
        dockerfile: \MvcClient\Dockerfile 
identityserver:
    build: 
        context: .
        dockerfile: \IdentityServer\Dockerfile
proxy:
    image: nginx
    ports:
        - "80:80"

NGINX:

location ~* ^/idsrv {
        proxy_pass http://identityserver;
    }
location ~* ^/mvcclient {
        proxy_pass http://mvcclient;
    }

Answer 1

Not the best solution but it takes place.

MVC client:

.AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "http://{public_fqdn}/idsrv";
        options.MetadataAddress = "http://{idsrv_container_name}/.well-known/openid-configuration";
        options.TokenValidationParameters.ValidIssuer = "http://{public_fqdn}/idsrv";

        options.Events.OnRedirectToIdentityProvider = context =>
        {
            // Intercept the redirection so the browser navigates to the right URL in your host
            context.ProtocolMessage.IssuerAddress = "http://{public_fqdn}/idsrv/connect/authorize";
            return Task.CompletedTask;
        };

        options.Events.OnRedirectToIdentityProviderForSignOut = context =>
        {
            // Intercept the redirection so the browser navigates to the right URL in your host
            context.ProtocolMessage.IssuerAddress = "http://{public_fqdn}/idsrv/connect/endsession";
            return Task.CompletedTask;
        };

        options.ClientId = "mvc";
    })