Using OAuth 2.0, we have our app set up to use Google as an external login and it all worked fine until something changed on Google's end and it's now complaining that:
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
I think the problem here is that while we have the `redirect_url` set in the Google console to `https://ourwebsite.com/signin-google`, our server is behind a load balancer and the connection between the load balancer and the actual server(s) is `http` (since it's entirely an internal network) with the load balancer providing `https` to the external world. This didn't cause a problem before, but it seems it now doesn't work.
So it seems Google is seeing the `redirect_url` as `http://ourwebsite.com/signin-google` and rejecting it. We tried to force it to send the `redirect_url` with `https` as the scheme like this:
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
ClientId = googleKey,
ClientSecret = googleSecret,
CallbackPath = new PathString(@"https://ourwebsite.com/signin-google")
});
But this will complain because:
The path must start with a '/' followed by one or more characters.
In other words, you can't put a fully qualified path there. So is there any way to alter the `redirect_url` before it gets sent to Google to correct the scheme?
Here's a screenshot of the Google error showing that Google is seeing the `redirect_uri` as being `http`.
Update: I tried adding this to `Startup.Auth.cs`:
app.Use((ctx, next) =>
{
ctx.Request.Scheme = "https";
return next();
});
And, surprisingly, it gets me past the Google authentication error. Unfortunately, I then get redirected to `https:///ourwebsite.com/Account/ExternalLoginCallback?error=access_denied` and I'm not sure exactly why. I suspect it's some kind of mismatch, perhaps in the token that is returned because it's for `https` and the backend is still comparing it to `http`? Is there a way around this?