
I have an Angular 14 application with an OIDC client that connects to Duende IdentityServer v6 using the OIDC client. The client application is running on HTTP and Duende IdentityServer is running on HTTPS in local development. During the sign-in process it redirects to IdentityServer and, after successful authentication, it redirects back to the client application.

Now the browser keeps reloading infinitely. The reason I found is due to HTTP. If I change to HTTPS it works fine.

I have set up CORS as well:

app.UseCors("CorsPolicy");

And in the client config:

// Duende IdentityServer client definition (only the CORS-relevant members are shown)
new Client
{
    ClientId = "Fete_Bird_UI",
    ClientName = "FeteBirdUI",
    AllowedCorsOrigins = CorsUris(configuration),
    // ......
}

In the database, I can see the client's allowed CORS origins (screenshot omitted).

San Jaisy

1 Answer

You must use HTTPS when you use IdentityServer, and this is mainly due to the SameSite cookie handling in today's browsers.

Tore Nestenius
  • In development mode, running the Angular application on HTTPS requires some kind of settings; can't I just disable it in IdentityServer, if dev then allow HTTP? – San Jaisy Jul 31 '22 at 06:43
  • No, because it is not an IdentityServer related thing; instead it is the browsers that will reject cookies with the SameSite=None attribute, and this attribute must be set for OpenID Connect to work as intended. But if you use ASP.NET Core you get HTTPS support built in using localhost – Tore Nestenius Jul 31 '22 at 06:49
  • I have two separate applications: Angular is running on 4200 and IdentityServer is running on 5200 with HTTPS. I know the issue is with HTTP, but configuring the Angular app to HTTPS in the local environment is another work – San Jaisy Jul 31 '22 at 11:44
  • A temporary hack can be to disable SameSite in the browser, however that is not recommended, see https://stackoverflow.com/questions/59030096/how-to-disable-same-site-policy-in-chrome – Tore Nestenius Jul 31 '22 at 15:41
  • What I usually do otherwise is to create a real certificate, like identityserver.mycompany.com and webclient.mycompany.com, and use it locally and edit my hosts file to point those domains to 127.0.0.1 – Tore Nestenius Jul 31 '22 at 15:42
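The answer's point, as an added example (not code from the question, the answer, Duende or any browser): a small JavaScript model of the browser cookie rules involved. A cookie with SameSite=None is only stored if it also carries Secure, a Secure cookie is only stored when set over HTTPS, and a cookie without SameSite=None is not attached to a cross-site POST, which is why a cross-site OpenID Connect round trip ends up depending on HTTPS. The function names, the cookie names and the sample Set-Cookie headers are assumptions constructed for the demo; the rules are the current Chrome/Firefox defaults, and the exemption some browsers grant to http://localhost for Secure cookies is deliberately not modelled.

```javascript
// Added example, not from the question or answer: models the SameSite rules that
// modern browsers apply, so you can see why a SameSite=None cookie set from an
// HTTP page is dropped. Cookie names are illustrative, not real product values.

// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: 'Lax', // browsers now treat a missing SameSite attribute as Lax
  };
  for (const attr of attrs) {
    const [rawKey, rawValue = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'samesite') {
      const v = rawValue.trim().toLowerCase();
      // Unknown values fall back to the Lax default, as browsers do.
      cookie.sameSite = v === 'none' ? 'None' : v === 'strict' ? 'Strict' : 'Lax';
    }
  }
  return cookie;
}

// Would the browser store this cookie when the response arrives over `scheme`?
// (Some browsers exempt http://localhost from the second rule; not modelled.)
function cookieAccepted(cookie, scheme) {
  if (cookie.sameSite === 'None' && !cookie.secure) {
    return { accepted: false, reason: 'SameSite=None requires the Secure attribute' };
  }
  if (cookie.secure && scheme !== 'https') {
    return { accepted: false, reason: 'Secure cookie set from a plain-HTTP origin' };
  }
  return { accepted: true, reason: 'stored' };
}

// Would a stored cookie be attached to a top-level request to its own site?
function cookieSent(cookie, { crossSite, method }) {
  if (!crossSite || cookie.sameSite === 'None') return true;
  if (cookie.sameSite === 'Strict') return false;
  return method === 'GET'; // Lax: only safe top-level navigations carry it
}

// Audit a list of Set-Cookie headers for a page served over `scheme`.
function auditSetCookies(headers, scheme) {
  return headers.map(h => {
    const c = parseSetCookie(h);
    const { accepted, reason } = cookieAccepted(c, scheme);
    return { name: c.name, accepted, reason };
  });
}

// Constructed sample: the kind of cookies an OIDC sign-in sets. The first two
// must be SameSite=None because the IdP and the client are different sites.
const sampleHeaders = [
  'idsrv.session=abc123; path=/; secure; samesite=none',
  'oidc.correlation=xyz; path=/; secure; samesite=none; httponly',
  'ui.prefs=dark; path=/; samesite=lax',
];

// Names of the sample cookies the browser would refuse to store over `scheme`.
function rejectedOver(scheme) {
  return auditSetCookies(sampleHeaders, scheme)
    .filter(r => !r.accepted)
    .map(r => r.name);
}

console.log('rejected over http :', rejectedOver('http'));  // the two SameSite=None cookies
console.log('rejected over https:', rejectedOver('https')); // none
```

Run it with `node` and compare the two audit lines: the same headers that are fine over HTTPS lose both cross-site cookies over HTTP, and without those cookies the sign-in state cannot be correlated when the IdP posts back, which is the kind of failure the answer attributes to SameSite handling.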