
webapi template uses HttpsRedirection and .http files redirect silently #54562

Description

This issue has been moved from a ticket on Developer Community.


The default dotnet new webapi template includes the UseHttpsRedirection middleware which will redirect requests from http to https.

It also includes an https launch profile that includes both an http and an https endpoint on different ports.

It also includes a .http file which assigns:
@ProjectName_HostAddress = http://localhost:5149

Given the above, if someone adds bearer token security to their web api, they will encounter behavior as described here:
https://ardalis.com/http-file-not-sending-auth-header/

Specifically, the Authorization header will not be passed to the application and a 401 will be encountered on every request. Looking at the Request tab in the .http file it will be clear the Authorization header is missing but, crucially, not why.

The reason is described here: https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.allowautoredirect?view=net-8.0 which also notes:

In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection.

There are several ways in which this problem might be addressed:

  1. Don't include HttpsRedirection in the default webapi project template
  2. Don't include both http and https in the launch profile for https in the webapi project template
  3. Make the default host address in the .http file be HTTPS.
  4. Don't automatically follow redirects from .http files
  5. Continue automatically following redirects but pass along Authorization headers
  6. Continue automatically following redirects but include a LARGE NOTE in the results pane stating that a redirect was encountered and, therefore, any Authorization header was dropped.

I hope you'll consider adopting one or more of the above mitigations/fixes.

Thanks!
Steve
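As an added illustration of option 4 and option 6 above (this is example code, not part of the issue or of the ASP.NET Core templates): a small client that turns off `HttpClientHandler.AllowAutoRedirect`, so the redirect issued by `UseHttpsRedirection` comes back to the caller instead of being followed with the `Authorization` header cleared, and reports it loudly. It assumes the default template's `/weatherforecast` endpoint and the `http://localhost:5149` address from the `.http` file; the token value is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Added example, not from the issue or the templates: make the http->https
// redirect visible rather than letting HttpClientHandler follow it silently.
public static class RedirectDiagnosticClient
{
    // Sends a GET with a bearer token and returns the response plus a diagnostic
    // string whenever the server answered with a redirect instead of the resource.
    public static async Task<(HttpResponseMessage Response, string? Diagnostic)> SendWithBearerAsync(
        Uri requestUri, string bearerToken)
    {
        // AllowAutoRedirect = false: the 307 from UseHttpsRedirection is returned to
        // us instead of being followed internally (where Authorization is cleared).
        using var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using var client = new HttpClient(handler);

        using var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);

        HttpResponseMessage response = await client.SendAsync(request);

        int status = (int)response.StatusCode;
        if (status >= 300 && status < 400 && response.Headers.Location is Uri location)
        {
            // Location may be relative; resolve it against the original request URI.
            Uri target = new Uri(requestUri, location);
            string diagnostic =
                $"Request to {requestUri} was redirected ({status}) to {target}. " +
                "HttpClientHandler clears the Authorization header when it auto-follows a redirect, " +
                "so an auto-following client would reach the API without credentials and get 401. " +
                $"Use {target.GetLeftPart(UriPartial.Authority)} as the base address instead.";
            return (response, diagnostic);
        }

        return (response, null);
    }

    public static async Task Main()
    {
        // Constructed values: the http port is the one from the issue's .http file;
        // the token is a placeholder, not a real credential.
        var uri = new Uri("http://localhost:5149/weatherforecast");
        var (response, diagnostic) = await SendWithBearerAsync(uri, "PLACEHOLDER_TOKEN");

        if (diagnostic is not null)
        {
            // The "LARGE NOTE" the issue asks for, printed where it cannot be missed.
            Console.Error.WriteLine("WARNING: " + diagnostic);
        }

        Console.WriteLine($"Status: {(int)response.StatusCode} {response.ReasonPhrase}");
    }
}
```

Run against a template project started with the `https` launch profile, the first request to the http port produces the warning and no 401, because the redirect is never followed; pointing the base address at the HTTPS port (option 3 above, the simplest fix in the `.http` file itself) removes the redirect and the diagnostic is never produced.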


Original Comments

Feedback Bot on 2/1/2024, 04:54 PM:

(private comment, text removed)

Feedback Bot on 2/2/2024, 00:51 AM:

(private comment, text removed)

Steve Smith on 2/2/2024, 06:42 AM:

(private comment, text removed)

Garry McGlennon [MSFT] on 2/27/2024, 07:05 PM:

(private comment, text removed)


Original Solutions

(no solutions)


Labels

  - Author: Migration Bot 🤖 (the issue was created by an issue mover bot; the author may not be the actual author)
  - area-auth (includes: Authn, Authz, OAuth, OIDC, Bearer)
  - enhancement (this issue represents an ask for a new feature or an enhancement to an existing one)
  - feature-templates