Codespace port forwarding causing oauth to not work

I’m using .net core 3.1 and I’m not able to run any of my applications in codespaces because they fail during the oauth authentication step. This appears to be because the server is creating the wrong redirect_uri when creating an oauth request, which is happening because the server SCHEME and HOST context variables are coming back incorrectly.

To show this issue, I’ve created a bare-bones repository at https://github.com/ucdavis/codespaces-netcore3 which is just a new .net core MVC project with the github oauth provider.

The problem then happens if I click to go to a secure page. The oauth provider will then make a request similar to github.com/login/oauth/authorize?client_id=abc&scope=&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fsignin-github. As you can see the redirect_uri is incorrect as it doesn’t contain the 5001 port any more. If you do continue and authorize the github app, you are redirected of course to the redirect uri it will fail with a generic connection refused because there is nothing listening on localhost at all.

I’m not sure how the port forwarding mechanism works but it seems to be redirect_uri should be set to the [guid]-5001.apps.codespaces.githubusercontent.com/ uri or perhaps localhost:5001, but definitely not just localhost.

If I clone my repo and run it locally with dotnet watch run everything works as expected.

For completeness, the oauth provider creating by Microsoft is using this line to determine the redirect_uri: https://github.com/dotnet/aspnetcore/blob/735d4112c786ca33588738c47d99b76bf7455fc8/src/Security/Authentication/Core/src/AuthenticationHandler.cs#L176.

@srkirkland the port forwarding implementation does support X-Forwarded headers so you will need to configure the app accordingly to this recommendation: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-3.1#forwarded-headers-middleware-order In this case the X-Horwarded-Host header will be set to the original host value of the PFS Url.