Has something changed with backoffice logins in 17?
I have setup my test site on my raspberry pi (behind a Pangolin/newt proxy) however I can’t get to the login screen, I get the following error
error:invalid_request
error_description:This server only accepts HTTPS requests.
error_uri:https://documentation.openiddict.com/errors/ID2083
My 16.2 site I can log in fine
HTTPS is enabled by default
The default value of the UseHttps configuration in Global Settings has been changed from false to true.
If you need to run Umbraco without HTTPS, make sure to update appsettings.json accordingly.
Authentication for the backoffice client
Following the draft Request for Comments (RFC) from the Internet Engineering Task Force (IETF), the backoffice client authentication has been changed to tighten security.
This change affects only the backoffice client authentication against the Management API. API user authentication against the Management API remains unaffected, as does the Delivery API.
This change might affect custom backoffice extensions that interact with the Management API. All fetch requests to the Management API must include credentials by declaring credentials: 'include'.
By default, backoffice extensions built using the HQ package starter template are not affected.
For more details on this update, see the following PRs: #20779 and #20820.
Setting UseHttps to false let’s me in to the backoffice, but in pre 17 versions I had it set to true anyway, and had no issues getting in to the backoffice.
That UseHttps change in v17 caught me off guard too! It makes sense from a security standpoint, but it definitely adds a hurdle for local dev or proxy setups like yours. Glad you found the setting in appsettings - It’ll definitely save someone else a few hours of head-scratching!
Should mitigate some of the local dev hurdles?
Run dotnet dev-certs https to generate or check the self-signed localhost developer certificate for HTTPS in ASP.NET Core apps. Use dotnet dev-certs https --trust to trust it on your machine, avoiding browser warnings during local development.learn.microsoft+1
dotnet dev-certs https: Checks for an existing certificate; creates one if absent (in CurrentUser\My store).learn.microsoft+1dotnet dev-certs https --trust: Adds the certificate to trusted roots (may prompt for confirmation).learn.microsoft+1dotnet dev-certs https --clean: Removes all dev certificates if needed before reinstalling.learn.microsoft+1I have a site behind an IISARR Proxy, i can’t figure out what to do
i have play’d around this role, but it seams to have no effect.
IISARR is sending them to the site in the header.
<rule name="Add X-Forwarded-Proto" stopProcessing="true"> <match url=".*" /> <serverVariables> <set name="HTTP_X_FORWARDED_PROTO" value="https" /> <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" /> </serverVariables> <action type="None" /> </rule>
have allso try’d add BackOfficeHost to Security in appsettings.json, no result
“Security”: {
“AllowConcurrentLogins”: false,
“BackOfficeHost”: “https://[domainname]”
}
Anybody seeing the right tree in the forrest 