I am currently in the process of switching my wife’s eshop from Azure App Services to Azure Container Apps. The site itself uses Facebook Authentication, and whilst testing the new version I recently encountered a perplexing issue where the Facebook Authentication was not working.
The Facebook page was repeatedly returning an error message: “Insecure login blocked – You can’t get an access token or log in to this app from an insecure page. Try reloading the page as https://”. This was happening even though my app was hosted using HTTPS.
I spent some time trying to figure out the issue by performing various searches on Google. Initially I couldn’t find a solution to this. However, at some point I found a GitHub issue (https://github.com/microsoft/azure-container-apps/issues/97) that shed light on the root cause of the problem – missing configuration for the forwarding of headers to let the app know that it is in fact hosted on HTTPS.
The solution to this issue is to enable header forwarding for the container app and to configure the Forwarded Headers middleware in ASP.NET Core. This can be achieved by performing the following steps:
- Enable Header Forwarding in Azure Container Apps: The first step involves adding a crucial environment variable, ASPNETCORE_FORWARDEDHEADERS_ENABLED=true, either directly in the Dockerfile or in the Azure Container Apps container configuration. This setting tells ASP.NET Core to honour the forwarded headers it receives, so the app knows that the original request arrived over HTTPS during the authentication process.
- Integrate Forwarded Headers Middleware: To complement the environment variable configuration, it’s essential to add app.UseForwardedHeaders(); in the application builder. This middleware processes the forwarded headers, resolving issues related to incorrect redirect URLs and, in turn, the Facebook authentication error.
Once these steps have been implemented, the login page starts sending the correct HTTPS URL to the Facebook endpoint, which enables successful Facebook authentication.
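The two steps above, shown in a minimal Program.cs. This is an added example, not the eshop's own code. It assumes the Microsoft.AspNetCore.Authentication.Facebook package, constructed configuration keys for the app id and secret, and a hypothetical /debug/scheme endpoint for checking the result. The explicit options block spells out what ASPNETCORE_FORWARDEDHEADERS_ENABLED=true configures.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Facebook;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// What ASPNETCORE_FORWARDEDHEADERS_ENABLED=true sets up, written out explicitly.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // By default only loopback proxies are trusted, and the ingress is not loopback.
    // Clearing both lists trusts these headers from ANY sender, so this is only
    // appropriate when the container is reachable solely through the ingress.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = FacebookDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddFacebook(options =>
    {
        // Configuration key names are assumptions for this example.
        options.AppId = builder.Configuration["Authentication:Facebook:AppId"]!;
        options.AppSecret = builder.Configuration["Authentication:Facebook:AppSecret"]!;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Must run before anything that reads Request.Scheme. The Facebook handler
// builds its redirect_uri from the scheme, so placing this later yields http://.
app.UseForwardedHeaders();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical diagnostic endpoint: should report "https" behind the ingress.
// Remove it once the behaviour has been verified.
app.MapGet("/debug/scheme", (HttpContext ctx) =>
    new { ctx.Request.Scheme, Host = ctx.Request.Host.Value });

app.MapGet("/account", (HttpContext ctx) => $"Hello {ctx.User.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```

If /debug/scheme still reports http after deployment, the middleware is either registered too late in the pipeline or not processing the headers.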