I am building a .NET Core application which uses ForgeRock OpenAM as authorization/authentication provider.
I have successfully set up the client and I am able to log in, but after login OpenAM tries to redirect me through a JavaScript file. The script cannot be loaded because its URL is http and the rest of the URLs are https.
I am using the OpenID Connect protocol.
This is my configuration:
    services.AddAuthentication(options =>
    {
        // Local session is kept in a cookie; challenges go to OpenID Connect.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    // The OpenID Connect handler is registered under the scheme name "oauth".
    .AddOpenIdConnect("oauth", options =>
    {
        options.ClientSecret = "SomeVerySecretKey";
        options.ClientId = "account";
        options.MetadataAddress = "https://some.nice.site/openam/oauth2/.well-known/openid-configuration";
        options.CallbackPath = "/signin-oidc";
        options.Authority = "https://some.nice.site/openam/oauth2";
        options.ResponseType = "code";
        options.GetClaimsFromUserInfoEndpoint = true;
        // Endpoints set explicitly instead of being read from the metadata document.
        options.Configuration = new OpenIdConnectConfiguration()
        {
            AuthorizationEndpoint = "https://some.nice.site/openam/oauth2/authorize",
            TokenEndpoint = "https://some.nice.site/openam/oauth2/access_token",
            UserInfoEndpoint = "https://some.nice.site/openam/oauth2/userinfo",
        };
    });
My hunch is that this might be a setting in OpenAM, but I cannot find it (we are using OpenAM 6.5.3).
The message my browser sends to me is:
authorize:1
Mixed Content: The page at 'https://some.very.nice.site/openam/oauth2/authorize?client_id=account&redirect_uri=some_secret_uri&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0' was loaded over HTTPS, but requested an insecure script 'http://logint.delta.nl/openam/XUI/main-authorize.js'. This request has been blocked; the content must be served over HTTPS.
The issue was in the load balancer.
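
A check for the symptom described in the question, as an added example that is not part of the original question or answer: it flags script, iframe and stylesheet URLs that an HTTPS page would request over plain HTTP, and discovery-document endpoints advertised with an `http://` scheme. The host `sso.example.test`, the sample HTML and the sample discovery document are constructed; in practice you would feed it the authorize page and the `.well-known/openid-configuration` response as fetched through the load balancer.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers an "active" subresource load, which
# browsers block when the embedding page was loaded over HTTPS.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
        attr = ACTIVE.get(tag)
        if attr and attrs.get(attr):
            # Resolve relative and scheme-relative URLs against the page URL.
            self.found.append((tag, urljoin(self.base, attrs[attr])))

def mixed_content(page_url, html):
    """Return (tag, url) pairs an HTTPS page would load over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _Collector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.found if urlsplit(u).scheme == "http"]

def insecure_endpoints(discovery):
    """Return discovery-document keys whose URL value uses http://."""
    return sorted(k for k, v in discovery.items()
                  if isinstance(v, str) and urlsplit(v).scheme == "http")

# Constructed sample data (not taken from a real deployment).
SAMPLE_PAGE_URL = "https://sso.example.test/openam/oauth2/authorize?client_id=account"
SAMPLE_HTML = """<html><head>
<script src="http://sso.example.test/openam/XUI/main-authorize.js"></script>
<script src="/openam/XUI/relative.js"></script>
<link rel="stylesheet" href="//sso.example.test/openam/XUI/style.css">
</head></html>"""
SAMPLE_DISCOVERY = {
    "issuer": "http://sso.example.test/openam/oauth2",
    "authorization_endpoint": "https://sso.example.test/openam/oauth2/authorize",
    "token_endpoint": "http://sso.example.test/openam/oauth2/access_token",
    "scopes_supported": ["openid"],
}

if __name__ == "__main__":
    print(mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML), insecure_endpoints(SAMPLE_DISCOVERY))
```

Any hit means the server is building absolute URLs with the wrong scheme, which points at how the original scheme is passed along by whatever sits in front of it.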