I host Squidex on my own server.
I have a web server and application server. I have an ssl certificate installed on my web server. With the ARR configuration here, I transfer the incoming requests to the application server as http. Actually Squidex is running as http in the background. But when this happens, the user cannot login. The http and https confusion becomes a problem.
Since I can’t install an ssl certificate on the application server, I can’t run both sides as https.
Since the /openid-configuration part on the identity side serves over http, it does not come when called over https, or there is a conflict between the baseUrl and the background url when trying to login.
On 6.4.0 the same configuration worked. From 6.6.0 onward it does not work.
We are using apache that also uses let’s encrypt to generate the SSL certificate.
We have an exception when forcing http to https due to the way letsencrypt works.
The exception is on “.well-known” request path. This request path does not force https.
The main problem is that the window popup (for login) opens and closes automatically and it is almost impossible to check what was being called.
A further investigation showed that the endpoint “https://somedomain.com/identity-server/.well-known/openid-configuration” was being called. Since 200 OK was returned it was not obvious that the response was not the OIDC standard response (the JSON with all open id connect endpoints and details).
The problem was not on Squidex. The redirect exception rule was rewritten ant the problem was solved.