Blazor cookie authentication on OpenShift

I am building a Blazor Server application with cookie authentication. My issue started when I tried to deploy the application on an OpenShift cluster: for some reason, after I send a POST request to the LoginController, I get a 502 for which I am unable to find the root cause.

From what I can figure, the problem comes from this part of the LoginController code:

        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, claimsPrincipal,
            new AuthenticationProperties
            {
                IsPersistent = true,
                ExpiresUtc = DateTime.UtcNow.AddMinutes(15),
                RedirectUri = Request.Host.Value
            });

        _logger.LogDebug("{User} Login succeeded, returning to ~/", userCredentials.UserName);
        return LocalRedirect("~/");

After the SignInAsync call I should be redirected to the root page (/) and the cookie should be available in the browser; instead I am getting a 502 from the OpenShift reverse proxy.

If I try to log in with wrong credentials, I am correctly redirected back to the Blazor page, due to this part of the code:

    catch (LdapException ex)
    {
        _logger.LogWarning(ex, "Error during user {User} login", userCredentials.UserName);
        return LocalRedirect($"/login/{ex.Message}");
    }

Is there something I am missing here?

Note that login works correctly if the app is not deployed on the OpenShift cluster and I am running it on a bare-metal server. Also, when running on OpenShift, Blazor runs without TLS and the OpenShift reverse proxy performs TLS termination.

Some logs:

    [13:10:01  DBG] App.Web.Controllers.LoginController user begins LDAP authentication
    [13:10:02  DBG] App.Web.Controllers.LoginController user Login succeeded, returning to ~/
    [13:10:02  INF] Microsoft.AspNetCore.Hosting.Diagnostics Request finished HTTP/1.1 POST http://App-web.local/account/login  application/x-www-form-urlencoded 48 - 302 0 - 1606.0515ms
    [13:10:02  INF] Microsoft.AspNetCore.Hosting.Diagnostics Request starting HTTP/1.1 POST http://App-web.local/_blazor/disconnect  multipart/form-data;+boundary=----WebKitFormBoundaryYJAnJGTBs1TxweH8 359
    [13:10:02  INF] Microsoft.AspNetCore.Hosting.Diagnostics Request finished HTTP/1.1 GET http://App-web.local/_blazor?id=eUuhkFBn2VEoRiiYw8Dt0w  - - - 101 - - 15035.0050ms
    [13:10:02  INF] Microsoft.AspNetCore.Hosting.Diagnostics Request finished HTTP/1.1 POST http://App-web.local/_blazor/disconnect  multipart/form-data;+boundary=----WebKitFormBoundaryYJAnJGTBs1TxweH8 359 - 200 0 - 12.9394ms

The OpenShift route is configured as:

    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      annotations:
        haproxy.router.openshift.io/set-forwarded-headers: append
      name: app-web
      labels:
        name: app-web
    spec:
      port:
        targetPort: 8080
      tls:
        insecureEdgeTerminationPolicy: Allow
        termination: edge
      to:
        kind: Service
        name: app-web-service
        weight: 100
      wildcardPolicy: None

Service definition is:

    apiVersion: v1
    kind: Service
    metadata:
      name: app-web-service
      labels:
        app: app-web
    spec:
      ports:
      - port: 8080
        targetPort: 8080
        name: "http"
      selector:
        app: app-web
      sessionAffinity: ClientIP
      type: ClusterIP

I've also tried to enable X-Forwarded headers:

    if (string.Equals(
        Environment.GetEnvironmentVariable("ASPNETCORE_FORWARDEDHEADERS_ENABLED"),
        "true", StringComparison.OrdinalIgnoreCase))
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                ForwardedHeaders.XForwardedProto;
            // Only loopback proxies are allowed by default.
            // Clear that restriction because forwarders are enabled by explicit
            // configuration.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
        });
    }
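
With both `KnownNetworks` and `KnownProxies` cleared, the forwarded-headers block above accepts `X-Forwarded-*` values from any sender. As an added example (not the poster's code, and not a diagnosis of the 502), here is the same setup restricted to the router's network, with the auth cookie forced `Secure` because TLS ends at the route. The class name `ProxyAwareAuthSetup` is hypothetical and the CIDR `10.128.0.0/14` is an assumed value to replace with the range the router reaches the pod from.

```csharp
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper; call its methods from Startup.ConfigureServices / Configure.
public static class ProxyAwareAuthSetup
{
    // Assumption: the router connects to the pod from this address range.
    private const string RouterNetworkPrefix = "10.128.0.0";
    private const int RouterNetworkPrefixLength = 14;

    public static void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                ForwardedHeaders.XForwardedProto;
            // Swap the loopback-only default for the router's network instead
            // of leaving both lists empty, which would trust every sender.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(
                IPAddress.Parse(RouterNetworkPrefix), RouterNetworkPrefixLength));
            options.ForwardLimit = 1; // a single proxy hop: the OpenShift router
        });

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // The pod only sees plain HTTP, so do not derive Secure from the request.
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.HttpOnly = true;
                options.Cookie.SameSite = SameSiteMode.Lax;
            });
    }

    public static void Configure(IApplicationBuilder app)
    {
        // Rewrites scheme and remote IP before anything reads them.
        app.UseForwardedHeaders();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```

With `CookieSecurePolicy.Always` the browser returns the cookie only over HTTPS, so sessions opened over the plain-HTTP access that `insecureEdgeTerminationPolicy: Allow` permits will not stay signed in.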


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
