System.InvalidOperationException: Multiple Location headers were detected. This is possibly because you have remote authentication as the default scheme. Consider short circuiting the YARP requests or disabling default scheme.

[htmlsplash]

All,

I have encountered a problem with my setup.

My Setup:

We use Strangler fig pattern to migrate our legacy web forms application to asp.net Core Blazor application.
For this we use:
Yarp - Proxy requests to legacy webforms app
Web Adapters - For porting code, and setup remote client authentication

When an unauthenticated user clicks on a link in the Blazor application that refers to a protected page in Webforms application, Yarp will forward this request to the webforms application but since the user is not authenticated, there will be a redirect to the login page. During this redirect the following exception is thrown because Yarp and System Webadapters set the location header which causes Kestrel to blow up:

fail: Microsoft.AspNetCore.Server.Kestrel[13] Connection id "0HNKKP0JMDQLS", Request id "0HNKKP0JMDQLS:00000005": An unhandled exception was thrown by the application. System.InvalidOperationException: Multiple Location headers were detected. This is possibly because you have remote authentication as the default scheme. Consider short circuiting the YARP requests or disabling default scheme. at Microsoft.AspNetCore.SystemWebAdapters.Authentication.RemoteAppAuthenticationAuthHandler.<>c.<GetRemoteAppAuthenticationResultAsync>b__5_0(Object state) at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<FireOnStarting>g__ProcessEvents|240_0(HttpProtocol protocol, Stack1 events)
warn: Yarp.ReverseProxy.Forwarder.HttpForwarder[48]
ResponseBodyClient: The client reported an error when copying the response body.
System.ObjectDisposedException: The response has been aborted due to an unhandled application exception.
---> System.InvalidOperationException: Multiple Location headers were detected. This is possibly because you have remote authentication as the default scheme. Consider short circuiting the YARP requests or disabling default scheme.
at Microsoft.AspNetCore.SystemWebAdapters.Authentication.RemoteAppAuthenticationAuthHandler.<>c.b__5_0(Object state)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.g__ProcessEvents|240_0(HttpProtocol protocol, Stack1 events) --- End of inner exception stack trace --- at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.FirstWriteAsyncInternal(ReadOnlyMemory1 data, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.WritePipeAsync(ReadOnlyMemory1 data, CancellationToken cancellationToken) at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponsePipeWriter.WriteAsync(ReadOnlyMemory1 source, CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseStream.WriteAsync(ReadOnlyMemory1 source, CancellationToken cancellationToken) at Microsoft.AspNetCore.Watch.BrowserRefresh.ResponseStreamWrapper.WriteAsync(ReadOnlyMemory1 buffer, CancellationToken cancellationToken) in /_3/ResponseStreamWrapper.cs:line 92
at Microsoft.WebTools.BrowserLink.Net.ResponseStreamWrapper.WriteAsync(ReadOnlyMemory1 buffer, CancellationToken cancellationToken) at Yarp.ReverseProxy.Forwarder.StreamCopier.CopyAsync(Stream input, Stream output, Int64 promisedContentLength, StreamCopierTelemetry telemetry, ActivityCancellationTokenSource activityToken, Boolean autoFlush, CancellationToken cancellation) fail: Microsoft.AspNetCore.Server.Kestrel[13] Connection id "0HNKKP0JMDQLS", Request id "0HNKKP0JMDQLS:00000005": An unhandled exception was thrown by the application. System.ObjectDisposedException: The response has been aborted due to an unhandled application exception. ---> System.InvalidOperationException: Multiple Location headers were detected. This is possibly because you have remote authentication as the default scheme. Consider short circuiting the YARP requests or disabling default scheme. at Microsoft.AspNetCore.SystemWebAdapters.Authentication.RemoteAppAuthenticationAuthHandler.<>c.<GetRemoteAppAuthenticationResultAsync>b__5_0(Object state) at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<FireOnStarting>g__ProcessEvents|240_0(HttpProtocol protocol, Stack1 events)
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.InitializeResponseAsync(Int32 firstWriteByteCount)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.FlushPipeAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseStream.FlushAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Watch.BrowserRefresh.ResponseStreamWrapper.DisposeAsync() in /_3/ResponseStreamWrapper.cs:line 195
at Microsoft.AspNetCore.Watch.BrowserRefresh.BrowserRefreshMiddleware.InvokeAsync(HttpContext context) in /_3/BrowserRefreshMiddleware.cs:line 59
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication1 application)

Here's my Program.cs file for setting up web adapters/Yarp:

builder.Services.AddSystemWebAdapters()   
    .AddRemoteAppClient(options =>
    {
        options.RemoteAppUrl = new(builder.Configuration["ProxyTo"]);
        options.ApiKey = builder.Configuration["RemoteAppApiKey"];
    })
    .AddAuthenticationClient(isDefaultScheme: true);

builder.Services.AddHttpForwarder();

app.UseSystemWebAdapters();

app.MapForwarder("/{**catch-all}", app.Configuration["ProxyTo"])
    .Add(static builder => ((RouteEndpointBuilder)builder).Order = int.MaxValue);`

I understand what the exception says but I am not sure of the "best" work around.
NOTE:
I still need to have "AddAuthenticationClient(isDefaultScheme: true)" be set to true because that's what populates my Identity object in the asp.net core application.

What is the best/recommended way to solve this problem?

[twsouthwick]

Try the following:

builder.Services.AddSystemWebAdapters()   
    .AddRemoteAppClient(options =>
    {
        options.RemoteAppUrl = new(builder.Configuration["ProxyTo"]);
        options.ApiKey = builder.Configuration["RemoteAppApiKey"];
    })
    .AddAuthenticationClient(isDefaultScheme: true);

builder.Services.AddHttpForwarder();

app.UseSystemWebAdapters();

app.MapForwarder("/{**catch-all}", app.Configuration["ProxyTo"])
-  .Add(static builder => ((RouteEndpointBuilder)builder).Order = int.MaxValue);
+  .Add(static builder => ((RouteEndpointBuilder)builder).Order = int.MaxValue)
+  .ShortCircuit();

[htmlsplash]

Thank you for quick response.

So there are couple of issues with the suggestion:
.Add() returns a void, so you cannot method chain it.
I moved the ShortCircuit() call up, applied the call to/after MapForwarder(), but that made no difference, I receive the same exception.

app.MapForwarder("/{**catch-all}", proxyTo) .ShortCircuit() .Add(static builder => ((RouteEndpointBuilder)builder).Order = int.MaxValue);

By looking at the implementation of ShortCicruit, it only handles a small sample of status codes:

200
401
404

I am dealing with a 302, temp redirect, because in webforms when you access a protected resource you are going to be redirect to a login page.

[twsouthwick]

By looking at the implementation of ShortCicruit, it only handles a small sample of status codes:
200
401
404

What that's doing is lets you set the response code if you want. We're not setting it to anything so it's a noop.

I think I'd need a repro to see more of what's happening.

Did you see the sample in the repo? I've fixed it up on a current PR so take a look here if you haven't: https://github.com/dotnet/systemweb-adapters/tree/build-full-solution/samples/WebFormsToBlazor

[htmlsplash]

Thank you for your help. I will have a look at this next Tues. I don't mind making a repo if I need to... Its basically Blazor page with a link to webforms app page that is protected by login page.

[htmlsplash]

I looked at the sample, not really relevant, could not build the solution btw. Nevertheless, I added repo that you can use to reproduce the error.

1. Go to: https://github.com/htmlsplash/BlazorWebAppTest
2. Clone it
3. Solution should be configured to start both projects simultaneously (BlazorWebAppTest, WebFormsApplication1)
4. The default Blazor home page (Components/Pages/Home.razor) should load, and you should see a link: Access Protected Webforms Page.
5. Click on the link, observe duplicate Location headers exception: One location is added by system webadapters and the other is added by redirect to login, and that's why Kestrel blows up with 2 URLs for single location header.

Configuration:

• All I have enabled is authentication in System Webadapters.
• appsettings.json contains the webforms url/key to use, and web.config contains the same key for webforms app.
• System webadapters code is in Program.cs, and Global.asax (code behind)
• If you need to login in the webforms app, any user name/password will do, I just return authenticated=true

Let me know if you need anything more.