Quick side story first: we just identified an issue with our chatbot VirtoOZ: it can’t identify a tenant when the URL has a different scheme (e.g., http instead of https). The reason is that we compare strictly by the origin of the JWT token’s issuer, which is correct: per the WHATWG URL Standard §3.2, “An origin is the triple (scheme, host, port). Two origins are equal only if all three components match.” The only safe workaround would be an extra request to follow the http → https redirect, and we’d need to do that well before any real call to the tenant.
That led us to the root cause. If
ASPNETCORE_FORWARDEDHEADERS_ENABLED: true
isn’t set, the platform has no idea it’s sitting behind an ingress that serves HTTPS - it assumes plain HTTP. Two things fall out of that:
1. The JWT token issuer ends up with an http scheme. That violates the OIDC spec, which requires https. It’s also exactly what tripped VirtoOZ - the issuer origin no longer matches what we have.
2. Every URL built from the platform origin uses http. Links, callbacks, references - all of them pick up an extra redirect hop on the way to the real HTTPS endpoint.
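To make both consequences concrete, here is an added example (not VirtoCommerce or VirtoOZ code) that models the strict origin comparison and what the platform believes its own scheme to be with and without forwarded-header processing. The request/header simulation is an assumption: it mimics the effect of the ASP.NET Core forwarded-headers middleware honoring X-Forwarded-Proto from a trusted proxy, simplified to a single hop. Tenant names and hostnames are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Default ports per scheme, so "https://a.example" and "https://a.example:443"
# produce the same origin triple, as the WHATWG URL Standard requires.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int | None]:
    """Return the WHATWG origin triple (scheme, host, port) of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """Strict origin equality: all three components must match."""
    return origin(a) == origin(b)


def effective_scheme(
    request_scheme: str,
    headers: dict[str, str],
    forwarded_headers_enabled: bool,
    from_trusted_proxy: bool,
) -> str:
    """Scheme the platform believes it is serving (simplified middleware model).

    Assumption: with forwarded headers enabled, the rightmost X-Forwarded-Proto
    entry (the one written by the nearest proxy) replaces the transport scheme.
    The header is only honored when the request arrives from a trusted proxy;
    anything else could spoof its own scheme.
    """
    if forwarded_headers_enabled and from_trusted_proxy:
        proto = headers.get("X-Forwarded-Proto", "")
        if proto:
            return proto.split(",")[-1].strip().lower()
    return request_scheme


def issuer_for_request(
    host: str,
    request_scheme: str,
    headers: dict[str, str],
    forwarded_headers_enabled: bool,
    from_trusted_proxy: bool = True,
) -> str:
    """Issuer URL the platform would put into a JWT for this request."""
    scheme = effective_scheme(request_scheme, headers, forwarded_headers_enabled, from_trusted_proxy)
    return f"{scheme}://{host}"


def find_tenant(issuer: str, tenants: dict[str, str]) -> str | None:
    """Look up a tenant by strict origin equality of its registered issuer."""
    key = origin(issuer)
    for tenant_issuer, name in tenants.items():
        if origin(tenant_issuer) == key:
            return name
    return None


# Constructed sample data: one tenant registered with its HTTPS issuer, and the
# headers an HTTPS-terminating ingress adds before forwarding plain HTTP inward.
TENANTS = {"https://tenant-a.example": "tenant-a"}
INGRESS_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.10"}


def issuer_without_forwarded_headers() -> str:
    return issuer_for_request("tenant-a.example", "http", INGRESS_HEADERS, forwarded_headers_enabled=False)


def issuer_with_forwarded_headers() -> str:
    return issuer_for_request("tenant-a.example", "http", INGRESS_HEADERS, forwarded_headers_enabled=True)


if __name__ == "__main__":
    for label, issuer in (("disabled", issuer_without_forwarded_headers()),
                          ("enabled", issuer_with_forwarded_headers())):
        print(f"forwarded headers {label}: issuer={issuer} tenant={find_tenant(issuer, TENANTS)}")
```

Run as a script: with forwarded headers disabled the issuer comes out as http://tenant-a.example and the tenant lookup returns nothing, because the scheme component of the origin differs; with them enabled the issuer is https://tenant-a.example and the lookup succeeds. The from_trusted_proxy flag stands in for the known-proxy check a real deployment must keep, since a forwarded scheme from an arbitrary client must not be trusted.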
We recommend enabling it for every platform deployment in VirtoCloud.