
Enhancement: Respect X-Forwarded-Proto header in OpenIdAuthenticationMechanism #6653

Open
kapinyajudit opened this issue Apr 25, 2024 · 0 comments
Assignees
Labels
Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Enhancement Label issue as an enhancement request

Comments

@kapinyajudit

kapinyajudit commented Apr 25, 2024

Brief Summary

We have a Java web application using OIDC authentication, running on Payara 6 in a Dockerized environment, deployed to Azure as an AppService. The application runs internally with HTTP while Azure converts incoming traffic to HTTPS. Payara Security compares the incoming request URL directly with the configured URL, leading to a mismatch due to protocol differences. Azure adds the X-Forwarded-Proto header to the request indicating that originally it was HTTPS, but Payara does not respect that.

Expected Outcome

The OpenIdAuthenticationMechanism should accurately compare request URLs with configured OIDC Redirect URLs, respecting the X-Forwarded-Proto header.

Current Outcome

"OpenID Redirect URL https://my-url does not match with the request URL http://my-url" is logged and the user is not authenticated.

Alternatives

Instead of

 if (!request.getRequestURL().toString().equals(redirectURI)) {

I propose a more sophisticated solution that respects the X-Forwarded-Proto header:

    private boolean isRequestURLMatching(HttpServletRequest request, String redirectURI) {
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        String requestURL = request.getRequestURL().toString();

        // If the request is forwarded via HTTPS, adjust requestURL
        if ("https".equalsIgnoreCase(forwardedProto)) {
            requestURL = "https://" +
                    request.getServerName() +
                    (request.getServerPort() != 80 && request.getServerPort() != 443 ? ":" + request.getServerPort() : "") +
                    request.getRequestURI();
        }

        return requestURL.equals(redirectURI);
    }

Context

No response
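As an added illustration (not code from the issue or from Payara), the check below folds in the caveat a reviewer would raise on the proposal above: X-Forwarded-Proto must only be honoured when the immediate peer is a known reverse proxy, otherwise a client reaching the container directly can choose the scheme the comparison sees. The TRUSTED_PROXIES addresses, the method names and the sample values are assumptions; the arguments stand in for the HttpServletRequest getters the issue's snippet calls, so the block runs on a plain JDK.

```java
import java.net.URI;
import java.util.Set;

public final class ForwardedProtoRedirectCheck {
    // Assumed addresses of the TLS-terminating proxies allowed to set X-Forwarded-Proto (hypothetical).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "127.0.0.1");

    // Arguments mirror request.getRemoteAddr(), getHeader("X-Forwarded-Proto"), getScheme(),
    // getServerName(), getServerPort() and getRequestURI() of HttpServletRequest.
    static String effectiveRequestUrl(String remoteAddr, String forwardedProto, String scheme,
                                      String serverName, int serverPort, String requestUri) {
        String effectiveScheme = scheme;
        // Honour the header only when the immediate peer is a known proxy; a client talking
        // straight to the container could otherwise spoof the scheme.
        if (forwardedProto != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            // The header may carry a comma-separated chain; the first entry is the client-facing one.
            String first = forwardedProto.split(",")[0].trim().toLowerCase();
            if (first.equals("http") || first.equals("https")) {
                effectiveScheme = first;
            }
        }
        // Same port rule as the issue's proposal: omit 80 and 443, keep anything else.
        String portPart = (serverPort == 80 || serverPort == 443) ? "" : ":" + serverPort;
        return effectiveScheme + "://" + serverName + portPart + requestUri;
    }

    // Compare the components rather than raw strings so host case and "." / ".." path
    // segments do not produce spurious mismatches.
    static boolean isRequestUrlMatching(String effectiveUrl, String redirectUri) {
        URI a = URI.create(effectiveUrl).normalize();
        URI b = URI.create(redirectUri).normalize();
        if (a.getScheme() == null || a.getHost() == null || b.getScheme() == null || b.getHost() == null) {
            return false;
        }
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && a.getPort() == b.getPort()
                && a.getPath().equals(b.getPath());
    }

    public static void main(String[] args) {
        String redirect = "https://my-url/callback";
        // Constructed sample: the container hears plain HTTP on port 80 behind the proxy at 10.0.0.5.
        String viaProxy = effectiveRequestUrl("10.0.0.5", "https", "http", "my-url", 80, "/callback");
        // Same header sent by a client that bypassed the proxy: it must not be trusted.
        String direct = effectiveRequestUrl("203.0.113.9", "https", "http", "my-url", 80, "/callback");
        System.out.println(viaProxy + " -> " + isRequestUrlMatching(viaProxy, redirect));
        System.out.println(direct + " -> " + isRequestUrlMatching(direct, redirect));
    }
}
```

In the Azure setup described above the trusted-proxy set would hold the front end's addresses; where the proxy also rewrites the port, X-Forwarded-Port would need the same treatment.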

@kapinyajudit kapinyajudit added the Status: Open and Type: Enhancement labels Apr 25, 2024