Improper PGADMIN4 redirect URI #7389

Open
shantanumitra62 opened this issue Apr 17, 2024 · 16 comments

Comments

@shantanumitra62

shantanumitra62 commented Apr 17, 2024

Hi Team,
We are using pgAdmin (image: 7.4) behind a load balancer running on an AKS cluster, and we are terminating SSL at the load balancer, so the requests arrive on port 80. Now we want to configure OIDC, but the redirect URL still contains port 80, like this:
https://server:80/pgadmin4/oauth2-header/oauth2-header
We have already set the HTTP request header X-Scheme to "https" and, in addition, X-forwarded-port to "443", but this seems to have no effect. Can you please have a look at this and let us know which header or property we should set to achieve a redirect URI without a port number?

@adityatoshniwal
Contributor

Hi @shantanumitra62,
v7.4 is quite old and we don't support it. Please try on the latest v8.5 once.

@shantanumitra62
Author

Hi Team,
We have upgraded pgAdmin to the latest 8.5 version image, but we still see the same redirect error.
The redirect URL still looks like this: https://server:80/pgadmin4/oauth2-header/oauth2-header, with port 80 in the server name.
We are not sure where this port 80 is coming from, and we want to get rid of this port 80 in our redirect URL.

Please help us on this.

@shantanumitra62 shantanumitra62 removed their assignment Apr 19, 2024
@shantanumitra62
Author

Hi Team, hi @akshay-joshi,
Can you please help me with the issue? I have updated to the newer version of the image and still see the same error.
Awaiting your response.

Regards
Shantanu

@khushboovashi
Contributor

Hi @shantanumitra62, what is the oauth2-header in your URL (https://server:80/pgadmin4/oauth2-header/oauth2-header)?
Please provide your configuration file to further investigate.

@shantanumitra62
Author

shantanumitra62 commented Apr 24, 2024

Hi @khushboovashi ,
Here is the config which we are using:

'OAUTH2_NAME': '',
'OAUTH2_DISPLAY_NAME': '',
'OAUTH2_CLIENT_ID': os.environ['OAUTH2_CLIENT_ID'],
'OAUTH2_CLIENT_SECRET': os.environ['OAUTH2_CLIENT_SECRET'],
'OAUTH2_TOKEN_URL': 'https://sso-int.sensitive-data.com/as/token.oauth2',
'OAUTH2_AUTHORIZATION_URL': 'https://sso-int.sensitive-data.com/as/authorization.oauth2',
'OAUTH2_API_BASE_URL': 'https://sso-int.sensitive-data.com',
'OAUTH2_SCOPE': 'openid email profile',
'OAUTH2_SERVER_METADATA_URL': 'https://sso-int.sensitive-data.com/.well-known/openid-configuration',
'OAUTH2_USERINFO_ENDPOINT': 'https://sso-int.sensitive-data.com/idp/userinfo.openid',
'OAUTH2_SSL_CERT_VERIFICATION': True,
'OAUTH2_BUTTON_COLOR': '#0000ff',

@khushboovashi
Contributor

@shantanumitra62, send me the entire config file.

@shantanumitra62
Author

Hi @khushboovashi ,
Can you please help me understand what exactly you mean when you refer to the entire config file?
We are following the examples from this official page:
https://github.com/rowanruseler/helm-charts/blob/main/charts/pgadmin4/examples/add-oauth2-config.yaml

and we are doing exactly the same, so as per this link the config-map is the configuration file, which I have shared with you. Can you please suggest what to do now?

@shantanumitra62 shantanumitra62 removed their assignment Apr 30, 2024
@adityatoshniwal
Contributor

Hi @shantanumitra62,
This doesn't look like a pgAdmin issue but more like a load balancer config issue. Try to run pgAdmin with simply OAuth2, without any nodes in between.
Can you also try tweaking the config variables below?


# Reverse Proxy parameters
# You must tell the middleware how many proxies set each header
# so it knows what values to trust.
# See https://tinyurl.com/yyg7r9av
# for more information.

# Number of values to trust for X-Forwarded-For
PROXY_X_FOR_COUNT = 1

# Number of values to trust for X-Forwarded-Proto.
PROXY_X_PROTO_COUNT = 1

# Number of values to trust for X-Forwarded-Host.
PROXY_X_HOST_COUNT = 0

# Number of values to trust for X-Forwarded-Port.
PROXY_X_PORT_COUNT = 1

# Number of values to trust for X-Forwarded-Prefix.
PROXY_X_PREFIX_COUNT = 0
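
A sketch of the trusted-hop logic behind the PROXY_X_*_COUNT settings quoted above, added here as an illustration; it is not code from pgAdmin, Werkzeug, or any participant in this thread. It assumes each count means "take the Nth value from the right of the matching X-Forwarded-* header"; the environ values and function names are constructed.

```python
# Added example: stdlib-only model of trusted-hop proxy-header handling.
# It is NOT pgAdmin's or Werkzeug's code; all function names are hypothetical.
DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed WSGI environ: TLS ends at the load balancer, backend listens on 80.
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "server:80",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_PORT": "443",
}


def trusted_value(header, count):
    """Return the value appended by the count-th proxy from the right, else None."""
    if not header or count < 1:
        return None
    values = [v.strip() for v in header.split(",") if v.strip()]
    # Fewer values than trusted hops means the header cannot be relied on.
    return values[-count] if len(values) >= count else None


def external_base_url(environ, x_proto=0, x_host=0, x_port=0):
    """Rebuild scheme://host[:port] from the headers the counts allow."""
    scheme = (trusted_value(environ.get("HTTP_X_FORWARDED_PROTO"), x_proto)
              or environ["wsgi.url_scheme"])
    host = (trusted_value(environ.get("HTTP_X_FORWARDED_HOST"), x_host)
            or environ["HTTP_HOST"])
    port = trusted_value(environ.get("HTTP_X_FORWARDED_PORT"), x_port)
    if port:
        # Replace any port already on the host (leave bare IPv6 literals alone).
        if ":" in host and not host.endswith("]"):
            host = host.rsplit(":", 1)[0]
        host = f"{host}:{port}"
    # A port is dropped only when it is the default for the *final* scheme.
    name, sep, current = host.rpartition(":")
    if sep and current == DEFAULT_PORTS.get(scheme):
        host = name
    return f"{scheme}://{host}"


if __name__ == "__main__":
    for counts in ({"x_proto": 1}, {"x_proto": 1, "x_port": 1}):
        print(counts, "->", external_base_url(SAMPLE_ENVIRON, **counts))
    # Constructed spoof: the client sent 8443, the one real proxy appended 443.
    spoofed = dict(SAMPLE_ENVIRON, HTTP_X_FORWARDED_PORT="8443, 443")
    print("count 2, one proxy ->", external_base_url(spoofed, x_proto=1, x_port=2))
```

In this model, trusting the forwarded scheme but not the forwarded port gives `https://server:80`, because 80 is no longer the default port for the scheme. A count higher than the real number of proxies lets a client-supplied value (8443 here) end up in the redirect URI.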

@shantanumitra62
Author

Hi @adityatoshniwal ,
Thanks for your response. We tweaked the values suggested above, but there is no change in the redirect URI; it still adds port 80 when we set the "X-Scheme" header value to "https".
Please suggest now.

@shantanumitra62
Author

Hi @khushboovashi @adityatoshniwal ,
Can you please update us on this issue, as we are badly stuck?
The oauth2-header in our URL (https://server:80/pgadmin4/oauth2/authorize)

@khushboovashi
Contributor

@shantanumitra62, the redirect URL should be configured at the OAuth2 provider site. Can you share a screenshot of your OIDC provider settings?

@shantanumitra62
Author

Hi @khushboovashi,
Thanks for letting us know. We are certainly aware of this, but the problem is something else.
1> We have followed the official GitHub documentation to configure OAuth2 authorization from this link:
https://github.com/rowanruseler/helm-charts/blob/main/charts/pgadmin4/examples/add-oauth2-config.yaml

So, based on the above configuration, I have already provided the configuration parameters, which we are creating using a ConfigMap with the file config_local.py with these values:
'OAUTH2_NAME': '',
'OAUTH2_DISPLAY_NAME': '',
'OAUTH2_CLIENT_ID': os.environ['OAUTH2_CLIENT_ID'],
'OAUTH2_CLIENT_SECRET': os.environ['OAUTH2_CLIENT_SECRET'],
'OAUTH2_TOKEN_URL': 'https://sso-int.sensitive-data.com/as/token.oauth2',
'OAUTH2_AUTHORIZATION_URL': 'https://sso-int.sensitive-data.com/as/authorization.oauth2',
'OAUTH2_API_BASE_URL': 'https://sso-int.sensitive-data.com/',
'OAUTH2_SCOPE': 'openid email profile',
'OAUTH2_SERVER_METADATA_URL': 'https://sso-int.sensitive-data.com/.well-known/openid-configuration',
'OAUTH2_USERINFO_ENDPOINT': 'https://sso-int.sensitive-data.com/idp/userinfo.openid',
'OAUTH2_SSL_CERT_VERIFICATION': True,
'OAUTH2_BUTTON_COLOR': '#0000ff',

Now that we have provided the values to configure OAuth2 authentication, pgAdmin redirects us to the OIDC provider login page for authentication, but here the pgAdmin application, instead of providing us with the proper redirect URI, which in our case should be
https://hostname/pgadmin4/oauth2/authorize
gives us this redirect URI:
https://hostname:80/pgadmin4/oauth2/authorize
As you can see, port 80 is getting added to our URI, which makes it an improper redirect URI.
So our question was what can be changed or tweaked so that we get the proper redirect URI.

Please note: pgAdmin is hosted behind our load balancer, and we are explicitly passing a header "X-Scheme = https" to specify to the requester that the request is served over HTTPS.

@khushboovashi
Contributor

Hi @shantanumitra62, we can schedule a screen-sharing session between 10 AM and 5 PM IST. Share the link to join.

@shantanumitra62
Author

Thank you @khushboovashi for the screen sharing offer, surely let me discuss with my team on this and I will get back to you.

@shantanumitra62
Author

Hi @adityatoshniwal @khushboovashi,
Can you please share your official email IDs and those of the concerned members so that we can share the official meeting invite with you all?

Regards
Shan

@yogeshmahajan-1903
Contributor

@shantanumitra62
You can send the invite to pgadmin-support@postgresql.org
