Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Respect X-Forwarded-Proto header in OpenIdAuthenticationMechanism #6653

Closed
kapinyajudit opened this issue Apr 25, 2024 · 3 comments
Closed

Enhancement: Respect X-Forwarded-Proto header in OpenIdAuthenticationMechanism #6653

kapinyajudit opened this issue Apr 25, 2024 · 3 comments
Assignees
@felixif

Comments

@kapinyajudit
Copy link

kapinyajudit commented Apr 25, 2024
edited
Loading

Brief Summary

We have a Java web application using OIDC authentication, running on Payara 6 in a Dockerized environment, deployed to Azure as an AppService. The application runs internally with HTTP while Azure converts incoming traffic to HTTPS. Payara Security compares the incoming request URL directly with the configured URL, leading to a mismatch due to protocol differences. Azure adds the X-Forwarded-Proto header to the request indicating that originally it was HTTPS, but Payara does not respect that.

Expected Outcome

The OpenIdAuthenticationMechanism should accurately compare request URLs with configured OIDC Redirect URLs, respecting the X-Forwarded-Proto header.

Current Outcome

"OpenID Redirect URL https://my-url does not match with the request URL http://my-url" is logged and user is not authenticated.

Alternatives

Instead of

 if (!request.getRequestURL().toString().equals(redirectURI)) {

I propose a more sophisticated solution that respects the X-Forwarded-Proto header:

    private boolean isRequestURLMatching(HttpServletRequest request, String redirectURI) {
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        String requestURL = request.getRequestURL().toString();

        // If the request is forwarded via HTTPS, adjust requestURL
        if ("https".equalsIgnoreCase(forwardedProto)) {
            requestURL = "https://" +
                    request.getServerName() +
                    (request.getServerPort() != 80 && request.getServerPort() != 443 ? ":" + request.getServerPort() : "") +
                    request.getRequestURI();
        }

        return requestURL.equals(redirectURI);
    }

Context

No response
@kapinyajudit kapinyajudit added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Enhancement Label issue as an enhancement request labels Apr 25, 2024
@felixif
Copy link

felixif commented May 14, 2024

Hello @kapinyajudit,

Thank you for reporting this issue. As you already have a proposed solution for this issue, could you please create a PR that our engineering team will analyse? Thank you in advance, and I apologise for answering this late to this issue.

Best regards,
Felix

@felixif felixif added Status: Pending Waiting on the issue requester to give more details or share a reproducer and removed Status: Open Issue has been triaged by the front-line engineers and is being worked on verification labels May 14, 2024
@github-actions github-actions bot added Status: Abandoned User has not supplied reproducers for bug report, soon to be closed if user doesn’t come back and removed Type: Enhancement Label issue as an enhancement request Status: Pending Waiting on the issue requester to give more details or share a reproducer labels May 20, 2024
@github-actions GitHub Actions
Copy link

Greetings,
It's been more than 5 days since we requested more information or an update from you on the details of this issue. Could you provide an update soon, please?
We're afraid that if we do not receive an update, we'll have to close this issue due to inactivity.

@github-actions GitHub Actions
Copy link

Greetings,
It's been more than 5 days since this issue was identified as abandoned.
We have closed this issue due to inactivity, please feel free to re-open it if you have more information to share.

@github-actions github-actions bot removed the Status: Abandoned User has not supplied reproducers for bug report, soon to be closed if user doesn’t come back label May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@felixif felixif

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kapinyajudit @felixif