OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

Incorrectly redirects on login via nginx reverse proxy #2357

Open qcaas-nhs-sjt opened 3 months ago

qcaas-nhs-sjt commented 3 months ago

When we log in to ATLAS, we are redirected to Entra ID and can log in; once we are redirected back, we land on the port that the server runs on rather than on the proxy.

In our implementation of Atlas with WebAPI running on kubernetes, we are utilising Microsoft Entra ID to provide authentication. In our configuration, Atlas is configured as follows:

var getUrl = window.location;
webapi_url = getUrl.protocol + "//" + getUrl.hostname + "/WebAPI/";

// WebAPI
configLocal.api = {
   name: 'ATLAS',
   url: webapi_url
};

and our API Server is configured as follows:

        - name: DATASOURCE_DRIVERCLASSNAME
          value: org.postgresql.Driver
        - name: DATASOURCE_OHDSI_SCHEMA
          value: webapi
        - name: DATASOURCE_PASSWORD
          valueFrom:
            secretKeyRef:
              key: db-password
              name: ohdsi
        - name: DATASOURCE_URL
          value: jdbc:postgresql://****.postgres.database.azure.com:5432/ohdsi
        - name: DATASOURCE_USERNAME
          value: ***@***.postgres.database.azure.com
        - name: FLYWAY_BASELINEDESCRIPTION
          value: Base Migration
        - name: FLYWAY_BASELINEONMIGRATE
          value: "true"
        - name: FLYWAY_DATASOURCE_DRIVERCLASSNAME
          value: org.postgresql.Driver
        - name: FLYWAY_DATASOURCE_PASSWORD
          valueFrom:
            secretKeyRef:
              key: db-password
              name: ohdsi
        - name: FLYWAY_DATASOURCE_URL
          value: jdbc:postgresql://***.postgres.database.azure.com:5432/ohdsi
        - name: FLYWAY_DATASOURCE_USERNAME
          value: ***@***.postgres.database.azure.com
        - name: FLYWAY_LOCATIONS
          value: classpath:db/migration/postgresql
        - name: FLYWAY_PLACEHOLDERS_OHDSISCHEMA
          value: webapi
        - name: FLYWAY_SCHEMAS
          value: webapi
        - name: FLYWAY_TABLE
          value: schema_history
        - name: SECURITY_CORS_ENABLED
          value: "true"
        - name: SECURITY_ORIGIN
          value: http://127.0.0.1
        - name: SPRING_BATCH_REPOSITORY_TABLEPREFIX
          value: webapi.BATCH_
        - name: SPRING_JPA_PROPERTIES_HIBERNATE_DEFAULT_SCHEMA
          value: webapi
        - name: SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT
          value: org.hibernate.dialect.PostgreSQLDialect
        - name: flyway_baselineVersionAsString
          value: 2.2.5.20180212152023
        - name: SECURITY_PROVIDER
          value: AtlasRegularSecurity
        - name: SECURITY_OID_ENABLED
          value: "true"
        - name: SECURITY_OID_CLIENTID
          value: ***
        - name: SECURITY_OID_APISECRET
          valueFrom:
            secretKeyRef:
              key: ohdsi-appreg-client-secret
              name: ohdsi
        - name: SECURITY_OID_URL
          value: https://login.microsoftonline.com/***/v2.0/.well-known/openid-configuration
        - name: SECURITY_SSL_ENABLED
          value: "true"
        - name: JAVA_OPTS
          value: -Dserver.ssl.enabled=true -Dserver.ssl.key-store=/mnt/keystore/keystore.jks
            -Dserver.ssl.keyStoreType=JKS -Dserver.ssl.key-alias=tomcat -Dserver.ssl.key-store-password=***
            -Dserver.ssl.key-password=*** -Dserver.port=8080 -Dsecurity.oid.redirectUrl=https://sandbox-ohdsi.xlscsde.nhs.uk/atlas/#/welcome
            -Dsecurity.oauth.callback.api=https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/oauth/callback
            -Dsecurity.oauth.callback.ui=https://sandbox-ohdsi.xlscsde.nhs.uk/atlas/#/welcome
            -Dsecurity.oauth.callback.urlResolver=query -Dshiro.successUrl=https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/login/openid?redirectUrl=/home

https://sandbox-ohdsi.xlscsde.nhs.uk/atlas/#/home

Our ingress configuration is as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: ohdsi
    meta.helm.sh/release-namespace: ohdsi
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: sandbox-ohdsi.xlscsde.nhs.uk:8080
    xlscsde.nhs.uk/dns-record: ohdsi
  labels:
    app.kubernetes.io/managed-by: Helm
    helm.toolkit.fluxcd.io/name: ohdsi
    helm.toolkit.fluxcd.io/namespace: ohdsi
  name: ohdsi-webapi
  namespace: ohdsi
spec:
  ingressClassName: nginx
  rules:
  - host: sandbox-ohdsi.xlscsde.nhs.uk
    http:
      paths:
      - backend:
          service:
            name: ohdsi-webapi
            port:
              number: 8080
        path: /WebAPI
        pathType: Prefix
  tls:
  - hosts:
    - sandbox-ohdsi.xlscsde.nhs.uk
    secretName: sandbox-ohdsi.xlscsde.nhs.uk-tls

Atlas loads fine and can talk to the WebAPI without incident; however, when we log in it redirects us in the wrong direction.

Expected behavior

After login via oid we should be redirected to

https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/oauth/callback

this should then redirect us to:

https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/login/openid?redirectUrl=/home

Actual behavior

After login via oid we should be redirected to

https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/oauth/callback

then redirect us to:

https://sandbox-ohdsi.xlscsde.nhs.uk:8080/WebAPI/user/login/openid?redirectUrl=/home

Steps to reproduce behavior
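A small diagnostic for pinning down which hop of the login redirect chain carries the backend port, added here as an illustration and not part of WebAPI or of this thread. It assumes the public origin shown in the issue and runs on constructed header lines modelled on the expected and actual hops above; the comment on the likely cause is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added diagnostic (not WebAPI code). Flags redirect targets whose scheme/host/port
# differ from the public origin the reverse proxy is supposed to present.
# Assumption, not confirmed in the thread: the ingress annotation
# upstream-vhost "sandbox-ohdsi.xlscsde.nhs.uk:8080" sets the Host header seen by
# the backend to host:8080, so any absolute redirect the backend builds from Host
# inherits ":8080". Dropping the port from upstream-vhost, or making the backend
# honour X-Forwarded-Host / X-Forwarded-Port, is the usual remedy to test.

PUBLIC_ORIGIN="https://sandbox-ohdsi.xlscsde.nhs.uk"

# origin_of URL: prints scheme://host[:port] of an absolute URL, nothing for a relative one.
origin_of() {
  case "$1" in
    http://*|https://*)
      scheme=${1%%://*}
      rest=${1#*://}
      hostport=${rest%%/*}
      printf '%s://%s\n' "$scheme" "$hostport" ;;
    *) printf '' ;;
  esac
}

# check_location URL: succeeds if the redirect is relative or stays on PUBLIC_ORIGIN,
# fails if it points at another origin (e.g. the :8080 backend). Exact string match;
# default-port normalisation (":443") is deliberately not attempted.
check_location() {
  origin=$(origin_of "$1")
  [ -z "$origin" ] && return 0
  [ "$origin" = "$PUBLIC_ORIGIN" ]
}

# leaking_hops: reads raw response headers on stdin, prints each leaking Location target.
# Live use: curl -sS -o /dev/null -D - "$PUBLIC_ORIGIN/WebAPI/user/oauth/callback" | leaking_hops
leaking_hops() {
  while IFS= read -r line; do
    loc=$(printf '%s' "$line" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | tr -d '\r')
    [ -n "$loc" ] || continue
    check_location "$loc" || printf '%s\n' "$loc"
  done
}

# Constructed sample: the expected first hop, the actual second hop, and a relative hop.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: https://sandbox-ohdsi.xlscsde.nhs.uk/WebAPI/user/oauth/callback
HTTP/1.1 302 Found
Location: https://sandbox-ohdsi.xlscsde.nhs.uk:8080/WebAPI/user/login/openid?redirectUrl=/home
HTTP/1.1 302 Found
Location: /home'

printf '%s\n' "$SAMPLE_HEADERS" | leaking_hops
```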

anthonysena commented 3 months ago

@konstjar - just tagging you here to see if you can provide some feedback on this issue. @qcaas-nhs-sjt has provided a lot of the details around his deployment using OpenID and I'm unsure what may be causing this behavior.

anthonysena commented 3 months ago

Linking to https://github.com/OHDSI/WebAPI/issues/1901

konstjar commented 2 months ago

@qcaas-nhs-sjt Please check what redirect URL is defined in your Entra ID, does it include the port?