OPENID multiple redirect uris

[louisgls]

Prerequisites

• [X] I read the Deployment and Setup section of the OpenCTI documentation as well as the Troubleshooting page and didn't find anything relevant to my problem.
• [X] I went through old GitHub issues and couldn't find anything relevant
• [X] I googled the issue and didn't find anything relevant

Description

Can OPENID strategy supports multiple redirect_uris ? The doc seems to show that it is the case as the PROVIDERSOPENIDCONFIG__REDIRECT_URIS is an array :

- PROVIDERS__OPENID__STRATEGY=OpenIDConnectStrategy 
- "PROVIDERS__OPENID__CONFIG__LABEL=Login with OpenID"
- PROVIDERS__OPENID__CONFIG__ISSUER=https://xxxxxxx/auth/realms/xxxx
- PROVIDERS__OPENID__CONFIG__CLIENT_ID=XXXXXXXXXXXXXXXXXX
- PROVIDERS__OPENID__CONFIG__CLIENT_SECRET=XXXXXXXXXXXXXXXXXX
- "PROVIDERS__OPENID__CONFIG__REDIRECT_URIS=[\"https://demo.opencti.io/auth/oic/callback\"]"

We have tried to add multiple redirect uris (because we have 2 different fqdn to access the front) but the first OIDC authorization request doesn't have any "redirect_uri" in the query string parameters.

Environment

1. OS (where OpenCTI server runs): Debian 10
2. OpenCTI version: 5.1.2
3. OpenCTI client: { e.g. frontend or python }

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Configure OIDC with multiple redirect_uris
2. Click on the Login with button
3. Check the first query's parameter in a browser's console

[richard-julien]

Hi @louisgls , dont really know about that, need to investigate. Can you explains a bit more your case and what you expect of setting multiple callback uri?

[louisgls]

Hi @richard-julien, thank your for your answer. I was just wondering why the redirect uri was a multi valued field. I have 2 fqdn that points to the same opencti instance and I would have liked to set up the OpenID flow for both. For example :

• yyy/opencti correctly authenticates using redirect_uri=https://yyyy/opencti/auth/oic/callback
• xxxx.domain.tld fails to authenticate because it uses the same redirect_uri parameter : redirect_uri=https://yyy/opencti/auth/oic/callback, it redirects to https://yyy/opencti/auth/oic/undefined with the following error :

  did not find expected authorization request details in session, req.session["oidc:IDP URL"] is undefined

  It totally make sense for me that it only works in the first case, but I was curious about the fact that redirect_uris could have multiple values, perhaps it would know which redirect uri to set as parameters during the first openid call to the authorization endpoint and therefore SSO will work with multiple fqdn.