datasharingframework / dsf

A distributed process engine based on the BPMN 2.0 and FHIR R4 standards
https://dsf.dev
Apache License 2.0

redirect uri for OIDC login is http #124

Closed UKFr-DIZ closed 11 months ago

UKFr-DIZ commented 12 months ago

Problem

I am trying to configure OIDC login for the DSF Fhir Server and use the authorization workflow. In Keycloak I have configured the oidc client with the following two attributes:

When trying to call the DSF FHIR server and log in via OIDC, the redirect URI uses http instead of HTTPS. https:/dsf-test.uniklinik-freiburg.de/fhir

The redirect from the app: https://kc-server.uniklinik-freiburg.de/auth/realms/diz-sysadmin/protocol/openid-connect/auth?client_id=dsf-fhir-mailbox-test&redirect_uri=http%3A%2F%2Fdsf-test.uniklinik-freiburg.de%2Ffhir%2Fj_security_check

Error message invalid redirect_uri

My guess is that when you instantiate the OIDC Client openIdConfiguration and pass the http_client, that the redirect URI is set with http instead of https.

https://github.com/datasharingframework/dsf/blob/74eb4d7af27fe8638985165b862025c908d1d058/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/config/AbstractJettyConfig.java#L337C1-L338C80

But I honestly don't know.

Temporary solution

Change the root URL in keycloak to http. The reverse proxy of DSF will fix that by redirecting to https, so the login to the DSF Fhir server is secure. I would just prefer if the redirect URL would be proper.

schwzr commented 12 months ago

Hi!

I was able to reproduce your issue. The DSF FHIR server tries to get the used protocol from the reverse proxy (by default an apache2).

In the current version, the reverse proxy is not sending the required Proto-Headers, but the nginx in our docker test setup does (https://github.com/datasharingframework/dsf/tree/main/dsf-docker-test-setup-3dic-ttp). Maybe this is the reason why nobody spotted the error until now.

To mitigate the error before we release a new DSF version with the adapted apache configuration you can:

  1. Download the current host-ssl.conf file (https://github.com/datasharingframework/dsf/blob/v1.3.0/dsf-docker/fhir_proxy/conf/extra/host-ssl.conf)
  2. Add the following line in the Location block `<Location "${SERVER_CONTEXT_PATH}/">`:

     ```apache
     RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
     ```

  3. Mount the file in your proxy server:

     ```yaml
     services:
       proxy:
         image: ghcr.io/datasharingframework/fhir_proxy:1.3.0
         restart: on-failure
         volumes:
           - type: bind
             source: ./proxy-host-ssl.conf
             target: /usr/local/apache2/conf/extra/host-ssl.conf
     ```

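The mechanism behind the fix above, as an added illustration that is not DSF code and not part of this thread: a hypothetical reverse proxy forwards a request to a hypothetical backend, and the backend derives the scheme for the OIDC `redirect_uri` from `X-Forwarded-Proto`. Without the header the backend only sees the plain-http hop from the proxy, so the redirect comes out as `http://...`; with the proxy setting the header from its own request scheme (the effect of `RequestHeader set ... expr=%{REQUEST_SCHEME}`), it comes out as `https://...`. Using `set` rather than forwarding whatever the client sent also means a client-supplied `X-Forwarded-Proto` is overwritten, so the backend never trusts an unverified value. All host names, client ids and function names are constructed for the example.

```python
"""Simulate X-Forwarded-Proto handling between a reverse proxy and a backend.

Added example, not DSF's implementation; proxy_forward/backend_scheme/
build_auth_url are hypothetical stand-ins for the real proxy and server.
"""
from urllib.parse import urlencode

# Constructed sample values (not real deployments).
HOST = "dsf.example.org"
CONTEXT_PATH = "/fhir"
ISSUER = "https://kc.example.org/auth/realms/example"
CLIENT_ID = "dsf-fhir-example"


def proxy_forward(client_headers: dict, request_scheme: str, set_proto: bool) -> dict:
    """Hypothetical reverse proxy.

    Copies the client's headers to the backend request. When set_proto is
    True it mirrors `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}`:
    the header is (over)written with the scheme the proxy itself received,
    regardless of any value the client supplied.
    """
    forwarded = {name.lower(): value for name, value in client_headers.items()}
    if set_proto:
        forwarded["x-forwarded-proto"] = request_scheme
    return forwarded


def backend_scheme(headers: dict, connection_scheme: str = "http") -> str:
    """Hypothetical backend: prefer the proxy's X-Forwarded-Proto, otherwise
    fall back to the scheme of the proxy-to-backend hop (plain http here).
    Only the two known values are accepted; anything else is ignored."""
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        return proto
    return connection_scheme


def build_auth_url(headers: dict, host: str = HOST, context_path: str = CONTEXT_PATH,
                   issuer: str = ISSUER, client_id: str = CLIENT_ID,
                   connection_scheme: str = "http") -> str:
    """Build the authorization request the backend redirects the browser to.
    The redirect_uri scheme is whatever backend_scheme() decided."""
    scheme = backend_scheme(headers, connection_scheme)
    redirect_uri = f"{scheme}://{host}{context_path}/j_security_check"
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"{issuer}/protocol/openid-connect/auth?{query}"


def redirect_uri_of(auth_url: str) -> str:
    """Extract the (still URL-encoded) redirect_uri parameter for inspection."""
    return auth_url.split("redirect_uri=", 1)[1]


if __name__ == "__main__":
    # 1. Proxy does not set the header: backend falls back to http (the bug).
    print(redirect_uri_of(build_auth_url(proxy_forward({}, "https", set_proto=False))))
    # 2. Proxy sets the header from its own scheme: backend emits https.
    print(redirect_uri_of(build_auth_url(proxy_forward({}, "https", set_proto=True))))
    # 3. Client tries to inject a value; `set` overwrites it with the real scheme.
    spoofed = proxy_forward({"X-Forwarded-Proto": "https"}, "http", set_proto=True)
    print(redirect_uri_of(build_auth_url(spoofed)))
```

Case 1 reproduces the `http%3A%2F%2F...%2Fj_security_check` redirect from the report; case 2 is the behaviour after the `RequestHeader set` line is in place; case 3 shows why `set` is preferable to passing a client-controlled header through unchanged.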
UKFr-DIZ commented 12 months ago

Hi,

thanks for the fast reply. Setting that header fixes the redirect error!

If comparing the nginx config with the apache setup, I would recommend setting the `ProxyPreserveHost On` directive, which will cover the X-Forwarded-For etc. headers for the fhir-proxy.

schwzr commented 12 months ago

Thanks for the hint with additional directives. According to the documentation here, this will "just" set the Host header accordingly. The X-Forwarded-For etc. headers should already be set by the ProxyPass directive. But we will check for useful headers and set them in one of the upcoming releases.