Closed UKFr-DIZ closed 11 months ago
Hi!
I was able to reproduce your issue. The DSF FHIR server tries to get the used protocol from the reverse proxy (by default an apache2).
In the current version, the reverse proxy is not sending the required Proto-Headers, but the nginx in our docker test setup does (https://github.com/datasharingframework/dsf/tree/main/dsf-docker-test-setup-3dic-ttp). Maybe this is the reason why nobody spotted the error until now.
To mitigate the error before we release a new DSF version with the adapted apache configuration you can:
- take the `host-ssl.conf` file (https://github.com/datasharingframework/dsf/blob/v1.3.0/dsf-docker/fhir_proxy/conf/extra/host-ssl.conf),
- add `RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}` in the Location-Block `<Location "${SERVER_CONTEXT_PATH}/">`,
- and mount it in docker-compose:

```yaml
services:
  proxy:
    image: ghcr.io/datasharingframework/fhir_proxy:1.3.0
    restart: on-failure
    volumes:
      - type: bind
        source: ./proxy-host-ssl.conf
        target: /usr/local/apache2/conf/extra/host-ssl.conf
```
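To see why the missing header produces the `http://…/j_security_check` redirect_uri, here is an added Python simulation (not DSF or Keycloak code) of how an application behind a TLS-terminating proxy derives the scheme for the URLs it generates: the backend connection is plain http, so without `X-Forwarded-Proto` the absolute redirect URI is built with `http`, which a Keycloak client registered with an `https` root URL rejects. Hostnames, paths and the simplified matching rule are constructed for the example.

```python
from urllib.parse import urlencode, urlparse

# Constructed: the proxy terminates TLS, so the backend hop is plain http.
BACKEND_SCHEME = "http"


def effective_scheme(headers: dict, trust_proxy_headers: bool = True) -> str:
    """Scheme the app should use for absolute URLs it generates.

    Only honour X-Forwarded-Proto when the app is known to sit behind a
    trusted proxy; a header from an untrusted client must not be believed.
    """
    if trust_proxy_headers:
        proto = headers.get("X-Forwarded-Proto")
        if proto:
            # Multiple proxies append values; the first one is the client-facing hop.
            return proto.split(",")[0].strip().lower()
    return BACKEND_SCHEME


def build_redirect_uri(headers: dict, host: str, context_path: str = "/fhir") -> str:
    """Absolute redirect_uri the app sends to the OIDC provider (constructed path)."""
    return f"{effective_scheme(headers)}://{host}{context_path}/j_security_check"


def keycloak_auth_url(kc_base: str, realm: str, client_id: str, redirect_uri: str) -> str:
    """Authorization request the browser is sent to (parameter set reduced to the two relevant ones)."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return f"{kc_base}/realms/{realm}/protocol/openid-connect/auth?{query}"


def redirect_uri_accepted(registered_root: str, redirect_uri: str) -> bool:
    """Simplified stand-in for the provider's redirect URI check: scheme and host must match."""
    reg, got = urlparse(registered_root), urlparse(redirect_uri)
    return (reg.scheme, reg.netloc) == (got.scheme, got.netloc)


HOST = "dsf-test.example.org"  # constructed hostname
REGISTERED_ROOT = f"https://{HOST}"

# Headers as forwarded by the proxy, without and with the X-Forwarded-Proto fix.
WITHOUT_FIX = {"Host": HOST, "X-Forwarded-For": "203.0.113.10"}
WITH_FIX = {**WITHOUT_FIX, "X-Forwarded-Proto": "https"}


def check(headers: dict) -> tuple[str, bool]:
    uri = build_redirect_uri(headers, HOST)
    return uri, redirect_uri_accepted(REGISTERED_ROOT, uri)


if __name__ == "__main__":
    for label, headers in (("without header", WITHOUT_FIX), ("with header", WITH_FIX)):
        uri, ok = check(headers)
        print(f"{label}: {uri} -> {'accepted' if ok else 'invalid redirect_uri'}")
```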
Hi,
thanks for the fast reply. Setting that header fixes the redirect error!
If comparing the nginx config with the apache setup, I would recommend setting the `ProxyPreserveHost On` directive, which will cover the X-Forwarded-For etc. headers for the fhir-proxy.
Thanks for the hint with additional directives. According to the documentation here, this will "just" set the Host-Header accordingly. The X-Forwarded-For etc. headers should already be set by the ProxyPass Directive. But we will check for useful headers and set them in one of the upcoming releases.
Problem
I am trying to configure OIDC login for the DSF Fhir Server and use the authorization workflow. In Keycloak I have configured the oidc client with the following two attributes:
When trying to call the DSF FHIR server and login via OIDC the redirect URI is with http instead of HTTPS. https:/dsf-test.uniklinik-freiburg.de/fhir
The redirect from the app:
https://kc-server.uniklinik-freiburg.de/auth/realms/diz-sysadmin/protocol/openid-connect/auth?client_id=dsf-fhir-mailbox-test&redirect_uri=http%3A%2F%2Fdsf-test.uniklinik-freiburg.de%2Ffhir%2Fj_security_check
Error message invalid redirect_uri
My guess is that when you instantiate the OIDC Client `openIdConfiguration` and pass the `http_client`, the redirect URI is set with http instead of https: https://github.com/datasharingframework/dsf/blob/74eb4d7af27fe8638985165b862025c908d1d058/dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/config/AbstractJettyConfig.java#L337C1-L338C80
But I honestly don't know.
Temporary solution
Change the root URL in keycloak to http. The reverse proxy of DSF will fix that by redirecting to https, so the login to the DSF Fhir server is secure. I would just prefer if the redirect URL would be proper.