fief-dev / fief

Users and authentication management SaaS
https://www.fief.dev

The FIEF_DOMAIN is not used when redirecting auth requests for the admin page. #375

Closed HansLarsen closed 1 month ago

HansLarsen commented 1 month ago

Describe the bug

When Fief is redirecting back from the login page to the admin page, it uses the local IP address instead of the FIEF_DOMAIN. I'm using nginx as a reverse proxy and I get the message "redirect_uri is not authorized for this client".

I'm a bit unsure if I'm doing something wrong, but this is the admin panel it comes with.

To Reproduce

Steps to reproduce the behavior:

  1. Use the Docker Compose file below
  2. Go to auth.example.test
  3. Log in
  4. Get "redirect_uri is not authorized for this client"

Expected behavior

The redirect would use the FIEF_DOMAIN

Configuration

Additional context

Docker compose

services:
  fief-server:
    container_name: fief-server
    command: fief run-server
    image: ghcr.io/fief-dev/fief:latest
    ports:
      - 8000:8000
    restart: unless-stopped
    env_file:
      - .env
    depends_on:
      - postgres
      - redis

  fief-worker:
    image: ghcr.io/fief-dev/fief:latest
    command: fief run-worker -p 1 -t 1
    env_file:
      - .env
    depends_on:
      - postgres
      - redis

  postgres:
    image: postgres:alpine
    environment:
      - POSTGRES_PASSWORD=fief
      - POSTGRES_USER=fief
      - POSTGRES_DB=fief
    volumes:
      - postgres-data:/var/lib/postgresql/data

  redis:
    image: redis:alpine
    command: redis-server --save 60 1 --loglevel warning
    volumes:
      - redis-data:/data

  nginx:
    container_name: nginx
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/certs:/etc/ssl/certs
      - ./nginx/nginx-selfsigned.key:/etc/ssl/private/nginx-selfsigned.key
      - ./nginx/self-signed.conf:/etc/nginx/snippets/self-signed.conf
      - ./nginx/ssl-params.conf:/etc/nginx/snippets/ssl-params.conf
      - ./nginx/secrets:/run/secrets
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf

volumes:
  redis-data:
  postgres-data:

nginx setup

events {
}
http {
    server {
        server_name auth.example.test;
        location / {
            proxy_pass http://192.168.1.235:8000;
        }
    }
    server {
        listen 443 ssl;
        server_name auth.example.test;
        include snippets/self-signed.conf;
        include snippets/ssl-params.conf;
        location / {
            proxy_pass http://192.168.1.235:8000;
        }
    }
}

FIEF_DOMAIN="auth.example.test"

The redirect URL:

http://auth.example.test/authorize?response_type=code&client_id=CGU40q_KKsJMRillsDWqWYKmZ5Lu017yxU7jgY6NYnU&redirect_uri=http%3A%2F%2F192.168.1.235%3A8000%2Fadmin%2Fauth%2Fcallback&scope=openid&screen=login

frankie567 commented 1 month ago

Hi 👋

Did you correctly set the FORWARDED_ALLOW_IPS environment variable on the Fief server?

The server generates absolute URLs based on the incoming request. So, if the request has the Host header example.com, it'll generate URLs with the example.com host.

However, when behind a proxy like Nginx, the host will be the internal address (192.168.1.235:8000 in your case). For this to work, we need to trust the X-Forwarded-* headers from the proxy.

Read more: https://docs.fief.dev/self-hosting/configuration/ssl/#trust-reverse-proxy-headers
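To illustrate the mechanism described in the reply above, here is an added Python example (not Fief's own code, and not the Uvicorn middleware it relies on) that builds the admin callback URL from request headers the way a proxy-aware server does: X-Forwarded-Proto/Host are honoured only when the immediate peer is in a trusted list, so the same request yields the internal address from the issue when nothing is trusted and the public origin once the proxy is trusted. The peer address 172.18.0.5 and the allow-list 172.18.0.0/16 are constructed values, the trust-list parsing only loosely mirrors FORWARDED_ALLOW_IPS, and the example assumes the proxy actually sends X-Forwarded-* headers (nginx needs proxy_set_header directives to do so).

```python
import ipaddress
from typing import Mapping
from urllib.parse import urlunsplit


def is_trusted_proxy(peer_ip: str, allow_ips: str) -> bool:
    """Loose model of FORWARDED_ALLOW_IPS (assumption, not Fief's parser):
    '*' trusts every peer, otherwise a comma-separated list of IPs/CIDRs."""
    if allow_ips.strip() == "*":
        return True
    peer = ipaddress.ip_address(peer_ip)
    return any(
        peer in ipaddress.ip_network(entry.strip(), strict=False)
        for entry in allow_ips.split(",")
        if entry.strip()
    )


def external_base_url(headers: Mapping[str, str], peer_ip: str, allow_ips: str = "") -> str:
    """Origin the server believes it is reachable at, derived from the request.

    Forwarded headers are only used when the peer is a trusted proxy; an
    untrusted client that forges X-Forwarded-Host must not be able to make
    the server mint callback URLs pointing at a host of its choosing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host = "http", h.get("host", "")
    if is_trusted_proxy(peer_ip, allow_ips):
        # Take the first value in case an upstream proxy appended its own.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
    return urlunsplit((scheme, host, "", "", ""))


def admin_callback_url(headers: Mapping[str, str], peer_ip: str, allow_ips: str = "") -> str:
    return external_base_url(headers, peer_ip, allow_ips) + "/admin/auth/callback"


# Constructed sample requests as seen by the Fief server behind nginx.
NGINX_PEER = "172.18.0.5"  # constructed container address of the proxy
ISSUE_HEADERS = {"Host": "192.168.1.235:8000"}  # nginx with no proxy_set_header
PROXIED_HEADERS = {"Host": "auth.example.test", "X-Forwarded-Proto": "https",
                   "X-Forwarded-Host": "auth.example.test"}
FORGED_HEADERS = {"Host": "192.168.1.235:8000", "X-Forwarded-Proto": "https",
                  "X-Forwarded-Host": "forged.example"}

if __name__ == "__main__":
    print(admin_callback_url(ISSUE_HEADERS, NGINX_PEER))                      # internal IP, as in the issue
    print(admin_callback_url(PROXIED_HEADERS, NGINX_PEER, "172.18.0.0/16"))  # public FIEF_DOMAIN origin
    print(admin_callback_url(FORGED_HEADERS, "203.0.113.9", "172.18.0.0/16"))  # forged headers ignored
```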