goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Nginx forward auth is looking at the X-Original-URI header instead of X-Original-URL #9858

Open fabrepe opened 1 month ago

fabrepe commented 1 month ago

Describe the bug

Nginx Forward Auth provider (domain level) returned the following error: Outpost authentik Embedded Outpost (Provider Provider for XXX) failed to detect a forward URL from nginx

Steps to reproduce the behavior:

While connecting to an application, the application nginx reverse proxy returned an error 500. Authentik-related logs show the error message: Outpost authentik Embedded Outpost (Provider Provider for XXX) failed to detect a forward URL from nginx

The application reverse proxy is configured as follows (slightly modified copy from the authentik web UI):

 # authentik-specific config
 auth_request        /outpost.goauthentik.io/auth/nginx;
 ...
 # all requests to /outpost.goauthentik.io must be accessible without authentication
 location /outpost.goauthentik.io {
     proxy_pass          https://authentik:9443/outpost.goauthentik.io;
     # ensure the host of this vserver matches your external URL you've configured
     # in authentik
     proxy_set_header    Host $host;
     add_header          X-Original-URL $scheme://$http_host$request_uri;
 ...
 }

Expected behavior

No error

Solution

The proxy header configuration proposed by the UI is to set X-Original-URL to $scheme://$http_host$request_uri. However, it seems that the authentik code is checking X-Original-URI (last character is I instead of L), cf. https://github.com/goauthentik/authentik/blob/0766a47b4f610c56680c7ae70104d36aaaffc4f7/internal/outpost/proxyv2/application/mode_common.go#L90

In fact, setting the X-Original-URI to $scheme://$http_host$request_uri instead of X-Original-URL solves the error.

It seems that the header X-Original-URL is a standard. Maybe the code could be changed to look it up instead?

Thanks for your awesome application 👍
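
The header lookup discussed in this report, as an added example that is not part of the original issue and not authentik's own code: a resolver that accepts either header name and rejects any value that is neither an absolute http(s) URL nor a plain path. The names `forwardURL`, `parseAbsolute` and `errNoForwardURL` and the sample hostname are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// errNoForwardURL (hypothetical) covers the "failed to detect a forward URL" case.
var errNoForwardURL = errors.New("no forward URL header present")

// parseAbsolute accepts only absolute http(s) URLs that carry a host.
func parseAbsolute(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid forward URL: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("forward URL %q is not absolute http(s)", raw)
	}
	return u, nil
}

// forwardURL (hypothetical) resolves the originally requested URL from the
// headers nginx passes on the auth subrequest.
func forwardURL(h http.Header) (*url.URL, error) {
	// Header name used by the nginx config quoted in the report.
	if raw := h.Get("X-Original-URL"); raw != "" {
		return parseAbsolute(raw)
	}
	// Header name the reporter found the outpost reading.
	raw := h.Get("X-Original-URI")
	if raw == "" {
		return nil, errNoForwardURL
	}
	if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") {
		// Path-only value: returned as a relative URL without host.
		return url.ParseRequestURI(raw)
	}
	return parseAbsolute(raw) // full URL, as in the reporter's workaround
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("X-Original-URL", "https://app.example.com/dashboard?tab=1")
	u, err := forwardURL(h)
	fmt.Println(u, err)
}
```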

ThisIsQasim commented 1 week ago

If it is fixed, would that eliminate the need for enabling and adding an additional auth snippet in ingress-nginx as mentioned in the docs?

nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;