Closed christinedraper closed 9 months ago
Hi,

Does your IdP make use of meta.location that is included in the response? It's included because of the SCIM specification; I'm not aware of IdPs actually using this information.

I assume the reason for the question is that you do not want to expose internal host/port information in the response?

Two potential solutions to address this issue:

- skipMetaLocation, for excluding meta.location in the response
- X-Forwarded-Host and X-Forwarded-Port; scimgateway then knows the original host/port that can be set in meta.location. scimgateway is already evaluating another header, X-Forwarded-For, for allowlisted ip-addresses

Regards, Jarle
The main concern is not exposing internal host info. It's reassuring that you're not aware of IdPs using the information. Either of the approaches you suggest would work for us; the first would be simpler to set up.
Now fixed. Ref:

[Added] meta.location, which contains the protocol and hostname from the request URL, will be excluded from the response, e.g. {...,"meta":{"location":"https://my-company.com/<...>"}}. If using a reverse proxy and not including the headers X-Forwarded-Proto and X-Forwarded-Host, the originator will be the proxy and we might not want to expose the internal protocol and hostname being used by the proxy request.

Below is an example of an nginx reverse proxy configuration supporting SCIM Gateway ipAllowList and a correct meta.location response:

```nginx
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
```
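The following is an added example, written for this thread and not scimgateway's own code, of what a SCIM endpoint behind the nginx configuration above has to do on its side: rebuild the public base URL for meta.location from X-Forwarded-Proto and X-Forwarded-Host, honour a skipMetaLocation-style option that drops the field altogether, and pick the client address for an allow list out of X-Forwarded-For. The request shape ({ remoteAddress, protocol, path, headers }), the TRUSTED_PROXIES set, the function names and every sample value are assumptions constructed for the example; only the option and header names come from the thread. It goes one step beyond the thread by trusting the forwarded headers only when the direct peer is a known proxy, since otherwise any client can set them itself.

```javascript
// Added example (not scimgateway code): meta.location and client IP derivation
// for a SCIM service running behind a reverse proxy. Request shape, helper names
// and all sample values below are assumptions constructed for this example.

// Addresses of reverse proxies whose X-Forwarded-* headers we trust (constructed).
const TRUSTED_PROXIES = new Set(['10.0.0.5', '127.0.0.1']);

// Raw value of a header, looked up case-insensitively; undefined if absent.
function header(req, name) {
  const want = name.toLowerCase();
  const key = Object.keys(req.headers || {}).find(k => k.toLowerCase() === want);
  if (key === undefined) return undefined;
  const v = req.headers[key];
  return Array.isArray(v) ? v[0] : String(v);
}

// Public base URL (protocol + host). Forwarded headers are used only when the
// direct peer is a trusted proxy; otherwise the socket protocol and Host header
// are used, which behind a proxy means the internal service name leaks.
function publicBaseUrl(req) {
  const viaTrustedProxy = TRUSTED_PROXIES.has(req.remoteAddress);
  const proto = (viaTrustedProxy && header(req, 'x-forwarded-proto')) || req.protocol || 'http';
  const host = (viaTrustedProxy && header(req, 'x-forwarded-host')) || header(req, 'host');
  if (!host || !/^[\w.\-]+(:\d{1,5})?$/.test(host)) {
    throw new Error('cannot determine a valid host for meta.location');
  }
  if (!/^https?$/.test(proto)) throw new Error('unsupported protocol: ' + proto);
  return proto + '://' + host;
}

// Client address for allow-list checks. With nginx's $proxy_add_x_forwarded_for the
// proxy appends the peer it saw, so the rightmost entry that is not itself a trusted
// proxy is the one the proxy vouches for; entries further left are client-supplied.
function clientIp(req) {
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return req.remoteAddress;
  const hops = (header(req, 'x-forwarded-for') || '').split(',').map(s => s.trim()).filter(Boolean);
  while (hops.length > 1 && TRUSTED_PROXIES.has(hops[hops.length - 1])) hops.pop();
  return hops.length ? hops[hops.length - 1] : req.remoteAddress;
}

// Attach meta.location to a SCIM resource, or omit it when skipMetaLocation is set.
function withMetaLocation(resource, req, options = {}) {
  const out = { ...resource, meta: { ...(resource.meta || {}) } };
  if (options.skipMetaLocation) {
    delete out.meta.location;
    return out;
  }
  out.meta.location = publicBaseUrl(req) + req.path;
  return out;
}

// Constructed sample: a request nginx forwarded to the internal k8s service.
// '198.51.100.1' in X-Forwarded-For was supplied by the client; '203.0.113.10'
// was appended by nginx, whose own address is the pod's remoteAddress.
const sampleReq = {
  remoteAddress: '10.0.0.5',
  protocol: 'http',
  path: '/Users/2819c223-7f76-453a-919d-413861904646',
  headers: {
    host: 'scim-svc.default.svc.cluster.local:8880',
    'x-forwarded-proto': 'https',
    'x-forwarded-host': 'my-company.com',
    'x-forwarded-for': '198.51.100.1, 203.0.113.10',
  },
};

const sampleUser = {
  schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
  id: '2819c223-7f76-453a-919d-413861904646',
  userName: 'bjensen',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(withMetaLocation(sampleUser, sampleReq), null, 2));
  console.log(JSON.stringify(withMetaLocation(sampleUser, sampleReq, { skipMetaLocation: true }), null, 2));
  console.log('client ip for allow list:', clientIp(sampleReq));
}
```

Run with node to see the resource once with an external meta.location (https://my-company.com/Users/...) and once without it. The TRUSTED_PROXIES gate is the part worth keeping: if the service accepted X-Forwarded-Host from any peer, a caller reaching it directly inside the cluster could make it emit arbitrary hostnames in meta.location, and the same applies to X-Forwarded-For and the allow list.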
Is there any way to override the base URL for location in the response metadata? Our scim service is running in a k8s cluster behind a proxy, so the location should be the external endpoint (base URL + path). What we're getting is the internal service URL.