navikt / mock-oauth2-server

A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer)
MIT License

Inconsistent IssuerUrl when setting the Host header #312

Closed andythorne closed 2 years ago

andythorne commented 2 years ago

I'm seeing some strange behaviour affecting the issuer url. When setting the host name to a name that does not contain a port, the issuer url seems to be set to the IP. When any port is included in the header, it uses the port on the supplied host (as you would expect).

Using:

docker network create localnet
docker run --rm --env SERVER_PORT=80 -p80:80 --expose 80 ghcr.io/navikt/mock-oauth2-server:0.5.1
docker run --network localnet --rm --env SERVER_PORT=80 -p80:80 --expose 80 --hostname oauth2 ghcr.io/navikt/mock-oauth2-server:0.5.1

Using oauth2:80, the issuer url is resolved to oauth2:

> docker run --rm --network localnet curlimages/curl:7.84.0 curl -H 'Host: oauth2:80' oauth2/default/.well-known/openid-configuration -s
{
  "issuer" : "http://oauth2/default",
  "authorization_endpoint" : "http://oauth2/default/authorize",
  "end_session_endpoint" : "http://oauth2/default/endsession",
  "token_endpoint" : "http://oauth2/default/token",
  "userinfo_endpoint" : "http://oauth2/default/userinfo",
  "jwks_uri" : "http://oauth2/default/jwks",
  "introspection_endpoint" : "http://oauth2/default/introspect",
  "response_types_supported" : [ "query", "fragment", "form_post" ],
  "subject_types_supported" : [ "public" ],
  "id_token_signing_alg_values_supported" : [ "ES256", "ES384", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512" ]
}

Using the host of the container oauth2, the issuer url is the host name of the client (in this case, the curl container):

> docker run --rm --network localnet curlimages/curl:7.84.0 curl -H 'Host: oauth2' oauth2/default/.well-known/openid-configuration -s
{
  "issuer" : "http://25a6c016521e.localnet/default",
  "authorization_endpoint" : "http://25a6c016521e.localnet/default/authorize",
  "end_session_endpoint" : "http://25a6c016521e.localnet/default/endsession",
  "token_endpoint" : "http://25a6c016521e.localnet/default/token",
  "userinfo_endpoint" : "http://25a6c016521e.localnet/default/userinfo",
  "jwks_uri" : "http://25a6c016521e.localnet/default/jwks",
  "introspection_endpoint" : "http://25a6c016521e.localnet/default/introspect",
  "response_types_supported" : [ "query", "fragment", "form_post" ],
  "subject_types_supported" : [ "public" ],
  "id_token_signing_alg_values_supported" : [ "ES256", "ES384", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512" ]
}

I would expect that specifying the host with no port would produce an Issuer Url of that host!
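As an added example (not code from the issue or from mock-oauth2-server), here is the client-side consistency check that would have flagged the second response above: OpenID Connect Discovery requires the `issuer` value to be identical to the URL the document was fetched from minus the well-known path, and a client should also refuse endpoints that live under a different origin than the issuer. The two discovery documents are constructed from the responses quoted in the report, keeping only the URL fields.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                 "jwks_uri", "end_session_endpoint", "introspection_endpoint")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url: str) -> str:
    """Lower-case the host, drop a default port and a trailing slash, so that
    http://oauth2:80/default and http://oauth2/default/ compare equal."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        netloc = f"{netloc}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path.rstrip("/"), "", ""))


def validate_discovery(fetched_url: str, document: str) -> list:
    """Return the list of problems found; an empty list means the document is
    consistent with the URL it was fetched from (OpenID Connect Discovery 1.0, 4.3)."""
    if not fetched_url.endswith(WELL_KNOWN):
        return [f"not a discovery URL: {fetched_url}"]
    expected = normalize(fetched_url[: -len(WELL_KNOWN)])
    cfg = json.loads(document)
    problems = []
    issuer = cfg.get("issuer", "")
    if normalize(issuer) != expected:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected!r}")
    origin = urlsplit(expected)[:2]          # (scheme, netloc) of the expected issuer
    for key in ENDPOINT_KEYS:
        value = cfg.get(key)
        if value is not None and urlsplit(normalize(value))[:2] != origin:
            problems.append(f"{key} is off-issuer: {value}")
    return problems


# Constructed from the two responses quoted in the report (only the URL fields kept).
DISCOVERY_URL = "http://oauth2/default" + WELL_KNOWN
GOOD = json.dumps({"issuer": "http://oauth2/default",
                   "token_endpoint": "http://oauth2/default/token",
                   "jwks_uri": "http://oauth2/default/jwks"})
BAD = json.dumps({"issuer": "http://25a6c016521e.localnet/default",
                  "token_endpoint": "http://25a6c016521e.localnet/default/token",
                  "jwks_uri": "http://25a6c016521e.localnet/default/jwks"})

if __name__ == "__main__":
    for name, doc in (("Host: oauth2:80", GOOD), ("Host: oauth2", BAD)):
        print(name, "->", validate_discovery(DISCOVERY_URL, doc) or "ok")
```

The same check protects a real client from a Host-header-derived issuer: a document whose issuer or endpoints do not match the URL you actually fetched is rejected before any key is trusted.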

ybelMekk commented 2 years ago

Hello @andythorne! Thanks for opening the issue and thanks for using it :)

I see the issue.

But if I recall the issue from the past, we added an environment variable SERVER_HOSTNAME where you can define the host name; if not set, the standalone server will return the IP, as your debug shows.

docker run --rm --env SERVER_PORT=80 --env SERVER_HOSTNAME=oauth2 -p80:80 --expose 80 ghcr.io/navikt/mock-oauth2-server:0.5.1
docker run --network localnet --rm --env SERVER_PORT=80 --env SERVER_HOSTNAME=oauth2 -p80:80 --expose 80 --hostname oauth2 ghcr.io/navikt/mock-oauth2-server:0.5.1

ybelMekk commented 2 years ago

Update: tried it locally and it seems to crash. Need some more investigation.

ybelMekk commented 2 years ago

@andythorne, have you tried using the --ipv4 flag on curl? Or without the -H 'Host: oauth2'?

ybelMekk commented 2 years ago

No response, closing it for now. Please feel free to reopen if the issue remains.