openanalytics / shinyproxy-operator

Easily run ShinyProxy on a Kubernetes cluster
https://shinyproxy.io
Apache License 2.0

Incorrect redirect_uri with OIDC authentication flow using WSO2 provider #39

Open pythrick opened 1 year ago

pythrick commented 1 year ago

I am using ShinyProxy operator in AWS EKS 1.24 following the 1-namespaced-hpa example. I have integrated an OIDC authentication flow using WSO2 provider, but I am encountering an issue with the redirect_uri generated by ShinyProxy. The redirect_uri is being generated with http schema instead of https, which is causing issues with the WSO2 provider.

I have attempted to resolve this issue by following the suggestions in the ShinyProxy FAQ for Invalid redirect_uri when using OpenID Connect, including injecting X-Forwarded-For and X-Forwarded-Proto custom headers into the skipper-ingress annotations. This did result in the https schema being injected into the redirect_uri, but also caused a :80 port to be injected at the end of the URI. For example: https://my-shinyproxy-url.com:80/oauth2/authorization/shinyproxy

Expected Behavior: The redirect_uri generated by ShinyProxy should have the https schema and should not include a port number.

Environment:

ShinyProxy Operator version: 1.0.0
K8s cluster: AWS EKS 1.24

I would appreciate your assistance in resolving this issue. Thank you!

LEDfan commented 1 year ago

Hi, are you using another load balancer or proxy in front of Skipper? If so, I think you should be able to set up the headers in that proxy (see e.g. for nginx and apache: https://shinyproxy.io/documentation/security/ )

Note that we released the ShinyProxy Operator 2.0.0 last week, this release no longer requires the usage of Skipper. Therefore, it should be easier to deploy everything.

pythrick commented 1 year ago

I had a bad time trying to find the right annotations to put inside docs/deployment/overlays/1-namespaced-hpa/skipper/ingress.yaml, until I figured out that I can set these forwarded headers using params to the skipper CLI command inside docs/deployment/bases/namespaced/skipper-hpa/deployment.yaml, and it fixed my issue:

image

I'll give a try to the new release as well, good to know you're in active development, thanks!
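
Added example, not part of the thread and not ShinyProxy's or Skipper's code: a small diagnostic that rebuilds the external URL from the headers the backend receives and reports which component differs from the URI registered at the identity provider. The reconstruction rules are a simplified model and an assumption, as is the use of `X-Forwarded-Port: 80` as one header combination that produces the `https://...:80` URL quoted in the issue; the hostname and path are the ones from the issue, and the header sets are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def first(value):
    # Forwarded headers may hold a comma-separated chain; take the first entry.
    return value.split(",")[0].strip()

def external_url(headers, path, backend_scheme="http"):
    """Simplified model (an assumption) of a backend that trusts X-Forwarded-*."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = first(h.get("x-forwarded-proto", backend_scheme)).lower()
    host = urlsplit("//" + first(h.get("x-forwarded-host") or h["host"]))
    fwd_port = h.get("x-forwarded-port")
    port = int(first(fwd_port)) if fwd_port else host.port
    # The port is dropped only when it is the default for the effective scheme,
    # so https combined with port 80 stays visible as ":80".
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host.hostname
    else:
        netloc = f"{host.hostname}:{port}"
    return f"{scheme}://{netloc}{path}"

def diagnose(headers, path, registered):
    """Return (built_url, components that differ from the registered URI)."""
    built = external_url(headers, path)
    b, r = urlsplit(built), urlsplit(registered)
    problems = [name for name, got, want in (
        ("scheme", b.scheme, r.scheme),
        ("host", b.hostname, r.hostname),
        ("port", b.port, r.port),
        ("path", b.path, r.path),
    ) if got != want]
    return built, problems

# Constructed header sets; hostname and path are the ones quoted in the issue.
PATH = "/oauth2/authorization/shinyproxy"
REGISTERED = "https://my-shinyproxy-url.com" + PATH
CASES = {
    "no forwarded headers": {"Host": "my-shinyproxy-url.com"},
    "https with port 80": {"Host": "my-shinyproxy-url.com",
                           "X-Forwarded-Proto": "https", "X-Forwarded-Port": "80"},
    "proto and port agree": {"Host": "my-shinyproxy-url.com",
                             "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"},
}

if __name__ == "__main__":
    for name, hdrs in CASES.items():
        print(name, *diagnose(hdrs, PATH, REGISTERED))
```

Comparing the components separately shows whether the scheme header, the port header or the host is the one that still needs to be set at the proxy.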