owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

Changed the RewriteRule #228

Closed d7oc closed 1 year ago

d7oc commented 2 years ago

The RewriteRule with [P] didn't work here, I had to use [R=301,L] to make it work.

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

DeepDiver1975 commented 2 years ago

> The RewriteRule with [P] didn't work here

Did you install and enable mod_proxy? https://httpd.apache.org/docs/current/rewrite/flags.html#flag_p

d7oc commented 2 years ago

Yes, mod_proxy was installed, but it didn't work nevertheless.

DeepDiver1975 commented 2 years ago

Redirect is by definition wrong - the clients will not accept redirect - this has to be done via proxy.

DeepDiver1975 commented 2 years ago

brilliant - docs are different - https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#set-up-service-discovery

need to take a closer look ..... Tuesday ...

d7oc commented 2 years ago

I took a closer look meanwhile as well. Redirection is wrong indeed. Proxy could be working, but you have to switch on SSLProxyEngine if Apache provides SSL as well (at least I found no way to circumvent this). It also feels kind of strange to let Apache proxy to itself; especially with SSL this is also an expensive operation, as SSL re-/encoding happens three times with this proxy rule:

Client -> (here) Apache (here) -> (here) Apache

This makes no sense to me. So I also looked into why I get a redirect even if I try to let Apache rewrite the rule, which would make Apache do the magic internally with:

RewriteRule "^/\.well-known/openid-configuration" "/index.php/apps/openidconnect/config" [L]

It turned out after some investigation, that the redirect comes from oC's php code, not from Apache. With the rewrite rule in Apache I end up here: https://github.com/owncloud/core/blob/843ef709fb7af08fef7b4a03b3cff92b6e5c5367/lib/base.php#L964

This triggers the redirect to index.php/login.

When I check what happens if I use the proxy rule I see that we end up here: https://github.com/owncloud/core/blob/843ef709fb7af08fef7b4a03b3cff92b6e5c5367/lib/base.php#L928.

My question would be: why can't we handle the incoming rewritten Apache rule the same way as the proxy call?

mmattel commented 1 year ago

Ping, any update?

DeepDiver1975 commented 1 year ago

> It turned out after some investigation, that the redirect comes from oC's php code, not from Apache. With the rewrite rule in Apache I end up here: https://github.com/owncloud/core/blob/843ef709fb7af08fef7b4a03b3cff92b6e5c5367/lib/base.php#L964
>
> This triggers the redirect to index.php/login.
>
> When I check what happens if I use the proxy rule I see that we end up here: https://github.com/owncloud/core/blob/843ef709fb7af08fef7b4a03b3cff92b6e5c5367/lib/base.php#L928.
>
> My question would be: why can't we handle the incoming rewritten Apache rule the same way as the proxy call?

I just faced the same: [L] alone basically does nothing in Apache but triggers the PHP code as described by @d7oc. No idea why.

I could only make this whole thing work properly with the existing [P] rule.

vote for closing this PR - redirecting is anyhow wrong ....
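
A check for the behaviour discussed in this thread, as an added example that is not from the PR or the ownCloud project: it requests the discovery URL without following redirects and reports whether the server answered with the document itself or with a redirect. The function names, sample hostnames and sample status codes are assumptions made for illustration.

```python
import http.client
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")  # OIDC Discovery 1.0

def fetch_no_redirect(base_url, timeout=10):
    """GET the discovery document once, without following redirects."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path.rstrip("/") + WELL_KNOWN)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()

def diagnose(status, headers, body):
    """Return a list of findings; an empty list means the endpoint is usable."""
    if 300 <= status < 400:
        location = headers.get("location", "")
        if "index.php/login" in location:
            return ["redirect to index.php/login (the PHP-side redirect from the thread)"]
        return [f"HTTP {status} redirect to {location!r}; clients need the document itself"]
    if status != 200:
        return [f"unexpected HTTP status {status}"]
    findings = []
    if "json" not in headers.get("content-type", "").lower():
        findings.append("Content-Type is not JSON")
    try:
        doc = json.loads(body)
    except ValueError:
        return findings + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return findings + ["body is not a JSON object"]
    return findings + [f"missing field {k!r}" for k in REQUIRED if k not in doc]

# Constructed sample responses (hostnames and status codes are made up).
SAMPLES = {
    "[R=301,L]": (301, {"location": "https://cloud.example.test/index.php/apps/openidconnect/config"}, b""),
    "[L] only": (302, {"location": "https://cloud.example.test/index.php/login"}, b""),
    "[P]": (200, {"content-type": "application/json"}, json.dumps(
        {k: "https://idp.example.test/" + k for k in REQUIRED}).encode()),
}

if __name__ == "__main__":
    for rule, response in SAMPLES.items():
        print(rule, "->", diagnose(*response) or "ok")
```

Against a live server, `diagnose(*fetch_no_redirect("https://your-owncloud-host"))` (placeholder hostname) applies the same checks to the real response.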