Closed TheUncharted closed 1 month ago
I'm getting this too - if I start my OIDC flow by navigating to https://auth.my-app.com/google/authorize
plus the query params, the provider will try to redirect back to the raw lambda url instead of https://auth.my-app.com/google/callback
.
This seems pretty critical if it entirely prevents auth from working with custom domains
We haven't had a chance to work on finishing up auth yet. We'll get to it soon.
this is fixed in v0.0.390 - sst.auth.Router was not setting x-forwarded-for
headers
I found a bug it's related to what i spotted before if you use a router for example with cloudfront for a custom domain name abc.com
Cloudfront will forward the request to the lambda and put the origin instead of the custom domain name : xxxxxxx.lambda-url.eu-west-1.on.aws
Then the call will be on :
https://xxxxxxx.lambda-url.eu-west-1.on.aws/google/authorize?client_id=local&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=token&provider=google'
Then the OIDC adapter will extract the callback url https://xxxxxxx.lambda-url.eu-west-1.on.aws/google/callback and the the cookies will be set with the domain xxxxxxx.lambda-url.eu-west-1.on.aws, the browser won't accept the cookies since its does not come from the custom domain
and the retrieving of auth_state variable in the cookies will fail in the callback
I tested by hardcoding the callback url with my custom domain and it worked.
In SST2 we had this code, but it's not here anymore in Ion const callback = "https://" + useDomainName() + "/callback";
I don't see any information for the custom domain name from hono request
As a temporary solution, maybe we could pass the custom domain in the config object ? if it's present replace it in the url ?
In SST2 cookies are generated
In Ion cookies are blocked