wdonne / traefikoidc

BSD 2-Clause "Simplified" License

Callback URL is empty #3

Closed by russellproud 5 months ago

russellproud commented 5 months ago

Attempting to configure this plugin for use with OIDC via OKTA.

Configuration

Using label configuration via docker-compose on the traefik container. Configuration below.

    - "traefik.http.middlewares.okta-oidc.plugin.traefikoidc.encryptionSecretFile=/oidc/encryption/secret.json"
    - "traefik.http.middlewares.okta-oidc.plugin.traefikoidc.idps[0].providerUrl=https://{mydomain}.okta.com/"
    - "traefik.http.middlewares.okta-oidc.plugin.traefikoidc.idps[0].clientSecretFile=/oidc/client.json"
    - "traefik.http.middlewares.okta-oidc.plugin.traefikoidc.idps[0].name=default"

Enabling the middleware on a container via labels

    - "traefik.http.routers.es-best-practices.middlewares=okta-oidc"

Behaviour

Accessing the service correctly redirects to the Okta OAuth endpoints, though Okta returns a 400 error with the message "Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings:"

Looking at the request URL sent to Okta, redirect_url does not contain the service URL; it is `&redirect_uri=https%3A%2F%2F%2Fcallback`.

It appears that either Traefik is not passing the request URL to the middleware, or it is not being passed correctly in the req within the code.

Expected Behaviour

redirect_url to contain https://myservice.domain.com/callback

wdonne commented 5 months ago

The domain name is delivered by Traefik to the middleware through http.Request.URL.Host. The value for that field comes from the original request. I don't know why in your case that field is empty. I will change it to use the field http.Request.Host instead because the value may also come from the Host header.

russellproud commented 5 months ago

Thanks @wdonne. Let me know if you need any further information. I'll monitor and reload the plugin once the new version is available and test.

russellproud commented 5 months ago

@wdonne I have adjusted the callbackUrl function on line #282 per below and built the plugin locally. This works as expected.

    func callbackUrl(req *http.Request) string {
        return url.QueryEscape("https://" + req.Host + callback)
    }

I don't have permission to push a PR to this repo, was going to attach the change to this ticket. I'll leave that for you to do when you're ready.

wdonne commented 5 months ago

@russellproud Thank you very much for checking it. I have pushed the update. It is in the plugin repository.

Pushing PRs is possible through a fork if you would come across the need again.

wdonne commented 5 months ago

Fixed in v1.0.1.
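The behaviour discussed in this thread, as an added example that is not part of the original issue or the plugin's code: on a server-side request Go leaves `req.URL.Host` empty and puts the Host header in `req.Host`, which yields the `redirect_uri` reported above. The `/callback` value, the sample requests and the `callbackChecked` allowlist helper are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const callback = "/callback" // assumed value of the plugin's constant

// Constructed sample: an origin-form request as a proxy would forward it.
const sample = "GET /app HTTP/1.1\r\nHost: myservice.domain.com\r\n\r\n"

// parse reads a raw request the same way Go's HTTP server does.
func parse(raw string) *http.Request {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		panic(err)
	}
	return req
}

// callbackFromURLHost uses the field the maintainer says was used before the fix.
func callbackFromURLHost(req *http.Request) string {
	return url.QueryEscape("https://" + req.URL.Host + callback)
}

// callbackFromHost is the fix posted in the thread.
func callbackFromHost(req *http.Request) string {
	return url.QueryEscape("https://" + req.Host + callback)
}

// callbackChecked (hypothetical) pins req.Host, which the client supplies,
// to the hosts registered as login redirect URIs at the IdP.
func callbackChecked(req *http.Request, allowed map[string]bool) (string, error) {
	if !allowed[strings.ToLower(req.Host)] {
		return "", fmt.Errorf("host %q is not a registered redirect host", req.Host)
	}
	return callbackFromHost(req), nil
}

func main() {
	req := parse(sample)
	fmt.Println(callbackFromURLHost(req), callbackFromHost(req))
	other := parse("GET / HTTP/1.1\r\nHost: other.example\r\n\r\n")
	_, err := callbackChecked(other, map[string]bool{"myservice.domain.com": true})
	fmt.Println(err)
}
```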