wso2 / product-is


x509 Authenticator port setting overrides server port and proxyPort in URLs #21293

Open daoxxx opened 1 month ago

daoxxx commented 1 month ago

Port configuration of x509 Authenticator transport overrides IS port in all redirect URLs and doesn't honor https' transport proxyPort.

How to reproduce: Configure deployment.toml according to the docs

[transport.https.properties]
proxyPort = 443
[custom_transport.x509.properties]
port="8443"
...
[authentication.authenticator.x509_certificate.parameters]
AuthenticationEndpoint="https://mydomain:8443/x509-certificate-servlet"

In the log file we see:

[2024-10-07 16:18:48,456] []  INFO {org.wso2.carbon.core.transports.http.HttpsTransportListener} - HTTPS port       : 8443
[2024-10-07 16:18:49,757] []  INFO {org.wso2.carbon.ui.internal.CarbonUIServiceComponent} - Mgt Console URL  : https://server:8443/carbon/
[2024-10-07 16:18:49,845] []  INFO {org.wso2.identity.apps.common.internal.AppsCommonServiceComponent} - My Account URL : https://server:8443/myaccount
[2024-10-07 16:18:49,845] []  INFO {org.wso2.identity.apps.common.internal.AppsCommonServiceComponent} - Console URL : https://server:8443/console

All URLs returned by IS now point to this 8443 port instead of the 443 proxyPort setting, e.g. https://mydomain:8443/commonauth. If port 8443 is open on the firewall, authentication works, but such behavior makes the proxyPort setting almost useless and complicates configuration of IS behind a restrictive firewall.

Expected behavior: All URLs should use the https transport's proxyPort (443) setting instead of the custom x509 transport's one (8443): https://server:443/myaccount, https://mydomain:443/commonauth, https://mydomain:443/authenticationendpoint/login.do and so on.

Environment information (Please complete the following information; remove any unnecessary fields):

daoxxx commented 3 weeks ago

This is not a bug. Just a lack of documentation. A custom transport's settings in Tomcat are the same as for the other http and https transports.

Just add the "proxyPort" property in the custom_transport section:

[custom_transport.x509.properties]
port="8443"
proxyPort = 443
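A small deployment.toml lint that flags exactly the misconfiguration in this thread: a custom transport whose proxyPort is missing or differs from the https transport's. This is an added example, not WSO2 code; the URL-building rule it applies (use proxyPort when set, otherwise the listener port) is an assumption modelled on the behaviour reported above, and both TOML samples are constructed from the snippets in the thread.

```python
try:
    import tomllib  # Python 3.11+
except ImportError:  # fallback for older interpreters
    import tomli as tomllib

# Constructed samples: the reporter's original config and the fixed one.
BROKEN_TOML = """
[transport.https.properties]
proxyPort = 443
[custom_transport.x509.properties]
port="8443"
"""

FIXED_TOML = """
[transport.https.properties]
proxyPort = 443
[custom_transport.x509.properties]
port="8443"
proxyPort = 443
"""


def _custom_props(cfg: dict, name: str) -> dict:
    return cfg.get("custom_transport", {}).get(name, {}).get("properties", {})


def check_custom_transports(toml_text: str) -> list[str]:
    """One finding per custom transport whose proxyPort is absent or does not
    match transport.https.properties.proxyPort; an empty list is a clean config."""
    cfg = tomllib.loads(toml_text)
    https_proxy = cfg.get("transport", {}).get("https", {}).get("properties", {}).get("proxyPort")
    findings = []
    for name in cfg.get("custom_transport", {}):
        props = _custom_props(cfg, name)
        port, proxy = props.get("port"), props.get("proxyPort")
        if proxy is None:
            findings.append(f"custom_transport.{name}: no proxyPort; URLs will carry listener port {port}")
        elif https_proxy is not None and str(proxy) != str(https_proxy):
            findings.append(f"custom_transport.{name}: proxyPort {proxy} differs from https proxyPort {https_proxy}")
    return findings


def public_url(toml_text: str, transport: str, host: str, path: str) -> str:
    """Assumed rule: generated URLs use proxyPort if set, else the listener port."""
    props = _custom_props(tomllib.loads(toml_text), transport)
    port = props.get("proxyPort", props.get("port"))
    return f"https://{host}:{port}{path}"
```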