wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

oauth2/authorize always redirects to 127.0.0.1 if the server is behind a proxy #6442

Open tonny1983 opened 4 years ago

tonny1983 commented 4 years ago

Environment

Background

The identity server is running on all its default ports, and there is an nginx proxy redirecting incoming https (443) requests to 9443. The nginx has a certificate and a domain name (<mydomain>). A service provider is configured, which has OAuth/OpenID Connect for Inbound Authentication. All of the server's configuration has been done according to the document.

Question

When an application tries to access https://<mydomain>/oauth2/authorize?response_type=code&client_id=xxxxxx....., the URL redirects to https://127.0.0.1/authenticationendpoint/login.do?client_id=xxxxxxx....... However, the correct one should be https://<mydomain>/authenticationendpoint/login.do?client_id=xxxxxxx.......

Issue

There is a discussion about this question on Stack Overflow, which says that the protocol, domain name and port must be added to the value of AuthenticationEndpointURL in identity/application-authentication.xml. This solution is not shown in the document; is it the right one?

darshanasbg commented 4 years ago

Seems like URL rewriting is not taking effect at the LB level.

Could you please double-check whether you have the following configuration at the Nginx level.

    location /authenticationendpoint/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://ssl.nginx.com/authenticationendpoint/;
        proxy_redirect https://z.z.z.z:9443/authenticationendpoint/ https://nginx.mycomp.org/authenticationendpoint/;
        proxy_redirect https://server x.x.x.x:9yyy/authenticationendpoint https://nginx.mycomp.org/authenticationendpoint;
    }

This has been listed in [1], under step 2 in the section "Nginx configuration with exposing /oauth2, /commonauth, and other endpoints". (You have to click and expand that section to see the details.)

[1] https://docs.wso2.com/display/IS570/Setting+Up+Deployment+Pattern+1#SettingUpDeploymentPattern1-Frontingwithaloadbalancer(Nginx)

tonny1983 commented 4 years ago

I can confirm there is the same configuration in nginx:

    location /authenticationendpoint/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://127.0.0.1:9443/authenticationendpoint/;
        proxy_redirect https://127.0.0.1:9443/authenticationendpoint/ https://<mydomain>/authenticationendpoint/;
        proxy_redirect https://127.0.0.1:9443/authenticationendpoint https://<mydomain>/authenticationendpoint;
    }

Furthermore, I'm afraid the mentioned document is for a load-balancer case; however, I just run the identity server standalone behind a proxy.
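To see why the proxy_redirect rules quoted above can leave a Location header untouched, here is an added model of nginx's prefix-based Location rewriting (example code, not from the issue, WSO2 or nginx) run against the quoted rules and the redirect reported in the question. It assumes example.invalid stands in for <mydomain>, and that /oauth2/ requests are served by a separate location block without proxy_redirect rules of its own.

```python
# Added example (not from the issue, WSO2 or nginx): a minimal model of how
# nginx's proxy_redirect rewrites the Location header of a proxied response.
# Assumptions: example.invalid stands in for <mydomain>, and /oauth2/ is
# served by its own location block without proxy_redirect rules (its default
# rule would only cover the https://127.0.0.1:9443/oauth2/ prefix anyway).
from urllib.parse import urlsplit

# Rules per location block, taken from the config quoted in the thread.
LOCATIONS = {
    "/authenticationendpoint/": [
        ("https://127.0.0.1:9443/authenticationendpoint/",
         "https://example.invalid/authenticationendpoint/"),
        ("https://127.0.0.1:9443/authenticationendpoint",
         "https://example.invalid/authenticationendpoint"),
    ],
    "/oauth2/": [],
}

def match_location(request_path):
    """nginx picks the longest prefix location matching the request path."""
    hits = [p for p in LOCATIONS if request_path.startswith(p)]
    return max(hits, key=len) if hits else None

def proxy_redirect(request_path, location_header):
    """Rewrite a backend Location header the way nginx would for this request:
    only the rules of the block that proxied the request apply, matching is a
    plain string-prefix test, and the first matching rule wins."""
    block = match_location(request_path)
    for upstream_prefix, public_prefix in LOCATIONS.get(block, []):
        if location_header.startswith(upstream_prefix):
            return public_prefix + location_header[len(upstream_prefix):]
    return location_header

def leaks_internal_host(location_header, internal=("127.0.0.1", "localhost")):
    """Defender check: does the redirect still expose the backend address?"""
    return urlsplit(location_header).hostname in internal

# Constructed sample redirects. The third is the form reported in the issue:
# no :9443, so neither quoted rule's prefix can match it.
SAMPLES = [
    ("/authenticationendpoint/login.do",
     "https://127.0.0.1:9443/authenticationendpoint/login.do?client_id=x"),
    ("/oauth2/authorize",
     "https://127.0.0.1:9443/authenticationendpoint/login.do?client_id=x"),
    ("/authenticationendpoint/login.do",
     "https://127.0.0.1/authenticationendpoint/login.do?client_id=x"),
]

if __name__ == "__main__":
    for path, loc in SAMPLES:
        out = proxy_redirect(path, loc)
        print(f"{path}: {out} {'LEAK' if leaks_internal_host(out) else 'ok'}")
```

Only the first sample is rewritten; the 302 issued on the /oauth2/authorize request and the port-less Location both pass through unchanged, which is one reason to check the Location header of each proxied endpoint rather than only the authenticationendpoint block.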