wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

oauth2/authorize always redirect to 127.0.0.1 if the server behind a proxy #6442

Closed tonny1983 closed 2 weeks ago

tonny1983 commented 5 years ago

Environment

Background The identity server is running on all its default ports, and there is an nginx proxy forwarding incoming https (443) requests to 9443. The nginx has got a certificate and a domain name (< mydomain >). A service provider is configured, which has got OAuth/OpenID Connect for Inbound Authentication. All of the server's configuration has been done according to the document.

Question When an application tries to access https://<mydomain>/oauth2/authorize?response_type=code&client_id=xxxxxx....., the URL redirects to https://127.0.0.1/authenticationendpoint/login.do?client_id=xxxxxxx....... However, the correct one should be https://<mydomain>/authenticationendpoint/login.do?client_id=xxxxxxx.......

Issue There is a discussion about the question on Stack Overflow which says that one must add the protocol, domain name and port to the value of AuthenticationEndpointURL in identity/application-authentication.xml. That solution does not appear in the document; should it be the right one?

darshanasbg commented 5 years ago

Seems like the URL rewriting is not getting applied at the LB level.

Could you please double-check whether you have the following configuration at the Nginx level.

    location /authenticationendpoint/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass https://ssl.nginx.com/authenticationendpoint/;
        proxy_redirect https://z.z.z.z:9443/authenticationendpoint/ https://nginx.mycomp.org/authenticationendpoint/;
        proxy_redirect https://x.x.x.x:9yyy/authenticationendpoint https://nginx.mycomp.org/authenticationendpoint;
    }

This has been listed in [1], under step 2 in the section "Nginx configuration with exposing /oauth2, /commonauth, and other endpoints". (You have to click and expand that section to get the details.)

[1] https://docs.wso2.com/display/IS570/Setting+Up+Deployment+Pattern+1#SettingUpDeploymentPattern1-Frontingwithaloadbalancer(Nginx)

tonny1983 commented 5 years ago

I can confirm there is the same configuration in nginx, like:

location /authenticationendpoint/ {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_read_timeout 5m;
    proxy_send_timeout 5m;
    proxy_pass https://127.0.0.1:9443/authenticationendpoint/;
    proxy_redirect https://127.0.0.1:9443/authenticationendpoint/ https://<mydomain>/authenticationendpoint/;
    proxy_redirect https://127.0.0.1:9443/authenticationendpoint https://<mydomain>/authenticationendpoint;
}

Furthermore, I'm afraid the mentioned document is for a load-balancer case, whereas I just run the identity server standalone behind a proxy.
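The two comments above both rely on nginx's `proxy_redirect` to rewrite the `Location` header of the 302 that the identity server sends back. Two details of that directive decide whether the rewrite fires: it is a plain prefix replacement on the header value, and it belongs to the `location` block that served the request, so rules placed under `location /authenticationendpoint/` do nothing for a response to `/oauth2/authorize`. The following is an added example, not code from WSO2 or nginx, that models just those two rules so the two configurations in the thread can be compared offline. The `/oauth2/` block's own directives are not shown in the thread, so the model assumes it carries no `proxy_redirect` of its own; `idp.example.test` stands in for `<mydomain>`, and the `Location` values are constructed from the URLs quoted in the question.

```python
# Added example (not WSO2 or nginx code): a small model of how nginx's
# proxy_redirect rewrites the Location header of a proxied redirect.
# Hostnames, ports and paths come from the thread; the location blocks
# and rule sets are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Location:
    """One nginx `location <prefix> { ... }` block and its proxy_redirect rules."""
    prefix: str
    redirects: list[tuple[str, str]] = field(default_factory=list)  # (old, new)


def select_location(locations, request_path):
    """Longest-prefix match, as nginx does for plain prefix locations."""
    matches = [loc for loc in locations if request_path.startswith(loc.prefix)]
    return max(matches, key=lambda loc: len(loc.prefix)) if matches else None


def rewrite_location_header(locations, request_path, upstream_location):
    """Apply the first matching proxy_redirect of the block that served the request.

    proxy_redirect replaces a prefix of the Location value. Rules defined in a
    different location block are not consulted for this response.
    """
    loc = select_location(locations, request_path)
    if loc is None:
        return upstream_location
    for old, new in loc.redirects:
        if upstream_location.startswith(old):
            return new + upstream_location[len(old):]
    return upstream_location


MYDOMAIN = "idp.example.test"  # assumption: stands in for <mydomain>
LOGIN = "/authenticationendpoint/login.do?client_id=xxxxxx"

# The configuration as posted: only /authenticationendpoint/ has rewrite rules;
# the /oauth2/ block is assumed to have none.
AS_POSTED = [
    Location("/oauth2/"),
    Location("/authenticationendpoint/", [
        ("https://127.0.0.1:9443/authenticationendpoint/",
         f"https://{MYDOMAIN}/authenticationendpoint/"),
    ]),
]

# Same rules, plus a rewrite attached to the block that serves /oauth2/authorize.
WITH_OAUTH2_RULE = [
    Location("/oauth2/", [("https://127.0.0.1:9443/", f"https://{MYDOMAIN}/")]),
    AS_POSTED[1],
]


def demo():
    """Return the Location a browser would see in three situations."""
    upstream = "https://127.0.0.1:9443" + LOGIN
    return {
        # Request hit /oauth2/, whose block has no rule: 127.0.0.1 leaks through.
        "as_posted": rewrite_location_header(AS_POSTED, "/oauth2/authorize", upstream),
        # Rule present on the serving block: rewritten to the public host.
        "with_oauth2_rule": rewrite_location_header(WITH_OAUTH2_RULE, "/oauth2/authorize", upstream),
        # The question's observed URL has no port; a rule naming :9443 never matches it.
        "no_port": rewrite_location_header(WITH_OAUTH2_RULE, "/oauth2/authorize", "https://127.0.0.1" + LOGIN),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical check that goes with this is to ask the backend directly what it emits before nginx touches it, for example `curl -sk -o /dev/null -D - 'https://127.0.0.1:9443/oauth2/authorize?response_type=code&client_id=...' | grep -i '^location'`, and then to make sure the exact prefix of that value appears in a `proxy_redirect` on every location block that can return it. A redirect that still points at 127.0.0.1 both breaks the OIDC flow and discloses the internal bind address to clients. If the server is configured to emit the public hostname itself, which is what the AuthenticationEndpointURL suggestion in the question amounts to, the flow no longer depends on the proxy rewriting anything.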

isharak commented 2 weeks ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!