New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution #23023
Comments
@vmuzikar @vietj I think this could be considered a regression. It does appear that most consider the port specified in the X-Forwarded-Host as taking prescedence, and since that was the prior behavior it likely should have remained. @coro what is responsible for the conflict in the headers? It seems like if host is being populated with a port, then the forwarded port header should be omitted. |
This is related if not a duplicate: #23431 |
I would not consider this a duplicate of #23431. Sure, that issue will deprecate the original proxy option which this issue is about. However, the proxy option will still be around for a while and any change in behaviour should've been captured in upgrading guide. Or possibly it's really a bug in Vert.x. |
Also the new option does not resolve the of the priority between X-Forwarded-Host and X-Forwarded-Port, only the choice between forwarded and x-forwarded. |
@shawkins thanks for looking at this. In our case, we had an ALB exposing a route on port 80, adding the I agree it's arguably a regression, though we also arguably shouldn't have been relying on the implicit ordering of those |
Moving over to the core to assess further. |
There is also an issue on the Quarkus side about this: quarkusio/quarkus#35751 |
@shawkins Proxy headers handling belongs more to the Cloud Native team as it's based on Quarkus. :) |
@vmuzikar ok, my misunderstanding. Then we'll need @vietj or others from quarkus / vertx to weigh in on whether this can be treated as a regression. @sschu I don't see x-forwarded-host nor port mentioned in quarkusio/quarkus#35751 |
@shawkins True. I just brought it up because it is related, not necessarily the same. |
To resolve this issue we agreed to document this in the migration guide and create an upstream discussion on the handling: quarkusio/quarkus#38032 |
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: #23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Signed-off-by: Kamontat Chantrachirathumrong <14089557+kamontat@users.noreply.github.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>
closes: keycloak#23023 Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Before reporting an issue
Area
oidc
Describe the bug
Upon upgrading from KC 10 to KC 21, we noticed a breaking change in how Keycloak prioritises X-Forwarded-* headers, when behind a reverse proxy and reporting OIDC config via the
.well-known/openid-configuration
endpoint. Specifically, if there is a conflict between the port specified inX-Forwarded-Port
andX-Forwarded-Host
.In Wildfly, the
X-Forwarded-Host
header takes priority over theX-Forwarded-Port
header (source)In Quarkus, the opposite is true (source)
You can see that the
X-Forwarded-Port
header has effectively removed the desired port 9090. In our case this was because our ALB was adding this header on requests to the OIDC endpoint, thus resulting in a token endpoint that was on an unreachable port as of Quarkus.Version
21.1.2
Expected behavior
Priority to follow something like Jetty's ForwardedRequestCustomizer, i.e. in order:
Actual behavior
(omitting some for clarity)
How to Reproduce?
See 'Describe the bug'. I reproduced this on v10.0.2 for the Wildfly distribution, and v21.1.2 and nightly for the Quarkus distribution, with:
Anything else?
I don't believe there's an established standard for the order of priority of the non-standard X-Forwarded-* headers, but I think it would be useful to clarify the current expected order of these in the proxy guides, as well as listed as a breaking change on the Quarkus migration guide.
The text was updated successfully, but these errors were encountered: