Login page shows error 400 when hosted on a non-standard port #7563

Closed
poscat0x04 opened this issue Oct 23, 2023 · 4 comments
@poscat0x04

Describe the bug

Signin page shows error 400 when hosted on a non-standard port.

Steps to reproduce

Steps to reproduce the behavior:

  1. Install binary release, disable built-in tls
  2. Configure nginx to listen on ports other than 443 and proxy to ocis
  3. Open the webpage in browser (ideally in chrome)

Expected behavior

There should be no error.

Actual behavior

Cannot log in.

Setup

Irrelevant

Additional context

Corresponding error log:

WRN rejecting identifier HTTP request error="origin does not match request URL" host=own.poscat.moe line=github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50 origin=https://own.poscat.moe:8443 referer=https://own.poscat.moe:8443/signin/v1/identifier?client_id=web&code_challenge=A9SqOyxCR6XuhoUoGTtc7pjcFmpcn1CD_dDg1qXqtMM&code_challenge_method=S256&flow=oidc&redirect_uri=https%3A%2F%2Fown.poscat.moe%3A8443%2Foidc-callback.html&response_mode=query&response_type=code&scope=openid+profile+email&state=8231e81eaa774580b7d2506c4d9caa0a service=idp user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.61"


request (copy as curl):

curl 'https://own.poscat.moe:8443/signin/v1/identifier/_/hello' \
  -H 'authority: own.poscat.moe:8443' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7' \
  -H 'content-type: application/json' \
  -H 'dnt: 1' \
  -H 'kopano-konnect-xsrf: 1' \
  -H 'origin: https://own.poscat.moe:8443' \
  -H 'referer: https://own.poscat.moe:8443/signin/v1/identifier?client_id=web&code_challenge=96ROMmfCSMhtuLUJJHFvZKvAN03XrWIAOxLDJ3qWOlk&code_challenge_method=S256&flow=oidc&redirect_uri=https%3A%2F%2Fown.poscat.moe%3A8443%2Foidc-callback.html&response_mode=query&response_type=code&scope=openid+profile+email&state=2cbc419d87a1444a83dccaa2c343c11b' \
  -H 'sec-ch-ua: "Chromium";v="118", "Microsoft Edge";v="118", "Not=A?Brand";v="99"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.57' \
  --data-raw '{"scope":"openid profile email","client_id":"web","redirect_uri":"https://own.poscat.moe:8443/oidc-callback.html","flow":"oidc","state":"d1dfb7b7edcc7a00"}' \
  --compressed

I'm fairly sure this is caused by net/url's Parse returning host:port in its Host field, which causes this condition to fail.
If you remove the :8443 from the origin and referer header in the curl command the response code will actually be 200.

@poscat0x04 (Author)

Update: it appears that this is caused by this line in my nginx.conf:

proxy_set_header Host $host;

Which strips the port part from the original Host header. This can be fixed by changing it to:

proxy_set_header Host $host:$server_port;

Now I'm not sure whether or not this is a bug.

@micbar (Contributor)

micbar commented Oct 23, 2023

Thanks for posting it.

Reverse proxy config is always considered "outside" of ocis. But good to know. The ocis built in IdP has a check for the domain match. It can only be run exactly on the same domain.

For other setups I recommend using Keycloak, as in the deployment examples.

@micbar micbar closed this as completed Oct 23, 2023
@micbar (Contributor)

micbar commented Oct 23, 2023

@mmattel FYI

@ruifeng96150

ruifeng96150 commented Dec 4, 2023

I fixed it by adding an nginx setting.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ocis.example.com;

    ssl_certificate conf.d/ca/fullchain.pem;
    ssl_certificate_key conf.d/ca/cert.key;

    location / {
        proxy_pass https://192.168.3.99:9200/;
        proxy_set_header Host $host;
        proxy_set_header Origin https://ocis.example.com;  # add this line
    }
}
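To make the failure mode in this thread concrete, the following Go program models the Origin-versus-Host comparison the reporter describes (url.Parse keeps "host:port" in URL.Host, so the two strings must match byte for byte) and runs it against the three nginx header rewrites discussed above: `Host $host` (the original, broken config), `Host $host:$server_port` (the reporter's fix) and `Host $host` plus a forced `Origin` (ruifeng96150's fix). It is an added example written for this page, not the ocis or konnect source, and it does not claim the real IdP compares exactly this way. Assumptions are marked in comments: the hostname is taken from the quoted log line, the browser is assumed to include the port in Host and Origin only when it is not the default 443, and a fourth variant using nginx's `$http_host` (the Host header exactly as the client sent it) is included for comparison although nobody in the thread suggested it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrOriginMismatch is the rejection modelled here; the wording matches the
// log line quoted in the issue. This file is an added illustration, not the
// ocis or konnect source.
var ErrOriginMismatch = errors.New("origin does not match request URL")

// proxiedRequest holds the two headers the comparison depends on, as they
// arrive at the IdP after passing through the reverse proxy.
type proxiedRequest struct {
	Host   string // Host header as forwarded by nginx
	Origin string // Origin header as forwarded by nginx
}

// checkOrigin compares the Origin header with the request Host the way the
// reporter describes: url.Parse leaves "host:port" in URL.Host, so the two
// strings must be identical, port included. (Model of the check, not the
// real implementation.)
func checkOrigin(r proxiedRequest) error {
	o, err := url.Parse(r.Origin)
	if err != nil {
		return fmt.Errorf("parsing origin %q: %w", r.Origin, err)
	}
	if o.Host != r.Host {
		return fmt.Errorf("%w: origin host %q, request host %q",
			ErrOriginMismatch, o.Host, r.Host)
	}
	return nil
}

// browserHeaders models what a browser sends for a page served at
// https://<hostname>[:<port>]. Assumption: both Host and Origin carry the
// port only when it is not the default 443.
type browserHeaders struct {
	Host   string
	Origin string
}

func browserFor(hostname string, port int) browserHeaders {
	authority := hostname
	if port != 443 {
		authority = fmt.Sprintf("%s:%d", hostname, port)
	}
	return browserHeaders{Host: authority, Origin: "https://" + authority}
}

// proxyVariant selects which nginx snippet to model.
type proxyVariant int

const (
	hostOnly       proxyVariant = iota // proxy_set_header Host $host;
	hostAndPort                        // proxy_set_header Host $host:$server_port;
	originOverride                     // Host $host; plus Origin https://<hostname>; (ruifeng96150)
	rawHost                            // proxy_set_header Host $http_host; (added here, not from the thread)
)

// applyProxy rewrites the browser's headers the way each nginx directive does:
// $host is the request host name without port, $server_port is the port nginx
// accepted the connection on, and $http_host is the client's Host header as sent.
func applyProxy(v proxyVariant, hostname string, serverPort int, b browserHeaders) proxiedRequest {
	switch v {
	case hostAndPort:
		return proxiedRequest{Host: fmt.Sprintf("%s:%d", hostname, serverPort), Origin: b.Origin}
	case originOverride:
		// The IdP never sees the browser's real Origin in this variant.
		return proxiedRequest{Host: hostname, Origin: "https://" + hostname}
	case rawHost:
		return proxiedRequest{Host: b.Host, Origin: b.Origin}
	default: // hostOnly
		return proxiedRequest{Host: hostname, Origin: b.Origin}
	}
}

// outcome runs one scenario end to end and reports whether the modelled IdP
// check would accept it.
func outcome(v proxyVariant, hostname string, port int) error {
	return checkOrigin(applyProxy(v, hostname, port, browserFor(hostname, port)))
}

func main() {
	names := map[proxyVariant]string{
		hostOnly: "Host $host", hostAndPort: "Host $host:$server_port",
		originOverride: "Host $host + fixed Origin", rawHost: "Host $http_host",
	}
	// Hostname taken from the issue's log line; nothing is sent over the network.
	for _, port := range []int{8443, 443} {
		for v := hostOnly; v <= rawHost; v++ {
			result := "accepted"
			if err := outcome(v, "own.poscat.moe", port); err != nil {
				result = err.Error()
			}
			fmt.Printf("port %d, %-26s -> %s\n", port, names[v], result)
		}
	}
}
```

Two things the model makes visible that the thread only implies. First, under a strict string comparison `Host $host:$server_port` would itself be rejected on port 443, because the browser omits the default port from Origin while nginx appends `:443` to Host; forwarding `$http_host` avoids both problems because it passes the Host header through unchanged. Second, forcing a fixed `Origin` makes the check pass only because the IdP no longer sees the browser's real Origin at all, so whatever cross-origin protection the comparison was providing is no longer in effect. Whether the real IdP normalises default ports is not established by this thread, so verify against your own deployment.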
