Why I've got the not correct redirect_url on OAuth2

[aikeep]

When I use OAuth2, I will be redirected to /oauth/authorize? By 302 Code after successful login, and then I can access the protected resources after verification, which seems to be no problem under HTTP request, but when I use HTTPS in the production environment, the redirected link becomes /oauth/authorize?client_id=blog-system&redirect_uri=http://blog.minbb.cn:443/login&response_type=code&state=t5flq0, in which the redirect uri should be https://blog.minbb.cn, because I have configured this in the database.
Which leads to the error of OAuth Error error="invalid_request", error_description="Invalid redirect: http://blog.minbb.cn:443/login does not match one of the registered values.".And the system of the production environment implements HTTPS through nginx. I want to know /oauth/authorize? How to get the parameter splicing later, and why the wrong jump URL splicing occurs?

[mengelbrecht]

Are you running your application behind a load balancer which does ssl termination and forwards the request as http instead of https to your application?
If so, the load balancer typically passes the original protocol in the X-Forwarded-Proto header.
You can tell Spring Boot (when you are using the embedded Tomcat) to respect this header by setting the following property:

server.tomcat.protocol-header=x-forwarded-proto

This way the redirect uri should include https instead of http.

[rwinch]

I agree with @mengelbrecht. It sounds as though you are using SSL termination and need to setup X-Forwarded headers properly. See https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-behind-a-proxy-server if you are using Spring Boot and https://docs.spring.io/spring-security/site/docs/5.3.0.RELEASE/reference/html5/#http-proxy-server otherwise

[aikeep]

@mengelbrecht I'm using Nginx to proxy the application, and I've configured Nginx property

proxy_redirect   http:// https://;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;

I'm using Undertow container to run the application with http port, then through the Nginx to proxy https port.

[aikeep]

@mengelbrecht You're right for your suggestion. I try to use the Tomcat container and configure the server.tomcat.protocol-header=x-forwarded-proto attributes in the configuration file. Then I got the correct redirect URI, like https://sso/oauth/authorize?client_id=blog-system&redirect_uri=https://blog/login&response_type=code&state=f03y3Z. According to the process of OAuth2, this URL will use 303 to redirect to https://blog/login?code=UyJTrK&state=f03y3Z. But at this time, the redirect URL will be 401 unauthorized error occurred. When I use HTTP protocol, everything is normal. Use code and state to visit https://blog/login?code=UyJTrK&state=f03y3Z in exchange for ticket, and then I should jump to the protected resource URL normally. Is it the HTTP to HTTPS proxy that caused the session to change? I'm confused.

[mengelbrecht]

@Wang-Yumin I think you can continue using undertow when using the following property:

server.forward-headers-strategy=native

Regarding the other issue, I think this question might be better suited for Stack Overflow as this issue tracker is primarily used for bugs or enhancements (please correct me if I am wrong @rwinch)

[aikeep]

@mengelbrecht Thank you very much. If I solve this problem, I will update the solution.