OIDC Redirect URI incorrect behind reverse proxy #404
Comments
Same thing happening for SAML2: /saml/metadata.xml contains AssertionConsumerService Location="http://..." and IdP then complains about invalid redirect uri. DISABLE_HTTPS is set to true, and reverse proxy is configured to provide X-Forwarded-Proto $scheme.
Does this fix it for you? #403
I can't replicate it, and I'm behind RP too... Any way I can try?
I don't think it's a proper fix, but I found a workaround: adding
Relevant documentation: https://python-social-auth.readthedocs.io/en/latest/configuration/settings.html
@maltokyo It doesn't seem to be a CSRF problem; clients that still have a valid SAML token are using the service just fine. Only clients without a token or with expired tokens cannot log in. It is only the login flow that fails. @jeehoonkang setting this variable moved me further: now the IdP doesn't complain anymore about an invalid redirect uri, the /saml/metadata.xml does point to https:// and not http://, but zulip complains now:
For some reason (probably the same reason it put http into the metadata in the first place), it still considers the incoming request to be http. My config in docker-compose.yml is:
and then the relevant bits from settings.py:
the nginx config for zulip is:
I've put in both X-Forwarded-Proto and X-Forwarded-Protocol; the first one is in the zulip docs, the second one in the wiki here, for docker-zulip; neither makes a difference. As you can see in the nginx config, the reverse proxy listens only on port 443. It is not available over 80/http at all.
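To make the mechanism in the comment above concrete, here is an added example (my own code, not Zulip's, Django's or python-social-auth's) that re-implements the scheme decision a Django-style app makes behind a TLS-terminating proxy and shows how that decision ends up in an advertised absolute URL such as the OIDC redirect_uri or the SAML AssertionConsumerService Location. The setting names are modelled on Django's `SECURE_PROXY_SSL_HEADER` and python-social-auth's `SOCIAL_AUTH_REDIRECT_IS_HTTPS`; the host name and the WSGI environ dicts are constructed sample input, and the assumption that the override simply forces the scheme is mine.

```python
"""Added example: how a proxied app decides http vs https and why the
X-Forwarded-Proto header alone changes nothing unless the app is told
to trust it. Modelled on Django's request.is_secure() and on the
python-social-auth override; not the real implementations."""

from urllib.parse import urlunsplit

# Django-style setting: (WSGI environ key, expected value). The header
# X-Forwarded-Proto arrives in the environ as HTTP_X_FORWARDED_PROTO.
DJANGO_STYLE_PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(environ, secure_proxy_ssl_header=None):
    """Return True if the request should be treated as HTTPS.

    The request is secure if the WSGI layer itself terminated TLS, or,
    only when a proxy header setting is configured, if that exact header
    carries the expected value. Any other header (e.g. X-Forwarded-Protocol)
    is ignored, which is why sending both headers does not help.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if secure_proxy_ssl_header is not None:
        header_key, expected = secure_proxy_ssl_header
        if environ.get(header_key) == expected:
            return True
    return False


def advertised_uri(environ, path, secure_proxy_ssl_header=None,
                   redirect_is_https=False):
    """Build the absolute URL the app would hand to an IdP (redirect_uri,
    ACS Location). `redirect_is_https` stands in for an application-level
    override like SOCIAL_AUTH_REDIRECT_IS_HTTPS (assumed to force https)."""
    secure = redirect_is_https or is_secure(environ, secure_proxy_ssl_header)
    scheme = "https" if secure else "http"
    return urlunsplit((scheme, environ["HTTP_HOST"], path, "", ""))


# Constructed sample requests (hostname is an assumption).
# 1. nginx terminated TLS and forwarded over plain HTTP with the right header.
PROXIED = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "zulip.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}
# 2. Same, but only the non-standard X-Forwarded-Protocol header was sent.
WRONG_HEADER_ONLY = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "zulip.example.com",
    "HTTP_X_FORWARDED_PROTOCOL": "https",
}
# 3. A client that reached the app port directly and forged the header.
SPOOFED_DIRECT = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "zulip.example.com",
    "HTTP_X_FORWARDED_PROTO": "https",
}


def demo():
    """Return the four URLs discussed in the thread, in order."""
    return (
        # header present, app not told to trust it -> http:// (the bug)
        advertised_uri(PROXIED, "/complete/oidc/"),
        # header present and trusted -> https://
        advertised_uri(PROXIED, "/complete/oidc/", DJANGO_STYLE_PROXY_HEADER),
        # wrong header name, even with the setting -> still http://
        advertised_uri(WRONG_HEADER_ONLY, "/saml/metadata.xml",
                       DJANGO_STYLE_PROXY_HEADER),
        # explicit override -> https:// regardless of headers
        advertised_uri(WRONG_HEADER_ONLY, "/saml/metadata.xml",
                       redirect_is_https=True),
    )


if __name__ == "__main__":
    for url in demo():
        print(url)
```

The third sample request is the caveat: once the app trusts `X-Forwarded-Proto`, a client that can reach the app port directly can forge it, so the proxy must always overwrite the header and the app port must not be exposed except through the proxy. The override approach (forcing https for redirects) avoids that trust question but does not make `is_secure()` true for the rest of the request handling, which is consistent with the app still treating the request as http after the override was set.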
The fundamental error here is the same as #403 --
Since it's the same underlying issue, I'm going to resolve this issue and we can continue the discussion on #403.
After an upgrade to Zulip 7.0, the redirect URI is now being passed to the IdP as "http://" rather than "https://", so our OIDC (which requires using HTTPS) throws back an error.
DISABLE_HTTPS is set to true in the docker-compose, as it's behind a reverse proxy. This error didn't occur in Zulip 6... Not sure if this can be overridden in a config file?