fusionauth-issues icon indicating copy to clipboard operation
fusionauth-issues copied to clipboard
verified publisher icon FusionAuth

Forbidden Error Encountered When Login Attempted from http://we.dev.localtest.me URL

Open tiksn opened this issue 1 year ago • 1 comments

What happened?

Summary

When attempting to log in from my application hosted on http://we.dev.localtest.me:4211/, an HTTP 403 Forbidden error is encountered. However, the redirection from http://localhost:4211/ works as expected.

Caveat we.dev.localtest.me resolves to 127.0.0.1. localtest.me is a special domain that resolves to A=127.0.0.1 and AAAA = ::1. It is a convenient way to test a multi-tenant application locally.

Steps to Reproduce: (My Local Setup)

  1. Create tenant
  2. Create an application for that tenant.
  3. Configure Authorized origins and Authorized redirects to contain http://localhost:4211 and http://we.dev.localtest.me:4211 (4211 is a port that UI is hosted on)
  4. Navigate to http://localhost:4211 and click login.
  5. It redirects to http://localhost:9011/ (FusionAuth also running in docker).
  6. Type the email and password from one of the users.
  7. Redirects back to http://localhost:4211.
  8. Navigate to http://we.dev.localtest.me:4211 and click login.
  9. It redirects to http://localhost:9011/ with status code 403 Forbidden.

Expected Result:

Login from http://we.dev.localtest.me:4211 should work identically to http://localhost:4211.

Actual Result:

FusionAuth fails to redirect back to http://we.dev.localtest.me:4211. It results in HTTP 403.

Additional Information:

Proposed Solution:

Environment variable that allows insecure redirects (redirect to HTTP instead of HTTPS only)

Notes

Nothing is logged in docker console during the HTTP 403 error.

Version

1.53.2

Affects Versions

No response

tiksn avatar Sep 15 '24 00:09 tiksn

Thanks for your feedback. I am not sure this is a bug, since it is documented that the cookies are all going to be Secure.

Two options:

  • stand up a backend to do the token exchange (sample code here) which can set the cookies to be non-Secure.
  • run a local proxy (caddy is great) which can serve up https endpoints.

I'm going to convert this to a feature request.

However, we have a long backlog of feature work and those workarounds should solve the issue, so I would not count on your requested change being implemented soon.

mooreds avatar Sep 23 '24 22:09 mooreds