OIDC - OpenId Connect authentication fail for application behind NGINX
Checklist
- Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image? Yes
- Are you sure you're not using someone else's docker image? Yes
- Have you searched for similar issues (both open and closed)? Yes
Describe the bug
NGINX Proxy Manager is facing internet. I tried to use OpenID Connect for authentication behind it.
Internet --- NGINX proxy manager --- APISIX with openid-connect --- Web app
Keycloak is used for OIDC server.
I tried to use APISIX to manage the authentication (behind NGINX Proxy Manager) without success. https://github.com/apache/apisix/issues/10149 We got to the conclusion that it was a cookie issue with cross-site access. But the Keycloak cookie is set properly and I didn't find anywhere in NGINX Proxy Manager: 'set $session_cookie_samesite Strict;'. If I bypass NGINX Proxy Manager with ngrok tunnelling, callback authentication works.
So, I tried with a small nodejs app directly behind NGINX Proxy Manager to simplify the problem. I get the same issue. The callback to the app cannot be decoded properly; some information is missing.
Nginx Proxy Manager Version
v2.10.4
To Reproduce
This is the nodejs code:

const express = require('express');
const { auth } = require('express-openid-connect');
require('dotenv').config();
const path = require('path');

const app = express();
const port = process.env.NODEPORT;

// express-openid-connect mounts /login, /callback and /logout and keeps the
// session in an encrypted appSession cookie; all settings come from .env
app.use(auth({
  issuerBaseURL: process.env.ISSUER_BASE_URL, // Keycloak realm URL
  clientID: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  baseURL: process.env.BASE_URL,             // external URL, via NGINX Proxy Manager
  secret: process.env.SECRET,                // used to encrypt the session cookie
  authorizationParams: {
    response_type: 'code',
    audience: process.env.BASE_URL,
    scope: 'openid',
  },
  idpLogout: true,
  auth0Logout: true,
}));

app.use(express.static(path.join(__dirname, 'htdocs')));

// Requires login by default: shows the claims of the authenticated user
app.get('/profile', async (req, res) => {
  res.send(`hello ${JSON.stringify(req.oidc.user, null, 2)}`);
});

app.listen(port, () => {
  console.log(`Server listening on port ${port}`);
});
- go to the app external URL <BASE_URL>
- it is redirected to the login page on Keycloak
- when the user credentials are accepted, callback to:
<BASE_URL>/callback?state=eyJyZXR1cm5UbyI6Ii8ifQ&session_state=a7fd9407-e2c3-474c-8625-117276ed6bc0&code=a10612fc-664f-41f5-aaa3-9900d38433eb.a7fd9407-e2c3-474c-8625-117276fc6bc0.ab703194-4f67-4d9e-8a26-eff7867dc310
and page:
502 Bad Gateway
_______________
openresty
Operating System
Linux Debian
Issue is now considered stale. If you want to keep it open, please comment :+1:
I am also seeing this issue with AzureAd auth
Setup Public -> NPM -> Blazor Docker App
502 bad gateway response when the auth callback is returned at /signin-oidc
Some research suggests default payload size is 4kb and may need to be bumped up.
Could you solve that issue? I ran into this also and cannot find any solution.
I added this to the advanced config section to increase payload size.
Okay, thank you. I tried, and it solved the 502 error, but login over OAuth did not work anyway.
What is your app stack? Are you saying it did not work due to Nginx proxy manager? Maybe if you have logs or code to show, some can help get things moving.
Here is a nice-to-copy version of the screenshot.
This solved the problem for me.

proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
My tech stack is a dotnet backend service and Authentik as an IDP.
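To see why only the OIDC callback trips this limit, here is an added illustration in Node (not code from the thread, from Nginx Proxy Manager or from express-openid-connect): it models nginx's requirement that the upstream status line plus all response headers fit in proxy_buffer_size, using a constructed callback response whose session cookie is split into chunks (chunk size, cookie names and header values are assumptions).

```javascript
// Added example, not from the issue thread or from Nginx Proxy Manager.
// nginx must fit the upstream status line plus every response header into
// proxy_buffer_size (commonly 4k or 8k by default) or it answers 502; the
// OIDC callback is the first response that carries the large session cookie.
const CRLF = '\r\n';
// Bytes of the header block nginx buffers for one upstream response.
function responseHeaderBytes(statusLine, headers) {
  let bytes = Buffer.byteLength(statusLine + CRLF);
  for (const [name, value] of headers) {
    bytes += Buffer.byteLength(`${name}: ${value}${CRLF}`);
  }
  return bytes + Buffer.byteLength(CRLF); // blank line closing the headers
}

// Split a long cookie into name.0, name.1, ... (assumed chunk size and
// naming; express-openid-connect chunks its appSession cookie similarly).
function chunkCookie(name, value, chunkSize, attrs) {
  if (value.length <= chunkSize) return [['Set-Cookie', `${name}=${value}; ${attrs}`]];
  const out = [];
  for (let i = 0, n = 0; i < value.length; i += chunkSize, n++) {
    out.push(['Set-Cookie', `${name}.${n}=${value.slice(i, i + chunkSize)}; ${attrs}`]);
  }
  return out;
}

// Constructed callback response: 302 back to "/" plus a session cookie of
// sessionBytes (the real cookie is an encrypted blob holding the tokens).
function callbackResponse(sessionBytes) {
  const session = 'A'.repeat(sessionBytes);
  const attrs = 'Path=/; HttpOnly; Secure; SameSite=Lax';
  const headers = [
    ['Location', '/'],
    ['X-Powered-By', 'Express'],
    ...chunkCookie('appSession', session, 4000, attrs),
    ['Content-Length', '0'],
  ];
  return responseHeaderBytes('HTTP/1.1 302 Found', headers);
}

// Does a header block of headerBytes fit a proxy_buffer_size like "4k"?
function fitsProxyBuffer(headerBytes, proxyBufferSize) {
  const m = /^(\d+)([kKmM]?)$/.exec(proxyBufferSize);
  if (!m) throw new Error(`bad size: ${proxyBufferSize}`);
  const mult = { '': 1, k: 1024, K: 1024, m: 1048576, M: 1048576 }[m[2]];
  return headerBytes <= Number(m[1]) * mult;
}

// A default-sized buffer fails on the callback; the 256k setting above passes.
console.log(fitsProxyBuffer(callbackResponse(6000), '4k'), fitsProxyBuffer(callbackResponse(6000), '256k'));
```

Running it prints `false true`: a 6 KB session cookie overflows a 4k buffer but fits the 256k one, which matches the behaviour seen only on the callback.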