scimgateway
Override base URL for metadata.location
Is there any way to override the base URL for location in the response metadata? Our scim service is running in a k8s cluster behind a proxy, so the location should be the external endpoint (base URL + path). What we're getting is the internal service URL.
Hi,
Does your IdP make use of meta.location that is included in response?
It's included because of SCIM specification, I'm not aware of IdPs actually using this information.
Assume reason for question is that you do not want to expose internal host/port information in response?
Two potential solutions to address this issue:
- New configuration option skipMetaLocation for excluding meta.location in the response
- Your proxy includes headers X-Forwarded-Host and X-Forwarded-Port, scimgateway then knows original host/port that can be set in meta.location. scimgateway is already evaluating another header X-Forwarded-For for allowlisted ip-addresses
Regards, Jarle
The main concern is not exposing internal host info. It's reassuring that you're not aware of IDPs using the information. Either of the approaches you suggest would work for us, the first would be simpler to set up.
Now fixed. Ref:
Change log
v4.4.4
[Added]
- New configuration: scim.skipMetaLocation
true or false, default false. If set to true, meta.location which contains protocol and hostname from request-url, will be excluded from response e.g. {...,"meta":{"location":"https://my-company.com/<...>"}}. If using reverse proxy and not including headers X-Forwarded-Proto and X-Forwarded-Host, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
Below is an example of nginx reverse proxy configuration supporting SCIM Gateway ipAllowList and correct meta.location response:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
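The header handling discussed in this thread, as an added example that is not scimgateway's own code: it builds meta.location from X-Forwarded-Proto and X-Forwarded-Host only when the request comes from a known proxy, and omits the field rather than publishing the internal host when the headers are missing. The function names, the request shape, the proxy address and the hostname allowlist are assumptions constructed for illustration; only the skipMetaLocation option name comes from the thread.

```javascript
// Added illustration, not scimgateway source. All names below are hypothetical.
const TRUSTED_PROXIES = new Set(['10.0.0.5'])        // constructed: peers allowed to set X-Forwarded-*
const ALLOWED_HOSTS = new Set(['scim.example.com'])  // constructed: external hostnames we agree to publish

// First value of a possibly comma-separated header ("a, b" -> "a"), lowercased.
function firstValue (v) {
  return typeof v === 'string' ? v.split(',')[0].trim().toLowerCase() : ''
}

// Returns the base URL for meta.location, or null when it cannot be
// determined safely (the caller then leaves meta.location out).
function externalBaseUrl (req) {
  const h = req.headers
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) {
    // Direct client: ignore any X-Forwarded-* it sent and use the request itself.
    return `${req.encrypted ? 'https' : 'http'}://${firstValue(h.host)}`
  }
  // Request came through the proxy: Host is the internal service name, so
  // only the forwarded headers may be published, and only if they validate.
  const proto = firstValue(h['x-forwarded-proto'])
  const host = firstValue(h['x-forwarded-host'])
  if (proto !== 'http' && proto !== 'https') return null
  if (!ALLOWED_HOSTS.has(host.replace(/:\d+$/, ''))) return null
  return `${proto}://${host}`
}

// Returns a copy of the SCIM resource with meta.location set, or removed when
// skipMetaLocation is true or no safe base URL exists.
function addMeta (resource, req, path, opts = {}) {
  const meta = { ...resource.meta }
  delete meta.location
  const base = opts.skipMetaLocation ? null : externalBaseUrl(req)
  if (base) meta.location = base + path
  return { ...resource, meta }
}
```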