HTTP/HTTPS in OIDC, HTTPS is never a valid redirect link when it should be provided, not HTTP
I was unable to find this mentioned anywhere, so I am unsure if I have done something wrong, or whether it is a genuine bug.
Using Authentik to do OIDC, and the redirect URI is always HTTP, never HTTPS, even though the manyfold instance is hosted via HTTPS exclusively. I have tried multiple combinations of PUBLIC_URL, PUBLIC_PORT and HTTPS_ONLY and none of them have worked, and I have tested on multiple browsers, in both normal and private tabs, both Chromium- and Mozilla-based.
I have had one other app do this, and they have confirmed it was/is a bug and fixed it, so I have no idea if it is the same thing here or a missing configuration variable on my part; nor could I locate an appropriate bug report, so if it is either of these, I apologise.
The Manyfold Version is 0.127.1 (909cd7a0)
Not sure if it's a bug or config problem, but I've heard this discussed before, though I can't find the thread(s) now. It might also be similar to https://github.com/manyfold3d/manyfold/issues/3810. I need to set up Authentik locally to work it out.
Do you have a link to the other app and what discussion happened there?
https://github.com/gramps-project/gramps-web-api/issues/712
This is a set of environment vars from a working installation using Authentik and HTTPS - can you paste yours to compare?
OIDC_CLIENT_ID: <redacted>
OIDC_CLIENT_SECRET: <redacted>
OIDC_ISSUER: https://authentik.example.com/application/o/manyfold/
OIDC_NAME: Authentik
FORCE_OIDC: FALSE
PUBLIC_HOSTNAME: stl.example.com
I think the key is setting PUBLIC_HOSTNAME but not the other stuff; note that PUBLIC_PORT and HTTPS_ONLY are not set.
(If any of that works for you, I think it points towards a problem probably with HTTPS_ONLY, because that should definitely be OK to set in this situation)
The scheme for the redirect link is set in https://github.com/manyfold3d/manyfold/blob/main/config/initializers/devise.rb#L292, and completely depends on the setting of HTTPS_ONLY, and PUBLIC_HOSTNAME.
So, if HTTPS_ONLY is causing problems, then something's going very wrong.
So having tested this a bit here, if you want a https redirect_url, you have to have set:
PUBLIC_HOSTNAME=your.domain.here
HTTPS_ONLY=enabled
PUBLIC_PORT should only be set if it's non-standard (i.e. not 443).
I'll update the documentation with more detail on this, but also will carry on trying to see if I can improve the way it generates the redirect URL to prefer HTTPS if available. That might need more configuration though; still thinking.
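To make the dependency on those three variables concrete, here is an added Ruby sketch (not Manyfold's own devise.rb code; the callback path is an assumed placeholder and only the value `enabled` shown above is treated as turning HTTPS_ONLY on) that derives the redirect URI the way the comment above describes and reports which parts differ from what the IdP has registered:

```ruby
require 'uri'

# Added illustration, not Manyfold's devise.rb: build the OIDC redirect URI
# from PUBLIC_HOSTNAME, HTTPS_ONLY and PUBLIC_PORT as described in the thread.
# The callback path is an assumed placeholder.
def oidc_redirect_uri(env, callback_path: '/auth/openid_connect/callback')
  host = env['PUBLIC_HOSTNAME'].to_s
  raise ArgumentError, 'PUBLIC_HOSTNAME must be set' if host.empty?

  # Assumption: the scheme is https only when HTTPS_ONLY is literally "enabled".
  https = env['HTTPS_ONLY'].to_s.downcase == 'enabled'
  klass = https ? URI::HTTPS : URI::HTTP

  # PUBLIC_PORT is only needed for a non-standard port; URI omits the default
  # port (80 / 443) when rendering, so an explicit 443 is harmless here.
  port = env['PUBLIC_PORT'].to_s.empty? ? klass::DEFAULT_PORT : Integer(env['PUBLIC_PORT'])

  klass.build(host: host, port: port, path: callback_path).to_s
end

# Compare the URI the app will send against the one registered at the IdP and
# list the components that differ (an http-vs-https mismatch shows up here as
# both scheme and port, which is the symptom reported in this issue).
def redirect_mismatch(generated, registered)
  g = URI(generated)
  r = URI(registered)
  %i[scheme host port path].filter_map do |part|
    gv = g.public_send(part)
    rv = r.public_send(part)
    "#{part}: generated #{gv.inspect}, registered #{rv.inspect}" if gv != rv
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample settings mirroring the working configuration above.
  working = { 'PUBLIC_HOSTNAME' => 'stl.example.com', 'HTTPS_ONLY' => 'enabled' }
  broken  = { 'PUBLIC_HOSTNAME' => 'stl.example.com' } # HTTPS_ONLY left unset
  registered = oidc_redirect_uri(working)
  puts "registered at IdP: #{registered}"
  puts "with HTTPS_ONLY unset: #{oidc_redirect_uri(broken)}"
  puts redirect_mismatch(oidc_redirect_uri(broken), registered)
end
```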