
Enhancement: Respect X-Forwarded-Proto header in OpenIdAuthenticationMechanism

Open kapinyajudit opened this issue 1 year ago • 2 comments

Brief Summary

We have a Java web application using OIDC authentication, running on Payara 6 in a Dockerized environment, deployed to Azure as an AppService. The application runs internally with HTTP while Azure converts incoming traffic to HTTPS. Payara Security compares the incoming request URL directly with the configured URL, leading to a mismatch due to protocol differences. Azure adds the X-Forwarded-Proto header to the request indicating that originally it was HTTPS, but Payara does not respect that.

Expected Outcome

The OpenIdAuthenticationMechanism should accurately compare request URLs with configured OIDC Redirect URLs, respecting the X-Forwarded-Proto header.

Current Outcome

"OpenID Redirect URL https://my-url does not match with the request URL http://my-url" is logged and the user is not authenticated.

Alternatives

Instead of

    if (!request.getRequestURL().toString().equals(redirectURI)) {

I propose a more sophisticated solution that respects the X-Forwarded-Proto header:

    import jakarta.servlet.http.HttpServletRequest; // Payara 6 ships the Jakarta EE 10 servlet API

    private boolean isRequestURLMatching(HttpServletRequest request, String redirectURI) {
        // Scheme the client used at the edge, as reported by the reverse proxy (e.g. Azure)
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        // URL as the container saw it: http://... because TLS was terminated at the proxy
        String requestURL = request.getRequestURL().toString();

        // If the request is forwarded via HTTPS, rebuild requestURL with the https scheme
        if ("https".equalsIgnoreCase(forwardedProto)) {
            requestURL = "https://" +
                    request.getServerName() +
                    // keep an explicit port only when it is not a default HTTP/HTTPS port
                    (request.getServerPort() != 80 && request.getServerPort() != 443 ? ":" + request.getServerPort() : "") +
                    request.getRequestURI();
        }

        return requestURL.equals(redirectURI);
    }

Context

No response

kapinyajudit, Apr 25 '24 10:04
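As an added illustration (not code from this issue or from Payara), the comparison rewritten so that the forwarded scheme is honoured only when the request came from a known proxy, default ports compare equal, and an empty redirect path matches the container's "/". The class name `RedirectUriMatcher`, the `trustedProxies` set and the use of X-Forwarded-Port are assumptions of the example.

```java
import java.net.URI;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;

// Hypothetical helper (not Payara's code): compares the request URL with the configured
// OIDC redirect URI, honouring X-Forwarded-Proto only from a trusted reverse proxy.
public final class RedirectUriMatcher {
    // Assumption: source addresses of the proxies allowed to set forwarding headers.
    private final Set<String> trustedProxies;

    public RedirectUriMatcher(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }
    public boolean matches(HttpServletRequest request, String redirectURI) {
        URI expected = URI.create(redirectURI);
        String scheme = request.getScheme();
        int port = request.getServerPort();

        // Only a trusted proxy may override the scheme; honouring the header from
        // anyone would let a direct http:// request claim to be https://.
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        if (forwardedProto != null && trustedProxies.contains(request.getRemoteAddr())) {
            // Some proxies append to an existing value; the first entry is client-facing.
            scheme = forwardedProto.split(",")[0].trim().toLowerCase();
            // The container still listens on its internal port (e.g. 8080); the public
            // port is the scheme default unless X-Forwarded-Port says otherwise.
            port = parsePort(request.getHeader("X-Forwarded-Port"));
        }
        return scheme.equalsIgnoreCase(expected.getScheme())
                && request.getServerName().equalsIgnoreCase(expected.getHost())
                && effectivePort(scheme, port) == effectivePort(expected.getScheme(), expected.getPort())
                && normalizePath(request.getRequestURI()).equals(normalizePath(expected.getRawPath()));
    }

    // -1 or a default port normalises so that https://host and https://host:443 compare equal.
    static int effectivePort(String scheme, int port) {
        return port > 0 ? port : ("https".equalsIgnoreCase(scheme) ? 443 : 80);
    }

    // A redirect URI such as https://my-url has an empty path, while the container reports "/".
    static String normalizePath(String path) {
        return (path == null || path.isEmpty()) ? "/" : path;
    }

    // A missing or malformed X-Forwarded-Port falls back to the scheme default.
    static int parsePort(String header) {
        try { return header == null ? -1 : Integer.parseInt(header.trim()); }
        catch (NumberFormatException e) { return -1; }
    }
}
```

With the issue's example, a container request for http://my-url/ carrying X-Forwarded-Proto: https from a listed proxy matches the configured https://my-url, while the same header sent directly by a client is ignored.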

Hello @kapinyajudit,

Thank you for reporting this issue. As you already have a proposed solution for this issue, could you please create a PR that our engineering team will analyse? Thank you in advance, and I apologise for the late reply to this issue.

Best regards, Felix

felixif, May 14 '24 10:05

Greetings. It's been more than 5 days since we requested more information or an update from you on the details of this issue. Could you provide an update soon, please? We're afraid that if we do not receive an update, we'll have to close this issue due to inactivity.

github-actions[bot], May 20 '24 00:05

Greetings. It's been more than 5 days since this issue was identified as abandoned. We have closed this issue due to inactivity; please feel free to re-open it if you have more information to share.

github-actions[bot], May 26 '24 00:05