Random incorrect redirection for authentication when behind proxy

[nneul]

Configuration:
:80 -> https redirect only
:81 -> http, with oidc auth config, backend port behind a proxy server
:443 -> https, with oidc auth config

I have both hardwired global (outside vhost) OIDCRedirectURI - with full URL (including protocol and port 443).
I have the same OIDCRedirectURI set inside the port 81 and port 443 vhosts.

I have: "RequestHeader set X-Forwarded-Port 443 early" in the vhost configuration on port 81 and port 443 vhosts, along with "X-Forwarded-Proto set https early". (early vs normal did not make any difference in behavior).

The behavior I see seems to depend on whether I'm coming in completely-null, or 'have an IDP session, but not for this server instance', but even that is not consistent -- but after hitting IDP after going to https://server on the proxy, it's redirecting back to https://server:81 (note that it gets the right proto, but wrong port).

If I bypass proxy and hit the server directly on 443, it works fine.

If I get redirected wrong, and then go the original URL again, it immediately let's me in, so it's definitely something about the redirection process where it's getting introduced, I do seem to be able to reproduce by clearing cookies for the site and then hitting the top https://server url again, at which point it kicks me to idp and immediately back to https://server:81

Any ideas on what to look at for this? I am inquiring on getting the X-Forwarded-Port send by the actual proxy in front of this apache instance, but I don't have that in place at this time. It was my understanding that doing it with the RequestHeader set should be sufficient, but it doesn't appear to be reliable.

[zandbelt]

you'll really need RequestHeader set X-Forwarded-Port 443 early along with OIDCXForwardedHeaders X-Forwarded-Port, see the release notes of 2.4.11 https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.11

[nneul]

Thank you!

[zandbelt]

for the record, when the X-Forwarded-Port is passed in - either through a proxy in front or by using RequestHeader early - and the OIDCXForwardedHeaders is not set to contain it, a warning is logged

[nneul]

Interesting, I've never seen any warning like that on my server logs. I did start seeing ones like this after the config change, but that's just for the non-proxy case.

[Wed Jan 24 19:18:00.682120 2024] [auth_openidc:warn] [pid 803044] [client 10.xx.xx.xx:57843] oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Port but not found in request, referer: https://origin.example.com/

[zandbelt]

well since you did not use early the header would not be visible to mod_auth_openidc

[nneul]

I wanted to put an update on this thread in case anyone else ran across it. I finally got this to reliably work. As near as I can see - setting OIDCXForwardedHeaders in this case does NOT work right/consistently if you put that directive in the global part of apache config. As soon as I put the config in the location section, I stopped getting user reports of the symptom with it redirecting wrong.

I haven't dug in further on it, but we've been running stable with no instances of the bad redirections since I made that change.