after SSO returning to OIDCRedirectURI header has "location" as private ReverseProxyURL set

[janeerikengels]

Hello, Im bilding a sso for our application in Azure: WAF -> 2 x apache 2.4 reverse proxies with OIDC 2.4.11.3 -> 2 x wildfly application servers and an internet based SSO service somewhere else provided by our customer.
Calling your application over the internet switches successfully to the SSO service and it is redirecting back to OIDCRedirectURI

While processing ORIDCredirectURI the location switches to the reverse Proxy URL and the browser "stays" there

This Url is private and should not show up in the Browser URL. The reverse proxy does not know what to do with it and will stay there with "page not found". Manualy editing the URL back to the Internet URL of our application with bring up our GUI -- I think the authentication was valid after all.

Virtual host apache:

<VirtualHost *:444>
ServerName .cloudapp.azure.com

ProxyRequests On
ProxyPreserveHost On
RequestHeader set Host .cloudapp.azure.com
RewriteEngine On
SSLProxyEngine on
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

RewriteEngine On
RewriteOptions Inherit

<Proxy balancer://myset>
BalancerMember https://productnameAPPa1.productname-app1.private.poc.azure.com:15881 route=productname_instance_1
BalancerMember https://productnameAPPa2.productname-app1.private.poc.azure.com:15881 route=productname_instance_2
ProxySet stickysession=IID
ProxyPreserveHost On
Order deny,allow
Allow from all

ProxyPass "/" "balancer://myset/"
ProxyPassReverse "/" "balancer://myset/"

Header add Set-Cookie "productnameID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

OIDCProviderMetadataURL https://SSOprovider.com/.well-known/openid-configuration
OIDCRedirectURI https://our azure behind WAF.cloudapp.azure.com/imageMaster/redirect_uri
OIDCClientID ccID
OIDCClientSecret 86SECRET
OIDCCryptoPassphrase QPASSPHRASE
OIDCScope "openid"
OIDCCookiePath /
OIDCCookieDomain our azure behind WAF..cloudapp.azure.com
OIDCCookieSameSite On
OIDCPassCookies BIGipServerRD_000_POOL_STD_CCV_DMS_INT
OIDCSessionInactivityTimeout 10800
OIDCHTMLErrorTemplate /var/wwww/html/PRODUCTNAME/conf/PRODUCTNAMEinternet.html
OIDCRemoteUserClaim sub
OIDCAuthNHeader X-Forwarded-User
OIDCStateTimeout 10800
OIDCXForwardedHeaders X-Forwarded-Host

Header always set X-Frame-Options "sameorigin"
RequestHeader set X-Forwarded-Proto "https" early
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Host "our azure behind WAF.cloudapp.azure.com"

<Location /Productname>
AuthType openid-connect
Require valid-user
SetOutputFilter INFLATE;DEFLATE

SSLEngine on
SSLCertificateFile /etc/ssl/certs/PRODUCTNAMEproxa2.x509.crt
SSLCertificateKeyFile /etc/ssl/private/PRODUCTNAMEproxa2.key
#SSLCertificateChainFile /home/apache/ssl-PRODUCTNAME/ca-bundle.crt

Any idea what happens there? Any help?

[zandbelt]

I guess the logs would tell you that the "current URL" is not detected correctly, most probably because it needs a correct X-Forwarded-Host header, which - since it is not set by the actual reverse proxy - probably have an "early" flag just like you did for X-Forwarded-Proto

[janeerikengels]

I have spend HOURS ... just trying to fix this -> the early helped!
Thank you!