Apache2 OIDC and reverse proxy for tomcat application #1103

Closed
aashishagarwal opened this issue Sep 8, 2023 Discussed in #1102 · 1 comment
Discussed in #1102

Originally posted by aashishagarwal September 7, 2023
We are trying to integrate Apache2 OIDC with ForgeRock.
We have several Java/.NET apps to which requests will be proxied based on the path.

I have tried a lot of things but am not able to make this work. I am confused about the RedirectURI; I am not sure what that URL should be: should it return HTTP status 204 (No Content), or be an invalid URL which doesn't exist?

My config is available below.
Apache running on 80.
Tomcat running on 8080, context path /test.
When I hit http://host-ip/test, it goes to ForgeRock, gets authenticated and comes back to the redirect URL.
Request flow:

  1. GET http://<host-ip>/test status code 302
  2. GET http://<forgerock> with redirect uri and client id status code 302
  3. After authentication at forgerock, GET - http://<host-ip>/test/callback status code 200
  4. Another request, POST - http://<host-ip>/test/callback status code 500

There is no real URL which can return 200 on http://<host-ip>/test/callback.
On Tomcat the following paths are available: /test, /test/hello, /test/listHeaders

Apache Config

```apache
# LoadModule is only valid in server (global) context, not inside <VirtualHost>
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    OIDCProviderMetadataURL https://<foregorck>/fgram/oauth2/.well-known/openid-configuration

    OIDCProviderJwksUri https://<foregorck>/fgram/oauth2/connect/jwk_uri
    OIDCOutgoingProxy <proxy_host:proxy_port>
    OIDCClientID <client_id>
    OIDCClientSecret <secret>
    # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
    OIDCRedirectURI http://<host-ip>/test/callback
    OIDCCryptoPassphrase secret

    OIDCScope "profile openid groups"

    <Location />
        AuthType openid-connect
        <LimitExcept OPTIONS>
            AuthType openid-connect
            Require valid-user
        </LimitExcept>
    </Location>
    <Location /test>
        AuthType openid-connect
        <LimitExcept OPTIONS>
            AuthType openid-connect
            Require valid-user
        </LimitExcept>
        ProxyPreserveHost On
        ProxyPass http://<host-ip>:8080/test/
        ProxyPassReverse http://<host-ip>:8080/test/
        LogLevel Debug
    </Location>
</VirtualHost>
```

Can someone please help me understand what's incorrect in this whole flow? What should my RedirectURI be in this case?
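As an added example (not from the issue or from the mod_auth_openidc project), the configuration below lays out the same setup so that the redirect URI stays under the protected /test location, as the module's directive comment requires, but is never reverse-proxied to Tomcat. The host, client and ForgeRock values are the same placeholders as in the post; the `ProxyPass /path !` form is mod_proxy's documented way to exempt a sub-path from proxying, and it must precede the general `/test` rule because ProxyPass rules are matched in order.

```apache
# Added example configuration, not the reporter's or the project's own.
# Placeholders (<host-ip>, <forgerock>, <client_id>, <secret>) are assumed
# to be filled in exactly as in the original post.

# Module loading belongs in the global server context, not in a VirtualHost.
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    OIDCProviderMetadataURL https://<forgerock>/fgram/oauth2/.well-known/openid-configuration
    OIDCClientID <client_id>
    OIDCClientSecret <secret>
    OIDCScope "profile openid groups"
    # This value encrypts the module's session and state cookies; use a long,
    # random secret rather than a guessable word.
    OIDCCryptoPassphrase <long-random-passphrase>

    # The redirect URI is a path inside the protected /test location that
    # serves no content of its own: mod_auth_openidc answers it itself.
    OIDCRedirectURI http://<host-ip>/test/callback

    # Exempt the callback from reverse proxying BEFORE the general rule, so the
    # authorization response (GET or POST) is never forwarded to Tomcat, which
    # has no /test/callback resource.
    ProxyPass /test/callback !
    ProxyPreserveHost On
    ProxyPass        /test http://<host-ip>:8080/test
    ProxyPassReverse /test http://<host-ip>:8080/test

    # Everything under /test, including the callback path, requires a valid
    # OIDC session; the module handles the callback before proxying occurs.
    <Location /test>
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

With this layout a request to /test/callback is matched by the exclusion rule first, so even if the module did not claim it, mod_proxy would return 404 locally instead of handing an authorization response to the backend; the access log will show the callback served by Apache itself rather than by Tomcat, which is the simplest check that the redirect URI is wired as intended.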
