relative path in OIDCProviderAuthorizationEndpoint

[PavelTrushkin]

Hi,

• keycloak 18 behind apache reverse proxy with hostname-strict=false
• apache + mod_auth_openidc

everything is works while we handle requests (web auth) to known public server address but this device can have multiple addresses and we don't know these addresses (because of proxies, forwarding tunnels, etc) , so, question:

ideal solution is relative path in OIDCProviderAuthorizationEndpoint (understand this is unsecure etc etc) but it is disabled explicitly in oidc_check_config_openid_openidc

any alternative solution ?

[zandbelt]

I don't think that would be a solution: the module redirects to OIDCProviderAuthorizationEndpoint so it needs to be aware of that location; a relative path does not solve that since we're dealing with an external location, as opposed to OIDCRedirectURI, that is served from the same Apache server as the module is on

[PavelTrushkin]

thank you for the reply, i exactly know this works, keycloak is located on the same namespace and last kc versions can parse x-forwarded-host to construct correct url, if replace

AP_INIT_TAKE1(OIDCProviderAuthorizationEndpoint,
oidc_set_https_slot, ...
to

AP_INIT_TAKE1(OIDCProviderAuthorizationEndpoint,
oidc_set_relative_or_absolute_url_slot,

module allows relative path in OIDCProviderAuthorizationEndpoint and generates this reply

curl -ki https://localhost

HTTP/1.1 302 Found
Location: /auth/realms/

i just want to know may be alternative solution is exists and do not require code modification

thanks!

[zandbelt]

there's no alternative, and it shouldn't need one because the "external" URL should be fixed, also for security purposes; you're on your own with this

[PavelTrushkin]

I don't know external url - device (and keycloak) public url is dynamic or forwarded using secure tunnels :(