[Bug]: OIDC Adds ":" to redirect URI even though no port is specified in URL.

[benshalev849]

Version

3.7.0

What Kubernetes platforms are you running on?

Openshift

Steps to reproduce

We are deploying the NGINX as usual and using the "NGINX OIDC" policy.
When using it and diving into some of the code we saw that the redirect URI automatically adds a : in the redirect URI which can break it and doesn't make much sense. (In our env it's a problem since specifying ports is not allowed in redirect_uris.)

As seen in the following file on line 6-9: internal/configs/oidc/oidc_common.conf

We saw that there is mapping of the redirect URI based on $server_port and $http_x_forwarded_port.

When using HTTPS there is no port "specified" thus if our domain is: my-oidc-tests.com it will result in the following redirect URI: https://my-oidc-tests.com:/_codexch which breaks our SSO provider.

We think a better solution is adding the : and a port only when it actually exists or even have an option to toggle it on or off.

I opened under a bug because we are not sure if this is intended behaviour (the default adding of : into the URI or not.)

Thank you :)

[github-actions]

Hi @benshalev849 thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[haywoodsh]

Hi @benshalev849, in NGINX Ingress Controller, the redirect URI is restricted to be the same host as the virtual server. Can you share the OIDC policy and virtual server yaml you were deploying?

[benshalev849]

It is the same host, the main problem is it adding the : to the end which seems weird when no port specificed.
So in the below example the redirect URI will be:

https://ben.oidc.com:/nginx-oidc (with ':')

https://ben.oidc.com/nginx-oidc

The oidc policy:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: oidc-policy
spec:
  oidc: 
    clientID: test-ben
    authEndpoint: <sso_endpoint>/protocol/openid-connect/auth
    tokenEndpoint: <sso_endpoint>/protocol/openid-connect/token
    jwksURI: : <sso_endpoint>/protocol/openid-connect/certs
    endSessionEndpoint: : <sso_endpoint>/protocol/openid-connect/logout
    scope: openid+profile+email
    accessTokenEnable: true
    redirectURI: /nginx-oidc

The VS:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: my-oidc-vs
spec:
  host: ben.oidc.com
  policies:
    -name: oidc-policy
  tls: {}
  upstreams:
    - name: backend
       service: simple-http-backend
       port: 8080
  routes:
    - path: /
       action:
         pass: backend

[haywoodsh]

We recently introduced the integration test for OIDC in our pipeline to ensure it functions correctly in our standard environment. https://github.com/nginx/kubernetes-ingress/blob/main/tests/suite/test_oidc.py
Therefore, I would assume the issue you are experiencing is specific to your environment, and it would be difficult for us to accommodate every possible deployment scenario. That said, would you mind sharing more information about your environment, such as which identity platform you are using?

[benshalev849]

@haywoodsh

I have specified in the issue the lines of code where the mapping adds the : by default, it's here: internal/configs/oidc/oidc_common.conf

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

This means that if no server port or http_x_forwared port is specified it will still add the ":" hardcoded hence resulting the the bad redirect URI containing a : in it even though no port is specified.

The OIDC works and redirects, it just adds to the redirect URI the : which causes problems when adding redirect URIs in our env

[vepatel]

Hi @benshalev849 , i've just tried the provided OIDC example and had no issues with missing port:

"GET /realms/master/protocol/openid-connect/auth?response_type=code&scope=openid+profile+email&client_id=nginx-plus&redirect_uri=https://webapp.example.com:443/_codexch&nonce=Vz_xUynfsv4L1EX7SLstOoUs0qbs6y67pfr6zZUVaQE&state=0 HTTP/1.1" 200 4974 "https://webapp.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" "-"

Would you mind providing us with your IDP configuration and platform info please?

[jjngx]

@benshalev849 could you please let us know what IDP and config you use?

[LiorVayness]

I'm a colleague of @benshalev849 so i will continue the conversation with you while he is gone :)
As an IDP we have Keycloak in our environment.
About the configs, we use the ones from ben's response:

The oidc policy:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: oidc-policy
spec:
  oidc: 
    clientID: test-ben
    authEndpoint: <sso_endpoint>/protocol/openid-connect/auth
    tokenEndpoint: <sso_endpoint>/protocol/openid-connect/token
    jwksURI: : <sso_endpoint>/protocol/openid-connect/certs
    endSessionEndpoint: : <sso_endpoint>/protocol/openid-connect/logout
    scope: openid+profile+email
    accessTokenEnable: true
    redirectURI: /nginx-oidc

The VS:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: my-oidc-vs
spec:
  host: ben.oidc.com
  policies:
    -name: oidc-policy
  tls: {}
  upstreams:
    - name: backend
       service: simple-http-backend
       port: 8080
  routes:
    - path: /
       action:
         pass: backend

The configmap looks like so:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  resolver-addresses: dns-default.openshift-dns.svc.cluster.local
  resolver-valid: 5s
  access-log-off: 'False'
  http2: 'True'
  stream-snippets: |
    server {
        listen 12345;
        listen [::]:12345;
        zone_sync;
        zone_sync_server nginx-ingress-headless.nginx-ingress.svc.cluster.local:12345 resolve;
    }

On another note like @benshalev849 mentioned earlier when we tried to reach our test website we got the redirect_uri error from the Keycloak and we noticed that the redirectURI received in the url request what like so: redirect_uri=https://my-oidc-tests.com:/_codexch we haven't changed anything in the oidc config file.
if you need more config files let me know :)