Issue with SSL and Oauth2 provider w/ Azure

Hello,

I have an issue where my return URL declared on Azure for an Oauth2 workflow is returned with a port 80 added to it, and of course, there is a mismatch that breaks the authentication.

Here is how I declare the URL:

Here is what is returned:
https://login.microsoftonline.com/vmware.com/oauth2/v2.0/authorize?response_type=code&client_id=79be0823-bf61-4d46-9457-e75fa3067d2c&scope=User.Read Mail.Send offline_access&redirect_uri=https://acorro-sandbox.apps.xxx.io:80/dmxConnect/api/O365/Grant.php&state=c2f81bbb3ade2513f1f27002f7d0770802da2badb2b1f84d3c599a6ba1addd55&return_url=https://acorro-sandbox.apps.xxx.io/index.php

It’s the https://acorro-sandbox.apps.xxx.io:80/ that is a problem.

And here is how the step is configured in the API action - I’ve tried both with and without SSL enforced, and I get the same behavior.

This seems to affect only my production environment. The only thing that seems a little bit odd is the domain name with a ‘nested’ subdomain.


After some research, it looks like my host is behind a reverse proxy with its SSL offloaded.
Looking at the Oauth2.php file:

the code is making a few assumptions that don’t support SSL offloading - it adds the ‘local’ port (80 in my case) back onto the ‘external’ URL (the redirectUrl), believing it to be a ‘custom’ or non-standard port for the HTTPS protocol. The HTTPS flag is generally set to On, even for SSL offloaded sites, but in the latter case the traffic is coming in on port 80.

Here is an example of what would be done for SSL Offloading scenarios: https://www.lullabot.com/articles/setting-up-ssl-offloading-termination-on-an-f5-bigip-load-balancer
–> $_SERVER[‘HTTPS’] can be set to On to help the web application be reassured that the traffic from the client has been sent over the HTTPS protocol. But from the web server’s perspective, the traffic could come in on port 80.

Is this something we could look into @patrick, @George and @Teodor ?

Hi!
Please let me know the update on this issue.
Now I also face the same issue and am stuck on it.
Kindly advise me if you have successfully done it.

We should probably do some proxy detection. Another option is to use the web URL that you already have set in the project settings to generate the URL. We have to think about which option is best. I will make a small update for the proxy detection and post it here later.

Almost all proxies set the header X_FORWARDED_PROTO which we can use to detect if the https is handled by the proxy and then generate the correct uri.

Changed the code for the redirect URI to:

```php
protected function getRedirectUri() {
  // Local view: did the web server itself receive the request over TLS?
  $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on';
  $port = $_SERVER['SERVER_PORT'];

  // Proxy view: most reverse proxies set X-Forwarded-Proto when they
  // terminate TLS and forward to the backend over plain HTTP (port 80).
  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    // SSL offloaded by proxy
    $https = TRUE;
  }

  $url = 'http';
  $url .= $https ? 's' : '';
  $url .= '://';
  $url .= $_SERVER['SERVER_NAME'];
  // Only append the port when it is non-standard; 80 and 443 are implied.
  $url .= ($port == '80' || $port == '443') ? '' : ':' . $port;
  $url .= parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);

  return $url;
}
```

The updated file: Oauth2.zip (3.2 KB)
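As an added example that is not the Wappler code from the thread: the same redirect-URI logic in PHP, but only honouring X-Forwarded-Proto (and X-Forwarded-Port) when the request arrives from a proxy address you configure, since otherwise any client can send that header itself. The trusted proxy address, the hostnames and the sample $_SERVER arrays are constructed for the demonstration.

```php
<?php
// Build the external redirect URI from a $_SERVER-style array.
// $trustedProxies lists the addresses of the reverse proxies that offload SSL.
function buildRedirectUri(array $server, array $trustedProxies): string
{
    $https = isset($server['HTTPS']) && strtolower($server['HTTPS']) === 'on';
    $port  = (string)($server['SERVER_PORT'] ?? '80');

    // Only believe forwarded headers when the immediate peer is our proxy.
    $fromTrustedProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    if ($fromTrustedProxy) {
        if (isset($server['HTTP_X_FORWARDED_PROTO'])) {
            $https = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
        }
        // The local port (80 behind an offloading proxy) is meaningless to the
        // browser; use the port the proxy reports, else the scheme's default.
        $port = (string)($server['HTTP_X_FORWARDED_PORT'] ?? ($https ? '443' : '80'));
    }

    $defaultPort = $https ? '443' : '80';
    $portSuffix  = ($port === $defaultPort) ? '' : ':' . $port;
    $path        = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

    return ($https ? 'https' : 'http') . '://' . $server['SERVER_NAME'] . $portSuffix . $path;
}

// Constructed sample environments (10.0.0.5 is the assumed proxy address).
$trusted = ['10.0.0.5'];
$cases = [
    // 1. The thread's scenario: TLS offloaded, backend sees port 80.
    ['SERVER_NAME' => 'acorro-sandbox.apps.xxx.io', 'SERVER_PORT' => '80', 'HTTPS' => 'on',
     'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
     'REQUEST_URI' => '/dmxConnect/api/O365/Grant.php?state=abc'],
    // 2. Same header sent by an untrusted client: it must be ignored.
    ['SERVER_NAME' => 'acorro-sandbox.apps.xxx.io', 'SERVER_PORT' => '80',
     'REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https',
     'REQUEST_URI' => '/dmxConnect/api/O365/Grant.php'],
    // 3. Direct local dev server on a non-standard port.
    ['SERVER_NAME' => 'localhost', 'SERVER_PORT' => '8100', 'REMOTE_ADDR' => '127.0.0.1',
     'REQUEST_URI' => '/dmxConnect/api/O365/Grant.php'],
];
foreach ($cases as $i => $env) {
    echo ($i + 1) . ': ' . buildRedirectUri($env, $trusted) . PHP_EOL;
}
```

Case 1 yields `https://acorro-sandbox.apps.xxx.io/dmxConnect/api/O365/Grant.php` with no `:80`, case 2 stays `http://` because the header came from an untrusted address, and case 3 keeps `:8100`.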

Could you please advise what I can do for a Node.js project with Oauth2?
Thanks

NodeJS already has proxy detection. We set the trust proxy setting to true, so it should get the correct protocol when your proxy sets the X_FORWARDED_PROTO header.

http://expressjs.com/en/api.html#req.protocol

Could you please guide me on how to get SSL and the Oauth2 provider working in a Wappler Node.js project? I want to host the Node.js project on IIS and also use the SSL Oauth2 provider with Azure.

Thanks in advance

Does it generate an incorrect redirect URI for you, or do you have another problem?

  • Host the Node.js project on the IIS server with a reverse proxy, then run pm2.

  • After that, when the O365 login API is opened from the IIS server, the Microsoft login page cannot be displayed because the port is the old Wappler default port and not the IIS port. Other APIs are OK, except for Oauth2.

Thanks in advance