Hi.
Has anyone had the “OpenID Connect Authenticator” working behind a proxy where the public domain is different to the host on which xwiki is running?
In my specific case, the domains are actually the same but the external transport is HTTPS whilst xwiki is behind an RP and is running on HTTP. When the OIDC extension starts the authentication process, it does 2 things. It sets up a callback url and it also stores the original URL of the page the user was trying to access. The first part does consider what the public address is by using xcontext.getURLFactory().getServerURL(xcontext); however, the second step uses (eventually) XWiki.getRequestURL which as far as I can tell does not take into account x-forwarded-host or the xwiki.home config in xwiki.cfg as it uses getRequestURL on HttpServletRequest.
I’m going to investigate changing OIDC to use the external URL to build up the “original url” that it stores for later rather than using getRequestURL.
I just wanted to make sure that I’m not missing some expected behaviour elsewhere that is not happening due to a misconfiguration or something, or that I’m running into a bug somewhere else within XWiki rather than this just being a functional issue of the OIDC extension.
If it’s agreed that this is an issue with the OIDC extension, I’ll get a GitHub issue raised and I’ll submit a PR once I have things working.
Thanks in advance,
Alex
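
An added example, not part of the original post and not code from XWiki or the OIDC extension: it shows how the URL the servlet container sees differs from the public one behind a TLS-terminating proxy, and rebuilds the public URL from X-Forwarded-Proto and X-Forwarded-Host only when the request comes from a known proxy, since the stored "original url" later becomes a post-login redirect target. The class, method and parameter names, the lower-case header map, and the addresses and hostnames are assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not an XWiki or OIDC extension API.
public class ExternalUrlExample {
    // Constructed sample value: the only peer allowed to supply X-Forwarded-* headers.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    // Accept a bare host with an optional port; anything else (lists, paths) is ignored.
    static final Pattern HOST = Pattern.compile("[A-Za-z0-9.-]+(:\\d{1,5})?");

    // requestUrl stands in for HttpServletRequest.getRequestURL(), query for getQueryString(),
    // remoteAddr for getRemoteAddr(); headers is assumed to be keyed by lower-case name.
    static String externalUrl(String requestUrl, String query, String remoteAddr,
                              Map<String, String> headers) {
        URI seen = URI.create(requestUrl);
        String scheme = seen.getScheme();
        String authority = seen.getRawAuthority();
        // Forwarded headers are client-controlled unless the direct peer is the proxy.
        if (TRUSTED_PROXIES.contains(remoteAddr)) {
            String proto = headers.get("x-forwarded-proto");
            if ("https".equals(proto) || "http".equals(proto)) {
                scheme = proto;
            }
            String host = headers.get("x-forwarded-host");
            if (host != null && HOST.matcher(host).matches()) {
                authority = host;
            }
        }
        String url = scheme + "://" + authority + seen.getRawPath();
        return query == null ? url : url + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample: same domain inside and outside, HTTP behind the proxy.
        String seen = "http://wiki.example.org/xwiki/bin/view/Main/";
        Map<String, String> viaProxy = Map.of(
            "x-forwarded-proto", "https", "x-forwarded-host", "wiki.example.org");
        System.out.println(externalUrl(seen, "rev=2", "10.0.0.5", viaProxy));
        // Same headers from an unknown peer are ignored, so the stored URL stays on the wiki's host.
        Map<String, String> untrusted = Map.of(
            "x-forwarded-proto", "https", "x-forwarded-host", "other.example.net");
        System.out.println(externalUrl(seen, null, "203.0.113.9", untrusted));
    }
}
```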