Getting HTTP redirect URI despite X-Forwarded-Proto being HTTPS.

[ipsi]

Hey folks,

I'm trying to setup FreshRSS which uses this module to enable OIDC, and I'm having some issues getting it work. Specifically, I believe this module is redirecting the browser to the OIDC server (Authelia, in my case) but specifying http://freshrss.example.com/i/oidc as the redirect_url param, where it should be using https:

• GET https://freshrss.example.com responds with 302 → https://freshrss.example.com/i/?rid=684f3434e5da9
• GET https://freshrss.example.com/i/?rid=684f3434e5da9 responds with 302 → https://sso.example.com/api/oidc/authorization?response_type=code&scope=openid%20profile%20groups%20email&client_id=freshrss&state=Pi-WuYmW-p53E8wAihSo4-PSPEw&redirect_uri=http%3A%2F%2Ffreshrss.example.com%2Fi%2Foidc%2F&nonce=sVviq-R1t-X2rCglT5PHL2Y2x4o2pEFd3EhzWKh6SpI

Note the redirect_uri in the second response. I use Caddy as a reverse proxy, which is sending through x-forwarded-proto=https in the headers, so I'm a bit stumped as to why this is happening. Apache Configuration:

<IfDefine OIDC_ENABLED>
        <IfModule !auth_openidc_module>
                Error "The auth_openidc_module is not available. Install it or unset environment variable OIDC_ENABLED."
        </IfModule>

        # Workaround to be able to check whether an environment variable is set
        # See: https://serverfault.com/questions/1022233/using-ifdefine-with-environment-variables/1022234#1022234
        Define VStart "${"
        Define VEnd "}"

        OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
        OIDCClientID ${OIDC_CLIENT_ID}
        OIDCClientSecret ${OIDC_CLIENT_SECRET}

    OIDCSessionInactivityTimeout ${OIDC_SESSION_INACTIVITY_TIMEOUT}
    OIDCSessionMaxDuration ${OIDC_SESSION_MAX_DURATION}
    OIDCSessionType ${OIDC_SESSION_TYPE}

        OIDCRedirectURI /i/oidc/
        OIDCCryptoPassphrase ${OIDC_CLIENT_CRYPTO_KEY}

        Define "Test_${OIDC_REMOTE_USER_CLAIM}"
        <IfDefine Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
                OIDCRemoteUserClaim preferred_username
        </IfDefine>
        <IfDefine !Test_${VStart}OIDC_REMOTE_USER_CLAIM${VEnd}>
                OIDCRemoteUserClaim "${OIDC_REMOTE_USER_CLAIM}"
        </IfDefine>
        Define "Test_${OIDC_SCOPES}"
        <IfDefine Test_${VStart}OIDC_SCOPES${VEnd}>
                OIDCScope openid
        </IfDefine>
        <IfDefine !Test_${VStart}OIDC_SCOPES${VEnd}>
                OIDCScope "${OIDC_SCOPES}"
        </IfDefine>
        Define "Test_${OIDC_X_FORWARDED_HEADERS}"
        <IfDefine !Test_${VStart}OIDC_X_FORWARDED_HEADERS${VEnd}>
                OIDCXForwardedHeaders ${OIDC_X_FORWARDED_HEADERS}
        </IfDefine>

        # Can be overridden e.g. in /var/www/FreshRSS/p/i/.htaccess
        OIDCRefreshAccessTokenBeforeExpiry 30
</IfDefine>

The relevant environment variables are:

OIDC_SCOPES=openid profile groups email
OIDC_SESSION_MAX_DURATION=0
OIDC_PROVIDER_METADATA_URL=https://sso.example.com/.well-known/openid-configuration
OIDC_CLIENT_ID=freshrss
OIDC_CLIENT_SECRET=<secret>
OIDC_CLIENT_CRYPTO_KEY=<secret>
OIDC_ENABLED=1
OIDC_X_FORWARDED_HEADERS=X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto

If anyone has any suggestions for what's going on here, that would be appreciated!

Associated FreshRSS bug: FreshRSS/FreshRSS#7658

[zandbelt]

the server debug logs would show you what is happening i.e. if the header really is received etc.

[ipsi]

As is so often the casel, after fiddling with my configuration to enable debug logging it magically started working, and now I can't get it to fail again even after reverting back to the original configuration 😬 Very, very strange!