When openid-connect does a redirect, it does not propagate returnUrl as part of the 'Location' header, though it does seem to store returnUrl information as part of the session cookie and, upon login, it lands on the returnUrl page correctly.
The issue happens if the user does not actually perform the login operation but retracts and does some other operation, which would take the returnUrl from the Location header and, based on that, land on the returnUrl page.
Here we can see that returnUrl does not get appended as queryParam as part of Location header.
Expected Behavior
We would expect returnUrl to be appended as queryParam as part of the Location header so that it is propagated and can be made use of for subsequent operations.
Click sign in. The route is called where openid-connect is applied.
Login page is called with returnUrl = www.a.b.c/d, e.g.: /auth/login?returnUrl = www.a.b.c/d. When openid-connect does a redirect to the authorization endpoint, it does not append returnUrl as part of the Location header.
Now the user tries Create account; returnUrl does not get passed and, as a result, after create account and an OIDC flow, the user does not land on 'www.a.b.c/d'.
APISIX version (run apisix version): 3.9.1
Operating system (run uname -a): Kubernetes-compatible Linux x86
OpenResty / Nginx version (run openresty -V or nginx -V):
etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info): 3.5.10
APISIX Dashboard version, if relevant:
Plugin runner version, for issues related to plugin runners:
LuaRocks version, for installation issues (run luarocks --version):
Error Logs
@juzhiyuan, @yardenshoham - Please take a look
Steps to Reproduce
```yaml
- name: route-auth-login-apisix
  id: route-auth-login-apisix
  uris:
    - /auth/authenticate-user
    - /auth/logout
    - /auth/login
    - /auth/login/v2
  plugins:
    proxy-rewrite:
      _meta:
        disable: false
      headers:
        remove:
          - x-kong-username
          - x-kong-userid
          - user_context
          - user_context_encoded
          - userid
          - username
          - x-userinfo
          - x-access-token
          - x-id-token
        set:
          x-kong-userinfo: $http_x_userinfo
          x-apisix-latency: $request_time
          x-apisix-location: '/auth/login'
          x-forwarded-host: $http_x_host_header
          host: $http_x_host_header
          Accept-Encoding: ''
          env-host: $env_host
          tfcom-request-domain: $http_x_host_header
          tfcom-request-env: $request_env
          X-Nginx-Request-ID: $request_id
          x-nginx-region: $AWS_REGION
          x-webserver-region: $AWS_REGION
          x-app-region: $AWS_REGION
          server_domain: $server_name
      use_real_request_uri_unsafe: false
    return-url-register:
      _meta:
        disable: true
    openid-connect:
      client_id: iQNigGp5De3AaIfNhgNj_eyE
      client_secret: f3zxMY0XDYohTj6Vrdz-xFat20NaGmMqD0O6YKUg917mALUqE6ySdvoVO2XsMj2SAkmHGbX1RDHrdYEG1O5Qmw
      discovery: https://qa-identity.thermofisher.com/api-gateway/identity-authorization/identity/oidc/op/.well-known/openid-configuration
      scope: openid profile email username address
      timeout: 10
      session:
        secret: njA76aG3n7EgrjgzpvwnBuyWEACZ2CTW
        cookie:
          lifetime: 3600
      logout_redirect_uri: https://www.qa.thermofisher.com
      ssl_verify: false
      accept_none_alg: false
      accept_unsupported_alg: true
      force_reauthorize: false
      renew_access_token_on_expiry: false
      revoke_tokens_on_logout: true
      use_nonce: true
      logout_path: /auth/logout/oidc
      post_logout_redirect_uri: https://www.qa.thermofisher.com
      redirect_uri: /auth/login/v2
      authorization_params:
        regRedirectUri: https://www.qa.thermofisher.com/auth/login/create
        signInRedirectUri: https://www.qa.thermofisher.com/auth/login
        #returnUrl: "${test}"
        # mktConsent: false
        # companyEmailCheck: false
    set-identity-headers:
      _meta:
        disable: false
      upstream_headers_claims:
        - sub
        - username
      upstream_headers_names:
        - x-kong-userid
        - x-kong-username
      user_info_header_name: x-kong-userinfo
  priority: 15
```
The other problem here is that openid-connect does not seem to have a way to pass returnUrl dynamically.
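The behaviour reported above can be checked from the 302 response alone. The following is an added example, not part of the original issue and not APISIX code: it reports whether a Location header carries returnUrl and appends the value only when its host is on an allowlist, because a gateway that forwards a caller-supplied returnUrl unchecked becomes an open redirect. The sample Location value, the idp.example and gateway.example hosts, and ALLOWED_RETURN_HOSTS are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: hosts the gateway is willing to send users back to.
ALLOWED_RETURN_HOSTS = {"www.a.b.c"}

# Constructed sample of the redirect described in the issue: the static
# authorization_params are present, returnUrl is not.
SAMPLE_LOCATION = (
    "https://idp.example/authorize?response_type=code&client_id=CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fgateway.example%2Fauth%2Flogin%2Fv2"
    "&scope=openid+profile&state=STATE&nonce=NONCE"
    "&signInRedirectUri=https%3A%2F%2Fgateway.example%2Fauth%2Flogin"
)


def return_url_in_location(location):
    """Return the returnUrl query parameter of a Location header, or None."""
    params = dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))
    return params.get("returnUrl")


def is_safe_return_url(value):
    """Accept an https URL, or a scheme-less host/path as used in the issue,
    only when its host is exactly one of the allowlisted hosts."""
    # Reject characters that browsers and parsers interpret differently.
    if not value or any(c in value for c in "\\\r\n\t "):
        return False
    candidate = value if "://" in value else "https://" + value
    try:
        parts = urlsplit(candidate)
        # hostname ignores any userinfo, so "allowed@other-host" is rejected.
        return parts.scheme == "https" and parts.hostname in ALLOWED_RETURN_HOSTS
    except ValueError:
        return False


def with_return_url(location, return_url):
    """Return location with returnUrl appended, or unchanged if it is unsafe."""
    if not is_safe_return_url(return_url):
        return location
    parts = urlsplit(location)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "returnUrl"]
    query.append(("returnUrl", return_url))
    return urlunsplit(parts._replace(query=urlencode(query)))
```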