Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/07/28 22:28:00 UTC

[GitHub] [druid] lokesh-lingarajan edited a comment on pull request #11502: Adding custom callback url for pac4j config to support ssl termination at ELB

lokesh-lingarajan edited a comment on pull request #11502:
URL: https://github.com/apache/druid/pull/11502#issuecomment-888661264


   @himanshug - We are using a classic load balancer with a vanilla configuration (nothing in the config is disabling x-forwarding; not sure if we can disable it too). https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html
   
   Tested the setup again and the first redirect URL generated by Druid looks something like:
   
   Location: https://dev-xxxxxxx.okta.com/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=code&redirect_uri=http%3A%2F%2Fdruid-lab.xxxxxx.cloud%3A8888%2Fdruid-ext%2Fdruid-pac4j%2Fcallback&state=MFvzwAZ_tCI5NLOmnV6w8Hgkj-rrAMJI2EWsLwPpzuc&nonce=xKhMtopqO6zR9dJus0tWRGNYXClvkPsaJuFUJb8Zx_M&client_id=0oa14f62kujIBNrtj5d7
   
   If we look at the redirect URL inside the response, it is still http instead of https.
   
   Below is the code for computing this URL:
   
   public String compute(String url, WebContext context) {
     if (this.completeRelativeUrl) {
       boolean relativeUrl = url != null && !url.startsWith("http") && !url.startsWith("https");
       if (context != null && relativeUrl) {
         StringBuilder sb = new StringBuilder();
         // Scheme and host are taken from the request as Jetty received it (http behind the ELB).
         sb.append(context.getScheme()).append("://").append(context.getServerName());
         boolean notDefaultHttpPort = ContextHelper.isHttp(context) && context.getServerPort() != 80;
         boolean notDefaultHttpsPort = ContextHelper.isHttps(context) && context.getServerPort() != 443;
         if (notDefaultHttpPort || notDefaultHttpsPort) {
           sb.append(":").append(context.getServerPort());
         }
         sb.append(url.startsWith("/") ? url : "/" + url);
         return sb.toString();
       }
     }
     return url;
   }
   
   The line that builds the URL - sb.append(context.getScheme()).append("://").append(context.getServerName()); -
   
   gets the correct DNS name from the web context, but it picks up the scheme as http. This is because the communication between the ELB and Druid is on http and the Jetty server is configured that way.
   
   So as soon as Druid sends this redirect, Okta errors out with the following message:
   
   The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://dev-XXXXXXX-admin.okta.com/admin/app/oidc_client/instance/0oa14f62kujIBNrtj5d7#tab-general
   
   I tried another experiment where I made the redirect URL in the Okta app "http" instead of "https". This worked fine from the Okta perspective, but it failed to resolve the DNS, as expected. So this is clearly Okta rejecting the request as it sees the inner payload stating the redirect URL as http but gets the actual data over the https protocol.
   
   One question - you had mentioned this setup worked for you in the past; was your Druid setup on https as well?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

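As an added example (not code from this PR or from pac4j), the resolver below shows the two defensive ways out of the problem described in the comment: an explicitly configured absolute callback URL, which is what this PR adds, or deriving the scheme and port from X-Forwarded-Proto/X-Forwarded-Port only when a proxy we control sets them. `RequestContext`, `CallbackUrlResolver` and the host name are assumptions for this example.

```java
import java.util.Optional;

// Stand-in for the request context (an assumption for this example, not pac4j's WebContext).
interface RequestContext {
    String getScheme();
    String getServerName();
    int getServerPort();
    Optional<String> getHeader(String name);
}

public final class CallbackUrlResolver {
    // configuredCallbackUrl: absolute URL from config, or null to derive one from the request.
    // behindTrustedProxy: true only when a proxy we control (the ELB) is the one setting X-Forwarded-*.
    public static String compute(String url, RequestContext ctx, String configuredCallbackUrl, boolean behindTrustedProxy) {
        if (configuredCallbackUrl != null && !configuredCallbackUrl.isEmpty()) {
            return configuredCallbackUrl; // explicit configuration wins; nothing is inferred from the request
        }
        boolean relative = url != null && !url.startsWith("http://") && !url.startsWith("https://");
        if (ctx == null || !relative) return url;
        // Start from what Jetty saw (plain http behind a TLS-terminating ELB) and override it with the
        // forwarded scheme/port only from a trusted proxy; otherwise any client could pick the redirect_uri's scheme and port.
        String scheme = ctx.getScheme();
        int port = ctx.getServerPort();
        if (behindTrustedProxy) {
            String proto = ctx.getHeader("X-Forwarded-Proto").orElse("").trim().toLowerCase();
            if (proto.equals("https") || proto.equals("http")) {
                scheme = proto;
                String fallback = proto.equals("https") ? "443" : "80";
                port = Integer.parseInt(ctx.getHeader("X-Forwarded-Port").orElse(fallback).trim());
            }
        }
        boolean defaultPort = (scheme.equals("http") && port == 80) || (scheme.equals("https") && port == 443);
        StringBuilder sb = new StringBuilder(scheme).append("://").append(ctx.getServerName());
        if (!defaultPort) sb.append(':').append(port);
        return sb.append(url.startsWith("/") ? url : "/" + url).toString();
    }

    public static void main(String[] args) {
        // Constructed request as Jetty sees it behind the ELB: http on 8888, with ELB-supplied forwarding headers.
        RequestContext ctx = new RequestContext() {
            public String getScheme() { return "http"; }
            public String getServerName() { return "druid-lab.example.cloud"; }
            public int getServerPort() { return 8888; }
            public Optional<String> getHeader(String n) {
                return Optional.ofNullable("X-Forwarded-Proto".equals(n) ? "https" : "X-Forwarded-Port".equals(n) ? "443" : null);
            }
        };
        System.out.println(compute("/druid-ext/druid-pac4j/callback", ctx, null, true));
    }
}
```

With `behindTrustedProxy` set to false the call reproduces the comment's observation (an http URL with port 8888), so the flag should only be enabled where the ELB is the sole source of the forwarding headers.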