lokesh-lingarajan commented on pull request #11502: URL: https://github.com/apache/druid/pull/11502#issuecomment-888661264
@himanshug - We are using a classic load balancer with the vanilla configuration (nothing in the config is disabling X-Forwarding; not sure if we can disable it either). https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html

Tested the setup again and see that the first redirect URL generated by Druid looks something like:

    Location: https://dev-xxxxxxx.okta.com/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=code&redirect_uri=http%3A%2F%2Fdruid-lab.xxxxxx.cloud%3A8888%2Fdruid-ext%2Fdruid-pac4j%2Fcallback&state=MFvzwAZ_tCI5NLOmnV6w8Hgkj-rrAMJI2EWsLwPpzuc&nonce=xKhMtopqO6zR9dJus0tWRGNYXClvkPsaJuFUJb8Zx_M&client_id=0oa14f62kujIBNrtj5d7

If we look at the redirect URL inside the response, it is still http instead of https. Below is the code for computing this URL:

```java
// URL resolver quoted from pac4j: completes a relative URL with scheme://host[:port]
// taken from the incoming request, leaving absolute URLs untouched.
public String compute(String url, WebContext context) {
    if (this.completeRelativeUrl) {
        boolean relativeUrl = url != null && !url.startsWith("http") && !url.startsWith("https");
        if (context != null && relativeUrl) {
            StringBuilder sb = new StringBuilder();
            // Scheme and host come from the hop that reached Jetty, not from the load balancer.
            sb.append(context.getScheme()).append("://").append(context.getServerName());
            // Only append the port when it is not the default for the scheme.
            boolean notDefaultHttpPort = ContextHelper.isHttp(context) && context.getServerPort() != 80;
            boolean notDefaultHttpsPort = ContextHelper.isHttps(context) && context.getServerPort() != 443;
            if (notDefaultHttpPort || notDefaultHttpsPort) {
                sb.append(":").append(context.getServerPort());
            }
            sb.append(url.startsWith("/") ? url : "/" + url);
            return sb.toString();
        }
    }
    return url;
}
```

The line that builds the URL - `sb.append(context.getScheme()).append("://").append(context.getServerName());` - gets the correct DNS name from the web context but picks up the scheme as http; this is because the communication between the ELB and Druid is on http and the Jetty server is configured that way.

So as soon as Druid sends this redirect, Okta errors out with the following message:

    The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://dev-XXXXXXX-admin.okta.com/admin/app/oidc_client/instance/0oa14f62kujIBNrtj5d7#tab-general

I tried another experiment where I made the redirect URL in the Okta app "http" instead of "https"; this worked fine from Okta's perspective, but it failed to resolve the DNS, as expected. So this is clearly Okta rejecting the request as it sees the inner payload stating the redirect URL as http but is getting the actual data over the https protocol.

One question - you had mentioned this setup worked for you in the past; was your Druid setup on https as well?
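The mismatch described in the comment comes from the resolver taking the scheme and port of the hop that reached Jetty (plain http on 8888) rather than the scheme the client used at the load balancer. The following is an added example, not Druid's or pac4j's code and not part of the original comment: a resolver with the same contract as the quoted `compute(url, context)` that, when the deployment has explicitly declared the load balancer trusted, derives scheme and port from the `X-Forwarded-Proto` and `X-Forwarded-Port` headers a Classic ELB sets. `RequestView`, `ForwardedAwareUrlResolver` and the host `druid-lab.example.cloud` are assumptions made for this example; `RequestView` is a stand-in for pac4j's `WebContext`, exposing only what the resolver needs.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class ForwardedRedirectDemo {

    // Hypothetical stand-in for pac4j's WebContext (assumption for this example).
    interface RequestView {
        String scheme();                      // scheme of the hop that reached Jetty
        String serverName();                  // Host header value
        int serverPort();                     // port Jetty accepted the connection on
        Optional<String> header(String name); // request header lookup
    }

    // Constructed request for the demo; headers are supplied by the caller.
    record StubRequest(String scheme, String serverName, int serverPort,
                       Map<String, String> headers) implements RequestView {
        public Optional<String> header(String name) {
            return Optional.ofNullable(headers.get(name));
        }
    }

    static final class ForwardedAwareUrlResolver {
        // Only honour forwarded headers when an operator has declared that every request
        // reaches Jetty through a trusted proxy; otherwise a client could set them itself.
        private final boolean trustForwardedHeaders;

        ForwardedAwareUrlResolver(boolean trustForwardedHeaders) {
            this.trustForwardedHeaders = trustForwardedHeaders;
        }

        String compute(String url, RequestView ctx) {
            // Absolute URLs pass through unchanged, as in the quoted resolver.
            if (url == null || url.startsWith("http://") || url.startsWith("https://")) {
                return url;
            }
            String scheme = ctx.scheme().toLowerCase(Locale.ROOT);
            int port = ctx.serverPort();

            Optional<String> forwardedProto =
                trustForwardedHeaders ? ctx.header("X-Forwarded-Proto") : Optional.empty();
            if (forwardedProto.isPresent()) {
                scheme = forwardedProto.get().trim().toLowerCase(Locale.ROOT);
                // Accept only the two schemes a browser redirect can use.
                if (!scheme.equals("http") && !scheme.equals("https")) {
                    throw new IllegalArgumentException("unsupported X-Forwarded-Proto: " + scheme);
                }
                // The ELB listener port is what the client sees; if it is not forwarded,
                // the scheme's default port is the safest assumption (8888 is never right here).
                port = ctx.header("X-Forwarded-Port")
                          .map(p -> Integer.parseInt(p.trim()))
                          .orElse(defaultPort(scheme));
            }

            StringBuilder sb = new StringBuilder(scheme).append("://").append(ctx.serverName());
            if (port != defaultPort(scheme)) {
                sb.append(':').append(port);
            }
            sb.append(url.startsWith("/") ? url : "/" + url);
            return sb.toString();
        }

        private static int defaultPort(String scheme) {
            return scheme.equals("https") ? 443 : 80;
        }
    }

    public static void main(String[] args) {
        String callback = "/druid-ext/druid-pac4j/callback";
        // Constructed request: Jetty sees plain http on 8888, the ELB adds forwarded headers.
        RequestView behindElb = new StubRequest("http", "druid-lab.example.cloud", 8888,
            Map.of("X-Forwarded-Proto", "https", "X-Forwarded-Port", "443"));

        // Without trusting the proxy, the result matches the http://...:8888 redirect_uri
        // from the comment; with it, the redirect_uri becomes the https URL Okta expects.
        System.out.println("untrusted: " + new ForwardedAwareUrlResolver(false).compute(callback, behindElb));
        System.out.println("trusted:   " + new ForwardedAwareUrlResolver(true).compute(callback, behindElb));
    }
}
```

The trust flag is deliberate: forwarded headers are plain request headers, so honouring them is only safe when nothing can reach Jetty except through the ELB (security groups or a listener bound to the ELB's subnet). Jetty ships the same idea as `ForwardedRequestCustomizer`, which is usually the simpler fix when it can be enabled on the connector.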
