Project Quay
PROJQUAY-10864

Login via OIDC does not respect SERVER_HOSTNAME (=> broken URLs)


    • Type: Bug
    • Resolution: Unresolved
    • quay-v3.16.2
    • -area/auth, config-tool, quay

      Workaround:

      Problem 1: Add http://quay/oauth2/auth0/callback as a valid Callback-URL to my OIDC provider, so Quay does not crash on start-up

      Problem 2: Set the Host header, in addition to the X-Forwarded-Host header, at the reverse-proxy level.


      Steps to reproduce:

      Problem 1:

      1. Configure an OIDC provider in Quay that does strict callback URL validation
      2. Start Quay and see it crash and print out the config validation table with an 'invalid_client' error

      Problem 2:

      1. Configure a reverse-proxy in front of Quay, responsible for TLS termination, that does not copy/fake the Host header (e.g. sets it to [::1]) and only sets X-Forwarded-Host
      2. Log in using an OIDC provider and see it use the Host header to redirect, at the very end, to a different address than configured in SERVER_HOSTNAME

      Hello,

      I have configured an on-premise Quay instance and configured it to use an 'authentik' instance as OIDC provider/server.

      Quay is running behind an nginx reverse proxy handling TLS termination.

      I identified two critical cases where URLs for Quay are not generated correctly and do not use the configured SERVER_HOSTNAME value.

      1. When Quay is starting and validating its configuration, the Callback-URL http://quay/oauth2/auth0/callback is generated.
        • I assume `quay` is taken from the container's hostname.
          I expected an https URL using SERVER_HOSTNAME.
          'auth0' is also not correct. Quay does not seem to use OpenID Connect Auto-Discovery to generate the correct Callback-URL
        • => I have to add http://quay/oauth2/auth0/callback as an allowed Callback-URL in my OIDC provider, otherwise Quay will crash on start-up
      2. At the end of a login flow using my OIDC provider, I am redirected to Quay at /oauth2/MY_PROVIDER_NAME/callback?code= where I am authenticated.
        But the header location: https://[::1]/ sends me to the wrong address
        • It looks like the final redirect after the login is using the Host header instead of the SERVER_HOSTNAME config option
          • This is highly unexpected to me, as my setup only sets the X-Forwarded-Host header by default.
          • The workaround is setting the Host header on the reverse-proxy

      Assignee: Unassigned
      Reporter: Christian Koop (spraxdev)
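Added example, not configuration from this issue or from the Quay project: an nginx server block for the reverse-proxy setup the report describes, first in the form that reproduces Problem 2 (only X-Forwarded-Host is set, so nginx's default Host value reaches Quay), then with the Host header forwarded as the workaround states. The upstream address [::1]:8080, the hostname quay.example.com (standing in for the value of SERVER_HOSTNAME) and the certificate paths are assumptions.

```nginx
# Added example; not nginx config from the issue or the Quay project.
# Assumptions: Quay listens on http://[::1]:8080 on the same host, nginx
# terminates TLS for quay.example.com (the value of SERVER_HOSTNAME), and
# the certificate lives under /etc/nginx/tls/. Keep exactly one of the
# two quay.example.com server blocks active.

# --- Variant A: reproduces the report (only X-Forwarded-Host is set) ---
# With no "proxy_set_header Host" line, nginx falls back to its default
# "Host $proxy_host", i.e. the upstream address from proxy_pass. Quay then
# sees "Host: [::1]:8080" and, as reported, ends the login flow with a
# redirect to https://[::1]/ instead of https://quay.example.com/.
server {
    listen 443 ssl;
    server_name quay.example.com;
    ssl_certificate     /etc/nginx/tls/quay.crt;
    ssl_certificate_key /etc/nginx/tls/quay.key;

    location / {
        proxy_pass http://[::1]:8080;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# --- Variant B: the workaround from the issue (Host forwarded as well) ---
# Forwarding Host makes the value Quay reads equal to the public hostname,
# so the redirect built from it matches SERVER_HOSTNAME.
server {
    listen 443 ssl;
    server_name quay.example.com;
    ssl_certificate     /etc/nginx/tls/quay.crt;
    ssl_certificate_key /etc/nginx/tls/quay.key;

    location / {
        proxy_pass http://[::1]:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Catch-all: a request whose Host header does not match server_name is
# closed (444) and never reaches Quay with an unexpected Host value.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/quay.crt;
    ssl_certificate_key /etc/nginx/tls/quay.key;
    return 444;
}
```

Because the report shows Quay deriving the post-login redirect from the Host header rather than from SERVER_HOSTNAME, the proxy is the component that decides what that redirect points at; the catch-all block bounds $host to the expected name, and Quay's own port should only be reachable through the proxy so that no request arrives with a Host value the proxy did not set.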