Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-2235

APIcast should strip standard ports for http/https on requests

    XMLWordPrintable

Details

    • No
    • +

    Description

      When APIcast sends a request to "http://someurl:80" or "https://someurl:443" the port is included in the host header.

      This causes a problem, especially with integration for RH SSO, because most tools will strip these ports "80/443" from the host header.

      So say a user requests a token from RH SSO using curl, Postman, etc and they include the port "https://rhsso-url:443", the tools will strip the port ":443" before sending the request. This means that the user will end up with a token for issuer "https://rhsso-url".

      However, if the user has configured their API service OpenID Connect Issuer with the same url "https://rhsso-url:443", as our docs state to include the port, then APIcast will fetch the openid configuration using "rhsso-url:443" as the host header and it will then receive a configuration with an issuer of "https://rhsso-url:443" which then fails the issuer claim check.

      So in order to align with most tools, we should strip these standard ports to avoid these types of issues.

      Relevant code:
      https://github.com/3scale/APIcast/blob/6f6aeb034e0c388c9280c6e259f4ff9303be859f/gateway/src/resty/http_ng/request.lua#L23

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              rhn-support-spoole Shannon Poole
              Eloy Coto Eloy Coto
              Eloy Coto Eloy Coto
              David Rajnoha David Rajnoha
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: