- Bug
- Resolution: Done
- Major
- 2.4 GA, 2.9 GA
When APIcast sends a request to "http://someurl:80" or "https://someurl:443", the port is included in the Host header.
This causes a problem, especially when integrating with RH SSO, because most tools strip the default ports 80 and 443 from the Host header.
So if a user requests a token from RH SSO using curl, Postman, etc. and includes the port, e.g. "https://rhsso-url:443", the tool strips ":443" before sending the request, and the user ends up with a token whose issuer is "https://rhsso-url".
However, if the user has configured their API service's OpenID Connect Issuer with the same URL "https://rhsso-url:443" (our docs state to include the port), APIcast fetches the OpenID configuration using "rhsso-url:443" as the Host header, receives a configuration with an issuer of "https://rhsso-url:443", and the issuer claim check then fails.
So, to align with most tools, we should strip these standard ports to avoid this kind of issue.
Relevant code:
https://github.com/3scale/APIcast/blob/6f6aeb034e0c388c9280c6e259f4ff9303be859f/gateway/src/resty/http_ng/request.lua#L23
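To illustrate the mismatch described above, here is an added Python example (not APIcast's own code): `host_header` builds the Host header with and without stripping default ports, and a constructed stand-in for the RH SSO discovery endpoint echoes the Host header back into `issuer`, so the issuer-claim check can be replayed for both behaviours. The hostnames are placeholders taken from the report.

```python
from urllib.parse import urlsplit

# Default ports per scheme (RFC 7230: a Host header omits the default port).
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url: str, strip_default_port: bool = True) -> str:
    """Build the HTTP Host header value for a URL.

    strip_default_port=False reproduces the behaviour in the bug report
    (the port is always kept); True matches what curl, Postman and most
    other clients send. IPv6 literals are re-bracketed as the header needs.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal, urlsplit strips the brackets
        host = f"[{host}]"
    port = parts.port
    if port is None or (strip_default_port and DEFAULT_PORTS.get(parts.scheme) == port):
        return host
    return f"{host}:{port}"


def fake_openid_configuration(scheme: str, host_header_value: str) -> dict:
    """Constructed stand-in for RH SSO's .well-known/openid-configuration.

    Like the real server in the report, it derives the issuer from the
    Host header it received, so the port in the header ends up in `iss`.
    """
    return {"issuer": f"{scheme}://{host_header_value}"}


def issuer_claim_ok(configured_issuer: str, token_iss: str, strip_default_port: bool) -> bool:
    """Replay APIcast's check: fetch discovery with the Host header built
    from the configured issuer URL, then compare against the token's iss."""
    scheme = urlsplit(configured_issuer).scheme
    hh = host_header(configured_issuer, strip_default_port)
    discovered = fake_openid_configuration(scheme, hh)["issuer"]
    return discovered == token_iss


if __name__ == "__main__":
    # Token obtained with curl against https://rhsso-url:443 -> iss without port.
    token_iss = "https://rhsso-url"
    for strip in (False, True):
        ok = issuer_claim_ok("https://rhsso-url:443", token_iss, strip)
        print(f"strip_default_port={strip}: issuer check {'passes' if ok else 'fails'}")
```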