After IG redirects to AM during the OIDC flow, you notice that the redirect_uri parameter shows a URL that uses the http protocol instead of https.
The following error may be shown in the route-auth log when this happens:
10:29:16:889 | ERROR | http-bio-8080-exec-4 | o.f.o.f.o.c.OAuth2ClientFilter | error="invalid_request", error_description="SSL is required in order to perform this operation"
- Configured IG to use OIDC.
- Configured a reverse proxy or load balancer in front of IG to offload SSL/TLS.
When OAuth2 is used with IG (via the OAuth2ClientFilter) and SSL/TLS is terminated in front of IG, IG receives the request over plain HTTP and consequently builds the redirect_uri with the http scheme. AM rejects the request because the registered redirect_uri is an https URL, and, as the error above shows, because the operation requires SSL. This is a known issue: OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS).
This issue can be resolved using one of the following options:
- Configure Tomcat for SSL offloading - this option is simple to implement and is suitable if all routes share the same external URL.
- Configure a route with a ScriptableFilter to manipulate the originalUri value - this option allows a per-route definition but is more complex to set up.
Configure Tomcat for SSL offloading
You can configure Tomcat for SSL offloading by specifying the proxyName, proxyPort and scheme attributes in the <Connector> element in the server.xml file, for example:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" proxyName="proxy.example.com" proxyPort="443" scheme="https" />
See Apache Tomcat 8 - Proxy Support How-To for further information.
Configure a route with a ScriptableFilter
You can configure a route with a ScriptableFilter to manipulate the originalUri value. The originalUri is used when creating the redirection URI. Essentially, the script needs to read the X-Forwarded-* headers set by the proxy, rewrite the originalUri accordingly, and set the rewritten value in the Location header. The Service Broker documentation provides a scripted solution that manipulates the originalUri value before the OAuth2ClientFilter is called, which you can use as an example to get started: User Guide › Preparing IG for ForgeRock Service Broker.
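The rewrite that the script has to perform is independent of IG itself: take the URI as IG received it over plain HTTP, replace the scheme, host and port with the values the SSL-offloading proxy reports in X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, and use the result as the external URI. The following Python is an added, stand-alone illustration of that logic; it is not IG's API, not the Service Broker script, and not code from this article. The header names are the conventional de-facto ones (the exact headers your proxy sets are an assumption you must confirm), the sample request URI and header values are constructed, and the `from_trusted_proxy` flag stands in for whatever check you use to know that the request really arrived through your proxy, since X-Forwarded-* headers are otherwise client-controlled.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: what IG sees after the load balancer has terminated
# TLS and forwarded the callback to IG over plain HTTP on port 8080.
SAMPLE_INTERNAL_URI = "http://ig-internal.example.com:8080/openid/callback?state=abc"
SAMPLE_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "ig.example.com",
    "X-Forwarded-Port": "443",
}


def _first(value):
    """Proxies may append values ('https, http'); the first is the client-facing one."""
    return value.split(",")[0].strip() if value else None


def external_uri(internal_uri, headers, from_trusted_proxy):
    """Rebuild the URI the client actually used, from the internal URI plus
    the proxy's X-Forwarded-* headers.

    Only honour the forwarded headers when the request is known to come from
    the offloading proxy; otherwise a client could choose the scheme/host of
    the redirect_uri that IG sends to AM. IPv6 host literals are not handled.
    """
    parts = urlsplit(internal_uri)
    if not from_trusted_proxy:
        return internal_uri

    scheme = (_first(headers.get("X-Forwarded-Proto")) or parts.scheme).lower()
    if scheme not in DEFAULT_PORTS:
        # Reject anything that is not a plain web scheme rather than echo it.
        raise ValueError(f"unexpected forwarded scheme: {scheme!r}")

    fwd_host = _first(headers.get("X-Forwarded-Host"))
    if fwd_host:
        # X-Forwarded-Host may carry its own port (host:port).
        host, _, host_port = fwd_host.partition(":")
    else:
        host, host_port = parts.hostname, str(parts.port) if parts.port else ""

    # An explicit X-Forwarded-Port wins over a port embedded in the host.
    port = _first(headers.get("X-Forwarded-Port")) or host_port
    if port and int(port) != DEFAULT_PORTS[scheme]:
        netloc = f"{host}:{port}"
    else:
        netloc = host  # omit the default port, as a browser would

    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Trusted proxy: the redirect_uri becomes the https URL AM expects.
    print(external_uri(SAMPLE_INTERNAL_URI, SAMPLE_HEADERS, from_trusted_proxy=True))
    # Untrusted origin: forwarded headers are ignored and the URI is unchanged.
    print(external_uri(SAMPLE_INTERNAL_URI, SAMPLE_HEADERS, from_trusted_proxy=False))
```

The same two facts drive the Tomcat option above: proxyName/proxyPort/scheme tell Tomcat statically what the forwarded headers would tell the script dynamically. Whichever option you pick, verify the result the same way the symptom was found: capture the redirect to AM and check that redirect_uri now starts with https and matches the value registered for the client.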