IG (All versions) redirects to HTTP when a reverse proxy or load balancer is doing SSL/TLS offloading
The purpose of this article is to provide assistance if IG redirects to a URL using the http protocol instead of the expected https protocol. End-users may see "The information you're about to submit is not secure" warnings in the Chrome™ browser and you may see "SSL is required in order to perform this operation" in the logs as well. This issue occurs when IG is protecting a resource using OIDC with a reverse proxy or load balancer (such as Nginx) doing SSL/TLS offloading in front of IG.
Symptoms
After IG redirects to AM during the OIDC flow, you notice that the redirect_uri parameter shows a URL that uses the http protocol instead of https. The Chrome browser may show the following warning to the end-user:
The information you're about to submit is not secure.
The following error may be shown in the route -auth log when this happens:
10:29:16:889 | ERROR | http-bio-8080-exec-4 | o.f.o.f.o.c.OAuth2ClientFilter | error="invalid_request", error_description="SSL is required in order to perform this operation"
Recent Changes
Configured IG to use OIDC.
Configured a reverse proxy or load balancer in front of IG to offload SSL/TLS.
Causes
When OAuth2 is being used with IG (via the OAuth2ClientFilter), IG sees the request in HTTP and consequently sets the redirect_uri to the HTTP version. This causes an error because the redirect_uri is configured for an HTTPS URL. This is a known issue: OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS).
Solution
This issue can be resolved using one of the following options:
- Configure Apache Tomcat™ for SSL offloading: this option is simple to implement. It is suitable if all routes have the same external URL and you have deployed IG on Tomcat.
- Configure a route with a ScriptableFilter to manipulate the originalUri value: this option allows a per-route definition but is more complex to set up. It is suitable for IG in both web container mode and standalone mode (IG 7 and later).
Configure Tomcat for SSL offloading
You can configure Tomcat for SSL offloading by specifying the proxyName, proxyPort and scheme attributes in the <Connector> element in the server.xml file, for example:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" proxyName="proxy.example.com" proxyPort="443" scheme="https" />
With these attributes Tomcat reports the external proxy host, port and scheme to the deployed application instead of the values of its own plain HTTP listener, so IG builds the redirect_uri with https. If anything deployed on the same container also relies on request.isSecure(), add secure="true" to the same <Connector> (the secure attribute is documented with the other HTTP connector attributes). See Apache Tomcat 8 - Proxy Support How-To for further information.
Configure a route with a ScriptableFilter
You can configure a route with a ScriptableFilter to reconstruct the UriRouterContext using the original URL details (originalUri). The originalUri is used when creating the redirection URI. The filter must be placed before the OAuth2ClientFilter in the route's chain, for example:
{
  "type": "ScriptableFilter",
  "name": "RequestRebaserFilter",
  "comment": "Rebase the request to use the original scheme, host and port",
  "config": {
    "type": "application/x-groovy",
    "source": [
      "Request newRequest = new Request(request);",
      "org.forgerock.util.Utils.closeSilently(request);",
      "newRequest.uri.scheme = request.headers['X-Forwarded-Proto'].firstValue",
      "newRequest.uri.host = request.headers['X-Forwarded-Host'].firstValue",
      "newRequest.uri.port = request.headers['X-Forwarded-Port'].firstValue as Integer",
      "newRequest.headers['Host'] = newRequest.uri.host;",
      "logger.info('Received request : ' + request.uri + ' rebased to ' + newRequest.uri);",
      "Context newRoutingContext = org.forgerock.http.routing.UriRouterContext.uriRouterContext(context).originalUri(newRequest.uri.asURI()).build();",
      "return next.handle(newRoutingContext, newRequest);"
    ]
  }
},
Essentially, the script takes the scheme, host and port from the X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port headers, rebases the request URI with them, and builds a new UriRouterContext whose originalUri is the rebased URI. The OAuth2ClientFilter then derives redirect_uri from that originalUri, so the Location header of the redirect to AM carries the external https URL. Two points to check before deploying it: the reverse proxy or load balancer must send all three X-Forwarded headers on every request, because the script dereferences each one and fails with a NullPointerException if any is missing; and IG must only be reachable through the proxy (or the proxy must overwrite these headers), because a client that can reach IG directly could otherwise supply its own X-Forwarded-Host and have redirect_uri rebased to a host of its choosing.
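As an added example (it is not part of this article and not a ForgeRock-supplied configuration), the following Nginx configuration shows the proxy side that the ScriptableFilter above depends on. It assumes Nginx terminates TLS for proxy.example.com on port 443 and forwards to IG listening on plain HTTP at 127.0.0.1:8080; the certificate and key paths are placeholders.

```nginx
# Added example: Nginx doing SSL/TLS offloading in front of IG.
# Assumes IG listens on 127.0.0.1:8080 (plain HTTP) and the external
# name is proxy.example.com. Certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate     /etc/nginx/tls/proxy.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.example.com.key;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Headers read by the RequestRebaserFilter. proxy_set_header replaces
        # any value the client sent, so IG only ever sees the proxy's values.
        proxy_set_header X-Forwarded-Proto $scheme;       # "https" on this listener
        proxy_set_header X-Forwarded-Host  $host;         # proxy.example.com
        proxy_set_header X-Forwarded-Port  $server_port;  # 443
        proxy_set_header Host              $host;
    }
}

# Redirect plain HTTP to HTTPS so an OIDC flow never starts over http.
server {
    listen 80;
    server_name proxy.example.com;
    return 301 https://$host$request_uri;
}
```

Because proxy_set_header overwrites client-supplied values, a request that arrives at Nginx with a forged X-Forwarded-Host is passed to IG with the proxy's own host name; this only holds if port 8080 on the IG host is not reachable from clients other than the proxy. With the Tomcat option instead, the <Connector> attributes supply the scheme, host and port and these headers are not needed by IG.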
See Also
Related Training
N/A
Related Issue Tracker IDs
OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS)
OPENIG-2571 (OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI)