
IG (All versions) redirects to HTTP when deployed on Apache Tomcat with a reverse proxy doing SSL/TLS offloading

Last updated Aug 10, 2020

The purpose of this article is to provide assistance if IG redirects to a URL using the http protocol instead of the expected https protocol. You may also see "SSL is required in order to perform this operation" in the logs. This issue occurs when IG is protecting a resource using OIDC and is deployed on Apache Tomcat™ behind a reverse proxy or load balancer (such as Nginx) that offloads SSL/TLS, so that the connection between the proxy and IG is plain HTTP.


Symptoms

After IG redirects to AM during the OIDC flow, you notice that the redirect_uri parameter shows a URL that uses the http protocol instead of https.

The following error may be shown in the route log (route-auth) when this happens:

10:29:16:889 | ERROR | http-bio-8080-exec-4 | o.f.o.f.o.c.OAuth2ClientFilter | error="invalid_request", error_description="SSL is required in order to perform this operation"

Recent Changes

Configured IG to use OIDC.

Configured a reverse proxy or load balancer in front of IG to offload SSL/TLS.

Causes

When OAuth2 is used with IG (via the OAuth2ClientFilter), the proxy terminates TLS and forwards the request to Tomcat over plain HTTP, so IG sees an http request URI and derives the redirect_uri from it. The resulting http redirect_uri does not match the https redirect_uri registered for the client, which causes the error. This is a known issue: OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS).

Solution

This issue can be resolved using one of the following options:

  • Configure Tomcat for SSL offloading - this option is simple to implement and is suitable if every request arriving on the connector is reached through the same external scheme, host and port, because the connector settings apply to all routes.
  • Configure a route with a ScriptableFilter to manipulate the originalUri value - this option allows a per-route definition but is more complex to set up.

Configure Tomcat for SSL offloading

You can configure Tomcat for SSL offloading by specifying the proxyName, proxyPort and scheme attributes in the <Connector> element in the server.xml file. Tomcat then reports the external host, port and scheme for every request on that connector, so IG builds the redirect_uri with https. Because this is static, the connector should only be reachable through the proxy; if the proxy sends X-Forwarded-Proto and you need the scheme decided per request, the Tomcat RemoteIpValve described in the same How-To is the alternative. For example:

    <Connector
        port="8080"
        protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8443"
        proxyName="proxy.example.com"
        proxyPort="443"
        scheme="https"
    />

See Apache Tomcat 8 - Proxy Support How-To for further information.

Configure a route with a ScriptableFilter

You can configure a route with a ScriptableFilter that rewrites the originalUri value, which IG uses when creating the redirection URI. The script reads the X-Forwarded-* headers added by the proxy (X-Forwarded-Proto and X-Forwarded-Host), rebuilds originalUri with the external https scheme and host, and stores it in the request context before the OAuth2ClientFilter runs, so the Location header and redirect_uri that the filter generates use the external URL. Because the script trusts these headers, make sure the proxy overwrites any X-Forwarded-* headers supplied by clients and that IG is not reachable except through the proxy; otherwise a client can forge them and control where the redirect points. The Service Broker documentation provides a scripted solution that manipulates the originalUri value before the OAuth2ClientFilter is called, which you can use as an example to get started: User Guide › Preparing IG for ForgeRock Service Broker
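The logic such a script has to implement, written here in Python as an added example rather than IG's Groovy script or the Service Broker route: rebuild the client-facing URI from X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, but only when the request was delivered by a trusted proxy and only for an expected external hostname, then derive the redirect_uri from it. The proxy address range, the allowed hostname, the sample request and the /home/id_token clientEndpoint with its /callback suffix are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values (not from the article): the address range the
# TLS-offloading proxy connects from, and the hostnames clients may use.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("127.0.0.0/8")]
ALLOWED_EXTERNAL_HOSTS = {"proxy.example.com"}
DEFAULT_PORTS = {"http": "80", "https": "443"}


def _first(value):
    """Chained proxies may comma-join X-Forwarded-* values; use the first hop."""
    return value.split(",")[0].strip()


def external_uri(original_uri, headers, peer_ip,
                 trusted_nets=TRUSTED_PROXY_NETS,
                 allowed_hosts=ALLOWED_EXTERNAL_HOSTS):
    """Rebuild the URI as the browser requested it from the proxy.

    original_uri: the URI as Tomcat/IG saw it (plain http, internal host).
    headers:      request headers; names are matched case-insensitively.
    peer_ip:      address of the TCP peer that delivered the request.

    Forwarded headers are honoured only when the peer is a trusted proxy;
    a client talking to IG directly could otherwise forge X-Forwarded-Host
    and make redirect_uri point at a host of its choosing. The forwarded
    host must also be one of the expected external hostnames.
    """
    parts = urlsplit(original_uri)
    if not any(ipaddress.ip_address(peer_ip) in net for net in trusted_nets):
        return original_uri  # untrusted peer: ignore its headers entirely
    h = {k.lower(): v for k, v in headers.items()}
    scheme = _first(h.get("x-forwarded-proto", parts.scheme)).lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unexpected forwarded scheme: {scheme!r}")
    host = _first(h.get("x-forwarded-host", parts.netloc)).lower()
    hostname, _, port = host.partition(":")
    port = _first(h.get("x-forwarded-port", port))
    if hostname not in allowed_hosts:
        raise ValueError(f"forwarded host not allowed: {hostname!r}")
    # Drop the port when it is the default for the scheme, as a browser would.
    netloc = hostname if port in ("", DEFAULT_PORTS[scheme]) else f"{hostname}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def oidc_redirect_uri(original_uri, headers, peer_ip,
                      client_endpoint="/home/id_token"):
    """redirect_uri built from the external URI (clientEndpoint and the
    /callback suffix are assumed values, not taken from the article)."""
    base = urlsplit(external_uri(original_uri, headers, peer_ip))
    return urlunsplit((base.scheme, base.netloc,
                       client_endpoint + "/callback", "", ""))


# Constructed sample: what Tomcat sees after Nginx has terminated TLS.
SAMPLE_URI = "http://ig.internal:8080/home/protected?x=1"
SAMPLE_HEADERS = {"Host": "ig.internal:8080",
                  "X-Forwarded-Proto": "https",
                  "X-Forwarded-Host": "proxy.example.com",
                  "X-Forwarded-Port": "443"}

if __name__ == "__main__":
    print("seen by IG  :", SAMPLE_URI)
    print("external    :", external_uri(SAMPLE_URI, SAMPLE_HEADERS, "10.0.0.5"))
    print("redirect_uri:", oidc_redirect_uri(SAMPLE_URI, SAMPLE_HEADERS, "10.0.0.5"))
```

Without the rewrite, the redirect_uri would be built from SAMPLE_URI and start with http://ig.internal:8080, which is the mismatch behind the "SSL is required" error. The two guards (trusted peer, allowed hostname) are the part the Service Broker script does not do for you, so add the equivalent checks, or enforce them at the proxy, before trusting forwarded headers in a real route.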

See Also

Configuration Reference › OAuth2ClientFilter

User Guide › Preparing IG for ForgeRock Service Broker

Related Training

N/A

Related Issue Tracker IDs

OPENIG-3913 (Provide more flexibility around the generation of the OAuth2ClientFilter clientEndpoint URIs)

OPENIG-3748 (When SSL is offloaded before IG, the redirect is HTTP and not HTTPS)

OPENIG-2571 (OAuth2ResourceServerFilter requireHttps=true applies to rebased request URI)

OPENIG-1664 (Provide support for basic URI path rewriting)



Copyright © 2020 ForgeRock, all rights reserved.