OpenID-connect redirect_uri incorrect protocol

Hi all,

I’m trying to support my colleagues in Cairo who have set up a DHIS2 instance with our AzureAD OpenID-Connect. The integration starts off OK, but for some reason the redirect_uri that gets sent to login.microsoft.com is http://edr.emro.who.int/oauth2/code/{tenant_id}, but the site is under https://.

They’ve offloaded https to NginX, and so I guess we could rewrite the header there.

Does anybody here have any idea why DHIS2 is sending a redirect_uri with http:// as the protocol?

We’ve set

server.https = on

We’ve also set the correct base_url and the correct

oidc.provider.azure.0.redirect_baseurl = https{etc}

Thanks in advance if anybody can help

Hey @markjaroski, thanks for reaching out and I hope you’ll find your answer here. I hope you and your friends in Cario can share your experiences in the CoP too. :grin: Is AzureAD the best option for you? What challenges do you face and how would you rate the service? Any story to share with the community is welcome. :blush::+1:

@morten does this have to do with integration? Thanks!

Hi

Our IDP is Azure. We don’t have any choice, so we have to make that work.

My question for the community is this: why is the redirect_uri being set to the http version of the base URL even though we’ve specified the HTTPS version?

Best, and happy holidays to all who are celebrating,

Mark

Well, that gives me the name of the person I need to talk with. Is Morton on this forum?

Hi
I hope that works for you. I asked about OpenID-connect … and maybe the reason behind the issue. However, while the right person gets back to you, would you add more details to your post?

As much information as possible so they know how to help you. Please refer to this post:

Best wishes,
@Gassim

For what it’s worth we’re going by this documentation: System Administration Guide - DHIS2 Documentation

1 Like

I checked the code out from github, and it looks like this is a documentation bug. It looks like the correct property name is:

oidc.provider.azure.0.redirect_url

It’s constructed here, in org.hisp.dhis.security.oidc.provider.AzureProfider.java:

builder.redirectUri( StringUtils.firstNonBlank(
            properties.getProperty( propertyPrefix + REDIRECT_URL ),
            DEFAULT_REDIRECT_TEMPLATE_URL ) );

And REDIRECT_URL, is inherited from AbstractProvider.java here:

    public static final String REDIRECT_URL = "redirect_url";

So I’ll fork, and submit a pull request for a change in the documentation.

2 Likes

It’s good to know that OpenID Connect is now supported so I’ll update those posts. Thank you for referencing the documentation.

If this solves the issue then we can mark it as solved thanks to you. :blush::+1:

@phil this solves the problem? Thanks!

I’m not 100% sure yet. I’m getting mixed reports, and of course today is not a working day in Cairo.

I’m setting a DHIS2 lab so I can test.

Thanks for the PR @markjaroski !

I’ve assigned it to the developer to review.

1 Like

I hope it’s right. I’m starting to worry though, because I’m hearing mixed results. I’m not 100% sure that we have the right version, and it’s already the weekend for the colleague who manages this.

I’ll try to talk with them on Sunday/Monday.

Yes, please. It’s solved. The PR is correct.

1 Like

Thank you very much. I’m glad you figured it out and helped the community too.

1 Like