OpenID-connect redirect_uri incorrect protocol

Hi all,

I’m trying to support my colleagues in Cairo who have set up a DHIS2 instance with our AzureAD OpenID-Connect. The integration starts off OK, but for some reason the redirect_uri that gets sent to login.microsoft.com is http://edr.emro.who.int/oauth2/code/{tenant_id}, but the site is under https://.

They’ve offloaded https to NginX, and so I guess we could rewrite the header there.

Does anybody here have any idea why DHIS2 is sending a redirect_uri with http:// as the protocol?

We’ve set

server.https = on

We’ve also set the correct base_url and the correct

oidc.provider.azure.0.redirect_baseurl = https{etc}

Thanks in advance if anybody can help

1 Like

Hey @markjaroski, thanks for reaching out and I hope you’ll find your answer here. I hope you and your friends in Cairo can share your experiences in the CoP too. :grin: Is AzureAD the best option for you? What challenges do you face and how would you rate the service? Any story to share with the community is welcome. :blush::+1:

@morten does this have to do with integration? Thanks!

Hi

Our IDP is Azure. We don’t have any choice, so we have to make that work.

My question for the community is this: why is the redirect_uri being set to the http version of the base URL even though we’ve specified the HTTPS version?

Best, and happy holidays to all who are celebrating,

Mark

Well, that gives me the name of the person I need to talk with. Is Morten on this forum?

Hi
I hope that works for you. I asked about OpenID-connect … and maybe the reason behind the issue. However, while the right person gets back to you, would you add more details to your post?

As much information as possible so they know how to help you. Please refer to this post:

Best wishes,
@Gassim

For what it’s worth we’re going by this documentation: System Administration Guide - DHIS2 Documentation

1 Like

I checked the code out from github, and it looks like this is a documentation bug. It looks like the correct property name is:

oidc.provider.azure.0.redirect_url

It’s constructed here, in org.hisp.dhis.security.oidc.provider.AzureProfider.java:

    builder.redirectUri( StringUtils.firstNonBlank(
        properties.getProperty( propertyPrefix + REDIRECT_URL ),
        DEFAULT_REDIRECT_TEMPLATE_URL ) );

And REDIRECT_URL is inherited from AbstractProvider.java here:

    public static final String REDIRECT_URL = "redirect_url";

So I’ll fork, and submit a pull request for a change in the documentation.

2 Likes
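
A configuration check built on the lookup quoted above, added here as an example that is not part of the thread or of DHIS2's own code. It mirrors the `firstNonBlank` fallback to report which Azure provider entries silently fall back to the default template because only the unread `redirect_baseurl` key is set, and which configure a redirect that is not HTTPS. The function names, status labels, sample hostnames and the placeholder for the default template are assumptions.

```python
import re
from urllib.parse import urlsplit

# Key suffix the DHIS2 source reads (REDIRECT_URL in AbstractProvider.java, per the thread).
REDIRECT_URL = "redirect_url"
# Key suffix taken from the documentation; the quoted lookup never reads it.
DOCUMENTED_KEY = "redirect_baseurl"
# Placeholder: the real value of DEFAULT_REDIRECT_TEMPLATE_URL is not shown in the thread.
DEFAULT_REDIRECT_TEMPLATE_URL = "<DEFAULT_REDIRECT_TEMPLATE_URL>"
KEY_RE = re.compile(r"^(oidc\.provider\.azure\.\d+\.)(\w+)$")

# Constructed sample configuration (hostnames and paths are illustrative).
SAMPLE = """\
server.https = on
oidc.provider.azure.0.redirect_baseurl = https://dhis.example.org
oidc.provider.azure.1.redirect_url = http://dhis.example.org/oauth2/code/azure-1
oidc.provider.azure.2.redirect_url = https://dhis.example.org/oauth2/code/azure-2
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_redirects(text):
    """Return {provider_prefix: (status, effective_redirect)} per Azure provider."""
    props = parse_conf(text)
    prefixes = sorted({m.group(1) for m in map(KEY_RE.match, props) if m})
    report = {}
    for prefix in prefixes:
        configured = props.get(prefix + REDIRECT_URL, "").strip()
        # Same fallback as StringUtils.firstNonBlank(property, default).
        effective = configured or DEFAULT_REDIRECT_TEMPLATE_URL
        if not configured:
            ignored = (prefix + DOCUMENTED_KEY) in props
            status = "fallback-ignored-key" if ignored else "fallback-default"
        elif urlsplit(effective).scheme.lower() != "https":
            status = "not-https"
        else:
            status = "ok"
        report[prefix] = (status, effective)
    return report
```

Running `audit_redirects` over a deployment's configuration text before go-live shows whether the identity provider will be handed the intended HTTPS callback or a default derived from the request as seen behind the TLS-terminating proxy.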

It’s good to know that OpenID Connect is now supported so I’ll update those posts. Thank you for referencing the documentation.

If this solves the issue then we can mark it as solved thanks to you. :blush::+1:

@phil this solves the problem? Thanks!

I’m not 100% sure yet. I’m getting mixed reports, and of course today is not a working day in Cairo.

I’m setting up a DHIS2 lab so I can test.

Thanks for the PR @markjaroski !

I’ve assigned it to the developer to review.

1 Like

I hope it’s right. I’m starting to worry though, because I’m hearing mixed results. I’m not 100% sure that we have the right version, and it’s already the weekend for the colleague who manages this.

I’ll try to talk with them on Sunday/Monday.

Yes, please. It’s solved. The PR is correct.

1 Like

Thank you very much. I’m glad you figured it out and helped the community too.

1 Like