getProxyHeaderAwareRequestURL in OAuth2AuthenticationService
rolandc85 opened this issue
Summary
I'm using a Zuul Proxy to forward the URL, e.g. http://localhost:8080/auth/*, to http://localhost:8081/auth/*, which my API application is running on.
I'm unable to send out the correct redirect URI to Facebook.
Actual Behavior
redirect URI sent out is http://localhost:8081/auth/facebook
Expected Behavior
redirect URI sent out should be http://localhost:8080/auth/facebook
I have checked the code in OAuth2AuthenticationService.class. In the method:

```java
protected StringBuffer getProxyHeaderAwareRequestURL(HttpServletRequest request) {
    String host = request.getHeader("Host");
    if (StringUtils.isEmpty(host)) {
        return request.getRequestURL();
    }
    StringBuffer sb = new StringBuffer();
    String schemeHeader = request.getHeader("X-Forwarded-Proto");
    String portHeader = request.getHeader("X-Forwarded-Port");
    String scheme = StringUtils.isEmpty(schemeHeader) ? "http" : schemeHeader;
    String port = StringUtils.isEmpty(portHeader) ? "80" : portHeader;
    // drop the port when it is the default one for the scheme
    if (scheme.equals("http") && port.equals("80")) {
        port = "";
    }
    if (scheme.equals("https") && port.equals("443")) {
        port = "";
    }
    sb.append(scheme);
    sb.append("://");
    sb.append(host);
    if (StringUtils.hasLength(port)) {
        sb.append(":");
        sb.append(port);
    }
    sb.append(request.getRequestURI());
    return sb;
}
```
the host variable returns localhost:8081.
Instead it should take into account the X-Forwarded-Host, with the following code:

```java
String forwardedHost = request.getHeader("X-Forwarded-Host");
String host = StringUtils.isEmpty(forwardedHost) ? request.getHeader("Host") : forwardedHost;
```
Lastly, handling of the port in the URL should take into consideration these few points:
- The port, if any, is in the host variable.
- The X-Forwarded-Host OR Host (if not using a proxy) is already the final URL redirected to from Facebook/other social platforms. Therefore, there is no need to append the PORT.
Below is my proposed solution:

```java
protected StringBuffer getProxyHeaderAwareRequestURL(HttpServletRequest request) {
    // prefer the host the client actually used, as relayed by the proxy
    String forwardedHost = request.getHeader("X-Forwarded-Host");
    String host = StringUtils.isEmpty(forwardedHost) ? request.getHeader("Host") : forwardedHost;
    if (StringUtils.isEmpty(host)) {
        return request.getRequestURL();
    } else {
        StringBuffer sb = new StringBuffer();
        String schemeHeader = request.getHeader("X-Forwarded-Proto");
        String scheme = StringUtils.isEmpty(schemeHeader) ? "http" : schemeHeader;
        sb.append(scheme);
        sb.append("://");
        sb.append(host); // the host value already carries the port, if any
        sb.append(request.getRequestURI());
        return sb;
    }
}
```
However, this still does not fully solve the problem if the proxy maps e.g. http://localhost:8080/abc to http://localhost:8081/auth.
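The following is an added, self-contained example of the URL reconstruction discussed in this issue; it is not the project's code and not the reporter's patch. It reads the headers from a plain Map so it runs without a servlet container (in the real service the same values would come from HttpServletRequest.getHeader), takes the first element of comma-separated X-Forwarded-* values as chained proxies produce them, appends X-Forwarded-Port only when the host value carries no port, and honours X-Forwarded-Prefix for the route-prefix-stripping case (Zuul sets that header when addProxyHeaders is on). The TRUSTED_HOSTS allowlist and all sample headers are constructed for the example: because the rebuilt URL becomes the OAuth2 redirect_uri, a host value is only accepted when it is one the deployment actually serves. A route that also rewrites the target path (/abc to /auth, the last case above) still cannot be recovered from headers alone.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example (not project code): rebuild the client-facing URL behind a reverse proxy. */
public class ForwardedUrlExample {

    // Constructed allowlist of external hosts this deployment is served on. The result
    // becomes the OAuth2 redirect_uri, so a host the backend cannot vouch for is refused.
    static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("localhost:8080", "app.example.com"));

    // Chained proxies append values ("a.example.com, b.example.com"); the first one is
    // the hop closest to the client. Returns null for a missing or blank header.
    static String first(String headerValue) {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return null;
        }
        return headerValue.split(",")[0].trim();
    }

    static String orDefault(String value, String fallback) {
        return value == null ? fallback : value;
    }

    /**
     * @param headers    headers as received by the backend (constructed in main)
     * @param requestUri what HttpServletRequest.getRequestURI() would return
     * @return the external URL, or throws if the host is not one we serve
     */
    static String externalUrl(Map<String, String> headers, String requestUri) {
        String host = orDefault(first(headers.get("X-Forwarded-Host")), first(headers.get("Host")));
        if (host == null) {
            throw new IllegalArgumentException("request carries no Host header");
        }
        String scheme = orDefault(first(headers.get("X-Forwarded-Proto")), "http").toLowerCase(Locale.ROOT);

        // Append X-Forwarded-Port only when the host value has no port of its own,
        // and never for the scheme's default port.
        String port = first(headers.get("X-Forwarded-Port"));
        if (port != null && !host.contains(":")) {
            boolean defaultPort = ("http".equals(scheme) && "80".equals(port))
                    || ("https".equals(scheme) && "443".equals(port));
            if (!defaultPort) {
                host = host + ":" + port;
            }
        }
        if (!TRUSTED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("refusing to build a redirect URI for untrusted host: " + host);
        }

        // X-Forwarded-Prefix is the route prefix the proxy stripped (Zuul: /abc/** with
        // stripPrefix), so the external path is prefix + backend path. A route that also
        // inserts a new base path (/abc -> /auth) is not recoverable from headers alone.
        String prefix = orDefault(first(headers.get("X-Forwarded-Prefix")), "");
        return scheme + "://" + host + prefix + requestUri;
    }

    public static void main(String[] args) {
        // Constructed sample: what the backend on :8081 receives from Zuul on :8080.
        Map<String, String> viaZuul = new HashMap<>();
        viaZuul.put("Host", "localhost:8081");
        viaZuul.put("X-Forwarded-Host", "localhost:8080");
        viaZuul.put("X-Forwarded-Proto", "http");
        viaZuul.put("X-Forwarded-Port", "8080");
        System.out.println(externalUrl(viaZuul, "/auth/facebook"));

        // Constructed sample: a prefix-stripping route /abc/** -> backend /facebook.
        Map<String, String> stripped = new HashMap<>(viaZuul);
        stripped.put("X-Forwarded-Prefix", "/abc");
        System.out.println(externalUrl(stripped, "/facebook"));

        // Constructed sample: direct request with no proxy headers at all.
        Map<String, String> direct = new HashMap<>();
        direct.put("Host", "localhost:8080");
        System.out.println(externalUrl(direct, "/auth/facebook"));

        // Constructed sample: a forwarded host we do not serve is refused instead of
        // silently becoming the redirect_uri.
        Map<String, String> unknown = new HashMap<>();
        unknown.put("Host", "localhost:8081");
        unknown.put("X-Forwarded-Host", "other.example.net");
        try {
            externalUrl(unknown, "/auth/facebook");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main prints http://localhost:8080/auth/facebook for the Zuul and direct cases, http://localhost:8080/abc/facebook for the prefix-stripping route, and a rejection line for the unknown host. The allowlist check is the part worth keeping whichever header logic the project settles on: it turns a configuration mistake or a header the backend should never have trusted into a visible error rather than a redirect URI pointing somewhere else.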