I have a basic python Dash (flask) application running with vouch and nginx configured, and Okta as my SSO provider.

The issue I am facing is when there is not currently any vouch cookie set, and I try to reach my application from the Okta chicklet, I get a vouch 400 Bad Request with no jwt found in request in the logs (I am already signed in to okta). If I navigate to the app's url directly in a new browser tab, then the whole vouch/okta flow seems to work fine, and I end up getting a VouchCookie set and I can access my application. Then subsequently, If I go back to Okta and click on the app's chicklet again, I am successfully routed to my application because a vouch cookie was set previously when I directly navigated to the app's url.

How can I get the vouch/okta flow to work properly if clicking form the Okta chicklet for the first time without a vouch cookie having been set yet?

I have everything running in containers with docker-compose on an AWS EC2 right now. I am not using SSL right now, just trying to get everything else working for now.

I have included links to logs and config gists below.

Logs: https://gist.github.com/airpaio/a29191d4fe52fd79bb458c0a86c4eca7
Vouch Config: https://gist.github.com/airpaio/0df27b9240f656361dff1f0f81f14b81
NginxConfig: https://gist.github.com/airpaio/ab498461d07bd481a9bdb5a8661e7a48

This seems related to discussion in #313.

I understand that there are some redirection checks in place to address security concerns, but would it be acceptable to implement a vouch.login_redirect_uris_whitelist in the config, and skip those whitelisted uri in this badStrings filter? This would leave the redirection security risks up to the user.
Are there any other suggestions you have that could resolve my issue without making this implementation?

closing in favor of #313 (dup)