Allow specifying FQDN of OOD portal for OIDC compatibility with reverse proxy
Closed this issue · 5 comments
In what area(s)?
/area ood
Describe the feature
I am trying to run OOD behind a reverse proxy using OIDC authentication so that I can easily switch between AZHop deployments (for dev/test purposes) when needed. I should just be able to point the reverse proxy to the new deployment when it's ready. However, all of the redirect uri requests (for the callback) coming from the OOD portal have the randomly generated FQDN (something like: ondemandXXXXXXXX.eastus.cloudapp.azure.com) instead of maintaining the FQDN of the reverse proxy. I need to be able to specify the FQDN or make sure that OOD understands that it is behind a reverse proxy.
I think this should be straightforward based on the docs (https://osc.github.io/ood-documentation/latest/how-tos/app-development/interactive/setup/enable-reverse-proxy.html), but I don't see where AZHop has a setting to enable running behind a reverse proxy, nor does it provide any instructions in the documentation on best practices for using this with OIDC.
Any ideas on how this might be possible with v1.0.40? Could this feature be added?
I guess a more relevant question is just how to set the FQDN for the OOD setup? Because right now I always get a 301 (permanent redirect) to the auto-generated FQDN instead:
$ curl --insecure https://my.fqdn.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://ondemandXXXXXXXX.eastus.cloudapp.azure.com:443/">here</a>.</p>
</body></html>
There is a way to specify the OOD FQDN in the configuration file. Does this help: https://azure.github.io/az-hop/deploy/index#use-your-own-ssl-certificate ?
This only helps a little because it doesn't really seem to propagate into most of the OOD installation process.
For example, after I configure the reverse proxy and then try to connect, I get a 500 Internal Server Error.
Looking into the logs on the OOD VM, I see this information:
[Thu May 30 23:00:24.913385 2024] [auth_openidc:error] [pid 22722:tid 140698430994176] [client XXX.XXX.XXX.XXX:55692] oidc_authenticate_user: the URL hostname (ondemandXXXXXXXX.eastus.cloudapp.azure.com) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (my.fqdn.com): the "state" and "session" cookies will not be shared between the two!
So, it's trying to complete the OIDC authentication, but the OOD servername doesn't match the FQDN in config.yml (even though I have it set to my.fqdn.com).
When I look at playbooks/group_vars/all.yaml, I find the randomly generated FQDN is still set there (ondemand_fqdn: ondemandXXXXXXXX.eastus.cloudapp.azure.com), even though I have used my.fqdn.com for the ondemand.fqdn setting in config.yml.
I still seem to be missing something to make this work...
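An added diagnostic for the mismatch shown in the auth_openidc log line and the 301 above (example code, not az-hop or Open OnDemand code): it reproduces the hostname-only comparison mod_auth_openidc makes and checks the log line and redirect body against the FQDN set in config.yml. The sample log line and 301 body are constructed from the ones quoted in this thread; `diagnose` and the other function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the mod_auth_openidc error quoted in the issue.
SAMPLE_LOG = (
    "[Thu May 30 23:00:24.913385 2024] [auth_openidc:error] [pid 22722:tid 140698430994176] "
    "[client XXX.XXX.XXX.XXX:55692] oidc_authenticate_user: the URL hostname "
    "(ondemandXXXXXXXX.eastus.cloudapp.azure.com) of the configured OIDCRedirectURI does not "
    "match the URL hostname of the URL being accessed (my.fqdn.com): the \"state\" and "
    "\"session\" cookies will not be shared between the two!"
)
# Constructed sample: the body of the 301 that curl received in the issue.
SAMPLE_301_BODY = ('<p>The document has moved <a href="https://ondemandXXXXXXXX.eastus'
                   '.cloudapp.azure.com:443/">here</a>.</p>')

LOG_RE = re.compile(
    r"the URL hostname \((?P<redirect_host>[^)]+)\) of the configured OIDCRedirectURI "
    r"does not match the URL hostname of the URL being accessed \((?P<request_host>[^)]+)\)"
)

def hostname_mismatch(redirect_uri, request_url):
    """The check mod_auth_openidc applies: hostnames only (scheme/port ignored),
    because the "state" and "session" cookies are scoped by host."""
    a, b = urlparse(redirect_uri).hostname, urlparse(request_url).hostname
    return a is None or b is None or a.lower() != b.lower()

def parse_openidc_mismatch(line):
    """Return (redirect_host, request_host) from the auth_openidc error, or None."""
    m = LOG_RE.search(line)
    return (m["redirect_host"], m["request_host"]) if m else None

def redirect_target_host(html):
    """Hostname the 301 page points at, i.e. Apache's canonical ServerName (lowercased)."""
    m = re.search(r'href="([^"]+)"', html)
    return urlparse(m.group(1)).hostname if m else None

def diagnose(expected_fqdn, log_lines, body_301):
    """Findings that show the configured FQDN was not propagated to the OOD VM."""
    want = expected_fqdn.lower()
    findings = []
    for line in log_lines:
        hit = parse_openidc_mismatch(line)
        if hit and hit[0].lower() != want:
            findings.append(f"OIDCRedirectURI host {hit[0]} != expected {expected_fqdn}")
    target = redirect_target_host(body_301)
    if target and target != want:
        findings.append(f"301 redirects to {target} instead of {expected_fqdn}")
    return findings
```

Feed `diagnose` the value of ondemand.fqdn from config.yml, the error lines from the Apache log on the OOD VM, and the body of a `curl --insecure https://<your fqdn>/` call; an empty list means both the canonical ServerName and OIDCRedirectURI already carry the expected host.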
It appears that the ondemand.fqdn option is only used (or effective) when using locked_down_network.public_ip=false?
My reverse proxy is located outside of Azure (and I would like to keep it that way for the time being if at all possible). So, I am having trouble seeing how I might get this to work with OIDC, since I would need to expose port 443 on the OOD VM to the outside world in some other way? (This is assuming that the above settings work and are indeed the anticipated way to set the FQDN.)
I was able to make some modifications to the ansible playbooks to get things working for my specific use-case. I'll try to identify a way to make things work with public_ip=false sometime in the future. Thank you @xpillons for the suggestion above.