
I am trying to set up OpenID Connect IdP-SP pair on a VPS on 2 different subdomains. I successfully managed to make different implementations work on local environment but on the server they don't. I am currently using the certified node.js implementations.

The behavior on the server is the following:

  1. I click log in on the Service Provider
  2. I am redirected to the Identity Provider
  3. I click authorize
  4. I am redirected properly back to the Service Provider but I am not logged in

There are 2 possible causes I suspect:

  1. the IdP, although hosted on https, on its discovery endpoint (/.well-known/openid-configuration) sends information about the other endpoints prefixed with http. This causes switching back and forth between http and https during the authentication process

  2. When I tried PHP implementations I noticed that even though the Service Provider was able to successfully acquire an authorization code, it failed to exchange it at the

I have no idea how to debug this and figure out the source of the problem. Any recommended course of action?

sapountzis
  • If you are using a proxy server in front of nodejs like nginx, apache2 or IIS, then you need to manually replace the protocol keyword yourself. I usually have two configuration files where the protocol is defined; production replaces http with https. – Ako Jun 27 '20 at 11:21
  • I am using nginx on top of apache – sapountzis Jun 27 '20 at 11:22
  • Well, that seems to be the problem. If nginx routes to a local server, it uses the http protocol if not set otherwise. Using https internally is just a waste of resources. So you need to replace the URLs' protocol manually. – Ako Jun 27 '20 at 11:25
  • Thanks. I will try that and come back with an update. – sapountzis Jun 27 '20 at 11:26
  • @Ako I disabled the nginx-apache proxy so I ended up with nginx only. It still doesn't work. The IdP discovery endpoint (/.well-known/openid-configuration) still thinks it is hosted on http. – sapountzis Jun 30 '20 at 13:25
  • Sorry was away, did you manage to solve the issue? – Ako Aug 12 '20 at 22:55
  • Not sure what the issue was exactly, but part of it was a timezone inconsistency causing the authentication cookie to expire immediately. Anyway, thanks for the help. – sapountzis Aug 13 '20 at 05:38
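The proxy problem discussed in the comments (a TLS-terminating nginx in front of a Node.js provider that then advertises http:// endpoints in its discovery document), as an added example that is not part of the question, the comments, or any OpenID Connect library: it derives the public origin from the proxy's forwarding headers, rewrites the discovery document to that origin, and flags any endpoint that still is not https. The header names (X-Forwarded-Proto, X-Forwarded-Host) and the sample document are assumptions, not taken from the asker's setup.

```javascript
// Added example. Behind a TLS-terminating reverse proxy the provider only sees
// plain HTTP, so every URL in /.well-known/openid-configuration comes out as
// http://. These helpers fix the document using the proxy headers. Only trust
// these headers when the app is reachable exclusively through the proxy.

// Discovery-document keys that carry absolute URLs (OpenID Connect Discovery 1.0).
const URL_KEYS = [
  'issuer', 'authorization_endpoint', 'token_endpoint', 'userinfo_endpoint',
  'jwks_uri', 'end_session_endpoint', 'registration_endpoint',
  'introspection_endpoint', 'revocation_endpoint',
];

// Public origin as the browser sees it. Falls back to the Host header and the
// scheme the app itself observed when no forwarding headers are present.
function externalOrigin(headers, fallbackProto = 'http') {
  const proto = (headers['x-forwarded-proto'] || fallbackProto).split(',')[0].trim();
  const host = (headers['x-forwarded-host'] || headers['host'] || '').split(',')[0].trim();
  return `${proto}://${host}`;
}

// Copy of the discovery document with every advertised URL moved to `origin`.
// Only the scheme/host/port part is replaced; paths and query strings are kept,
// and an issuer without a trailing slash stays without one (issuer must match exactly).
function rewriteDiscovery(doc, origin) {
  const out = { ...doc };
  for (const key of URL_KEYS) {
    if (typeof out[key] !== 'string') continue;
    const u = new URL(out[key]);
    out[key] = out[key].replace(u.origin, origin);
  }
  return out;
}

// Check for the symptom in the question: returns the keys whose URL is not https,
// which means the proxy headers are not being honoured (or not sent at all).
function insecureEndpoints(doc) {
  return URL_KEYS.filter((k) => typeof doc[k] === 'string' && !doc[k].startsWith('https://'));
}

// Constructed sample of what a provider behind nginx typically emits, plus the
// headers a correctly configured proxy would forward (hypothetical values).
const sampleDoc = {
  issuer: 'http://idp.example.com',
  authorization_endpoint: 'http://idp.example.com/auth',
  token_endpoint: 'http://idp.example.com/token',
  jwks_uri: 'http://idp.example.com/jwks',
};
const sampleHeaders = { host: 'idp.example.com', 'x-forwarded-proto': 'https' };
```

Running `insecureEndpoints` against the live discovery document is a quick way to tell whether the proxy fix took effect before retrying the login flow.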
