1

We recently performed a DNS Flip on a Rails application integration environment. We've set example-1.com as a CNAME pointing at A record example-2.com. The service at example-2.com is a Ruby on Rails application with Apache and Passenger Phusion. On top of Apache we are using OpenId-Connect (specifically the mod_auth_openidc module).

When we try to access example-1.com directly, everything works fine. But when we try to do so through example-2.com, we get the following error:

[Thu Aug 27 19:56:37.202141 2020] [auth_openidc:error] [pid 23165] 
[client xx.xx.xxx.xx:29188] oidc_authenticate_user: the URL hostname 
(example-1.com) of the configured OIDCRedirectURI does not match the URL hostname 
of the URL being accessed (example-2.com): the "state" and "session" cookies will 
not be shared between the two!

In our .confd files, we have the OIDC_REDIRECT_URI = "https://example-1.com/redirect".

We think we may have to use Apache to rewrite part of the request to resolve this, but we're not entirely sure. Does anyone know the best way forward?

ykirloskar
  • 51
  • 1
  • 7

1 Answers1

4

you can use a relative value for the OIDCRedirectURI, so:

OIDCRedirectURI /redirect

as the docs state:

(Mandatory) The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served. You can use a relative URL like /protected/redirect_uri if you want to support multiple vhosts that belong to the same security domain in a dynamic way

#OIDCRedirectURI https://www.example.com/protected/redirect_uri

Hans Z.
  • 50,496
  • 12
  • 102
  • 115