
I am trying to set up WSO2 Identity Server behind a reverse proxy for SSL offloading. For example, say WSO2 IS is available at https://<some-ip>:9443/ and I am trying to put it behind a reverse proxy with an address such as https://<domain name>/is/. Note the context path /is and SSL port 443. I thought that this would be trivial enough, but sadly I am unable to find any conclusive documentation for achieving the same.

My applications use OIDC to connect to WSO2 IS, with Azure Application Gateway as the reverse proxy. Typically all API calls work well, but neither the UI nor flows involving redirections work, due to the context path. I can fix redirects by URL rewriting at the reverse proxy, but that still doesn't solve the problem. For example, the login page will appear, but the XHR call from it will go to /logincontext instead of /is/logincontext. Where can I set up the proxy context path in WSO2 IS? I already tried setting it in the .toml file (the equivalent of setting it in carbon.xml), but it seems to affect only the Management Portal.

The WSO2 IS documentation talks about setting it up behind nginx, but that documentation does not use any path context. I could find reverse proxy documentation for other WSO2 products such as WSO2 API Manager, but it only involves updating carbon.xml, and that doesn't work for WSO2 IS. I am not a Java person and hence find it difficult to figure out the web app organization of WSO2.

Any help, link to documentation, or guide for setting this up with a proxy context would be useful.

VinayC
  • Did you find the answer? I'm getting an error when trying to log in on carbon: `carbon/admin/js/csrfPrevention.js not found`. I believe it is because the context is not set. – Aldo Inácio da Silva Aug 19 '22 at 12:54
  • @AldoInáciodaSilva, this was some time back, but no complete solution was found. We were able to get auth flows working by using rewrites at the reverse proxy and minor changes in the WSO2 HTML code. However, we could not make the carbon (WSO2 admin) application work under a context. We exposed it on a non-standard port without a context (e.g. 9443); because our use of WSO2 Admin was internal (no public exposure), we deemed this an adequate solution for the time being. I have since left the org, but we were also evaluating alternative products; the most promising one was [Keycloak](https://www.keycloak.org/) – VinayC Aug 21 '22 at 05:37

2 Answers

I know that this answer comes a little bit late, but recently I had a similar issue, and here is how I made it work; maybe it could be helpful for someone. I was using WSO2 IS 5.11.0.

Note: I checked similar questions on Stack Overflow and found a few, but none was enough by itself for my case. Maybe the solution I came up with is not the best or the most correct, but it is the only one I could make work.

Here's how I did it, assuming the context path is `is`:

  1. Open the Carbon Management Console and go to Identity Providers -> Resident. Then go to Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Here, change the hostname under Identity Provider Entity ID to https://domain_name:443/is/<remaining path>. Make sure that the port number is either present or absent in both places, here and in the client application. If there is a mismatch between the two, for some reason, it won't work (or at least it didn't for me).

  2. Open the file deployment.toml and modify it as follows:

    • under the [server] section, add your proxy context at the end of the base_path URL, e.g. base_path = "https://$ref{server.hostname}:${carbon.management.port}/is";

      of course, also add proxy_context_path = "is" (actually, this last line should be enough, but for some reason in my case it wasn't, so I had to modify the base path too);

    • under [transport.https.properties] add proxyPort = "443".

    For the record, I also turned off compression, by adding:

    [transport.http.properties]
    compression="off"
    [transport.https.properties]
    ...
    compression="off"
    

    and set the token issuer URL equal to the entity id set up in Carbon, with:

    [oauth]
    use_entityid_as_issuer_in_oidc_discovery = true
    

    but I found out that these last two steps (turning off compression and setting the entity id as issuer) weren't needed.

  3. Disable the CSRF guard by setting org.owasp.csrfguard.Enabled = false in the file /repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2. This step was necessary for me to avoid the 403 error after logging in on the Carbon Console (turning off compression didn't work).

  4. Lastly, if you use nginx as the reverse proxy (as I did), add these two lines in the location used for WSO2:

     proxy_redirect https://domain_name/oauth2/ https://domain_name/is/oauth2/;
     proxy_redirect https://domain_name/carbon/ https://domain_name/is/carbon/;
    

    These are needed (or at least were for me) because some URLs are not under the context path. In particular, the last one allows you to open the Carbon Console at https://domain_name/is/carbon/.

References:

WSO2 API Manager carbon page gives 403 Forbidden

WSO2 Identity Server login returns a 403

WSO2 Identity Server port configuration

To understand the template-based configuration model adopted from version 5.9.0 onwards, see https://apim.docs.wso2.com/en/latest/reference/understanding-the-new-configuration-model/ and https://mcvidanagama.medium.com/understand-wso2-api-managers-new-configuration-model-6425a2710faa

Here are some useful configuration mappings from the old xml to the new toml based model: https://github.com/ayshsandu/samples/tree/master/config-mapping

Fabio Nardelli
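A quick way to verify that steps 1 and 2 above actually took effect is to fetch the OIDC discovery document through the proxy and check that the issuer and every advertised endpoint carry the public base URL (scheme, host, optional port, and the `/is` context) that the client applications are configured with. The following script is an added example written for this page; it is not part of the answer above or of WSO2's own tooling. The discovery URL is passed in explicitly because the exact path differs between deployments, the sample documents are constructed to illustrate a misconfigured and a corrected deployment, and `domain_name` is the placeholder used in the answer.

```python
"""Check an OIDC discovery document against the public base URL behind a reverse proxy.

Added example (hypothetical helper, not WSO2 code). It flags the two mismatches
the answer above runs into: endpoints that escape the proxy context path, and an
issuer that differs from the client's configured issuer only by an explicit ":443",
which OIDC clients still reject because the issuer string is compared exactly.
"""
import json
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

# Endpoint keys commonly found in a discovery document (OpenID Connect Discovery 1.0).
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri",
    "end_session_endpoint", "revocation_endpoint", "introspection_endpoint",
    "registration_endpoint",
)


def canonical(url: str) -> str:
    """Drop an explicit default port (https:443 / http:80) and a trailing slash so that
    URLs differing only in those details compare equal."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    host = parts.hostname or ""
    netloc = host if parts.port in (None, default) else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path.rstrip("/"), "", ""))


def check_discovery(doc: dict, public_base: str) -> list[str]:
    """Return a list of problems; an empty list means the document is consistent with
    the public base URL (e.g. "https://domain_name/is") that clients are configured with."""
    problems: list[str] = []
    base = public_base.rstrip("/")
    issuer = doc.get("issuer", "")
    if issuer != base:
        if canonical(issuer) == canonical(base):
            problems.append(
                f"issuer {issuer!r} differs from {base!r} only by an explicit default "
                "port or trailing slash; clients compare the issuer exactly, so align both sides"
            )
        else:
            problems.append(f"issuer {issuer!r} does not match public base {base!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        if not url.startswith("https://"):
            problems.append(f"{key} is not served over https: {url}")
        if not canonical(url).startswith(canonical(base) + "/"):
            problems.append(f"{key} is outside the proxy context path: {url}")
    return problems


def fetch_discovery(discovery_url: str, timeout: float = 5.0) -> dict:
    """Fetch a discovery document through the proxy (network call; pass the full URL of
    your deployment's .well-known/openid-configuration document)."""
    with urlopen(discovery_url, timeout=timeout) as resp:  # noqa: S310 (https URL expected)
        return json.load(resp)


# Constructed sample: what a deployment without the context path configured tends to
# advertise. The issuer carries an explicit :443 the clients do not use, and the
# endpoints lack the /is prefix, so browser redirects land outside the proxied path.
BROKEN_DOC = {
    "issuer": "https://domain_name:443/is",
    "authorization_endpoint": "https://domain_name/oauth2/authorize",
    "token_endpoint": "https://domain_name/oauth2/token",
    "jwks_uri": "https://domain_name/oauth2/jwks",
}

# Constructed sample: the same document after the proxy context path took effect.
FIXED_DOC = {
    "issuer": "https://domain_name/is",
    "authorization_endpoint": "https://domain_name/is/oauth2/authorize",
    "token_endpoint": "https://domain_name/is/oauth2/token",
    "jwks_uri": "https://domain_name/is/oauth2/jwks",
}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_DOC), ("fixed", FIXED_DOC)):
        issues = check_discovery(doc, "https://domain_name/is")
        print(f"{name}: {len(issues)} problem(s)")
        for line in issues:
            print("  -", line)
```

Run it against a live deployment with `check_discovery(fetch_discovery("<discovery url>"), "https://domain_name/is")`; an empty result is what the client applications need before their redirect-based flows will work through the proxy.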

In addition to the answer from @fabio-nardelli, the following GitHub issue has references to the fixes done for this (which were targeted for the WSO2 IS 6.0 release):

https://github.com/wso2/product-is/issues/10380

Sajith