Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal: Add info about SERVER_USEFORWARDHEADERS to SSO guide #1017

Closed
clocklear opened this issue Oct 26, 2021 · 4 comments · Fixed by #1181
Closed

Proposal: Add info about SERVER_USEFORWARDHEADERS to SSO guide #1017

clocklear opened this issue Oct 26, 2021 · 4 comments · Fixed by #1181
Assignees
@Haarolean
Labels
good first issue Up for grabs hacktoberfest status/accepted An issue which has passed triage and has been accepted type/documentation Improvements or additions to documentation

Comments

@clocklear
Copy link
Contributor

Is your proposal related to a problem?

I recently set up kafka-ui with MSK in ECS on AWS with the intent of using SSO with Auth0 to secure the application. I am terminating SSL on the load balancer; connections between the load balancer and the kafka-ui container are HTTP. Following the SSO guide, I set up only the environment variables that were relevant to SSO:

AUTH_ENABLED=true
SECURITY_BASIC_ENABLED=true
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTID=uhvaPKIHU4ZF8Ne4B6PGvF0hWW6OcUSB
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_AUTH0_CLIENTSECRET=YXfRjmodifiedTujnkVr7zuW9ECCAK4TcnCio-i
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_AUTH0_ISSUER_URI=https://dev-a63ggcut.auth0.com/

However, what I observed is that the redirect URI that was formed by the application and passed to Auth0 used the HTTP scheme instead of HTTPS, ostensibly because the connection between the LB and the app is non-TLS.

Describe the solution you'd like

After digging through a few articles online (and deducing that Spring Security is being used to facilitate authN/Z), I found that there is a Spring setting that must be enabled in my particular configuration that causes Spring to use the X-Forwarded-For headers to determine the originating scheme in order to form the correct redirect URI to pass to Auth0. By setting SERVER_USEFORWARDHEADERS to true, the application now properly handles my SSO authentication with Auth0. I propose that the SSO guide be augmented in such a way to call out the scenario in which SSL is terminated prior to the application (such as on a load balancer), the app may need to be configured to respect the X-Forwarded-For headers (which is apparently not the default).

(tl;dr -- the docs for SSO should suggest setting SERVER_USEFORWARDHEADERS to true when TLS is terminated by a proxy.)

Describe alternatives you've considered

None.

Additional context

More info can be found in this SO answer: https://stackoverflow.com/a/40879393
@clocklear clocklear added the type/enhancement En enhancement to an already existing feature label Oct 26, 2021
@Haarolean
Copy link
Contributor

Hi, thank you for the feedback (and contribution). We'll reflect the changes in the documentation soon.

@Haarolean Haarolean self-assigned this Oct 27, 2021
@Haarolean Haarolean added type/documentation Improvements or additions to documentation good first issue Up for grabs hacktoberfest status/accepted An issue which has passed triage and has been accepted and removed type/enhancement En enhancement to an already existing feature labels Oct 27, 2021
Haarolean added a commit that referenced this issue Dec 7, 2021
@Haarolean
Update SSO guide
f55b8dd 
Added information from #1017
@Haarolean Haarolean mentioned this issue Dec 7, 2021
Merged
13 tasks
Haarolean added a commit that referenced this issue Dec 7, 2021
@Haarolean
Update SSO guide
92edf80 
Added information from #1017
@Haarolean Haarolean linked a pull request Dec 7, 2021 that will close this issue
Update SSO guide #1181
Merged
13 tasks
@Haarolean
Copy link
Contributor

Thanks once again, done.

@clocklear
Copy link
Contributor Author

Thanks @Haarolean . I hate to be a PITA, but a few days ago I attempted to deploy the latest build of master and this guidance was no longer working for me. Digging deeper, it appears as if the server.use-forward-headers option was deprecated in Spring Boot 2.2 (and my guess is that kafka-ui has recently updated to a version of Spring Boot that finally has removed the setting).

The guidance from that project now is to use server.forward-headers-strategy=native, which would be setting SERVER_FORWARDHEADERSSTRATEGY=native in this project.

See https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.2-Release-Notes#deprecations-in-spring-boot-22.

@Haarolean Haarolean reopened this Dec 10, 2021
@Haarolean
Copy link
Contributor

@clocklear hey, yeah, we've updated boot some time ago. Thanks for this information, I'll update the docs.

javalover123 pushed a commit to javalover123/kafka-ui that referenced this issue Dec 7, 2022
@Haarolean
Update SSO guide
998e44e 
Added information from provectus#1017
gitbook-com bot pushed a commit that referenced this issue Apr 13, 2023
@Haarolean @gitbook-bot
GITBOOK-39: Add a FAQ regarding headers strategy (issue #1017)
3c9d088
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Haarolean Haarolean

Labels
good first issue Up for grabs hacktoberfest status/accepted An issue which has passed triage and has been accepted type/documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update SSO guide provectus/kafka-ui
2 participants
@clocklear @Haarolean