Tags: apache, dns, passenger, openid-connect, mod-auth-openidc

Issues with OIDC while performing DNS Flip


We recently performed a DNS Flip on a Rails application integration environment. We've set example-1.com as a CNAME pointing at the A record example-2.com. The service at example-2.com is a Ruby on Rails application with Apache and Phusion Passenger. On top of Apache we are using OpenID Connect (specifically the mod_auth_openidc module).

When we try to access example-1.com directly, everything works fine. But when we try to do so through example-2.com, we get the following error:

[Thu Aug 27 19:56:37.202141 2020] [auth_openidc:error] [pid 23165] 
[client xx.xx.xxx.xx:29188] oidc_authenticate_user: the URL hostname 
(example-1.com) of the configured OIDCRedirectURI does not match the URL hostname 
of the URL being accessed (example-2.com): the "state" and "session" cookies will 
not be shared between the two!

In our .confd files, we have the OIDC_REDIRECT_URI = "https://example-1.com/redirect".

We think we may have to use Apache to rewrite part of the request to resolve this, but we're not entirely sure. Does anyone know the best way forward?


Solution

  • You can use a relative value for the OIDCRedirectURI, so:

    OIDCRedirectURI /redirect
    

    as the docs state:

    (Mandatory) The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served. You can use a relative URL like /protected/redirect_uri if you want to support multiple vhosts that belong to the same security domain in a dynamic way

    #OIDCRedirectURI https://www.example.com/protected/redirect_uri
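    The following is an added configuration example, not code from the question, the answer or the mod_auth_openidc project. It shows the relative OIDCRedirectURI from the answer applied to the asker's setup, where both example-1.com and example-2.com resolve to the same Apache instance. The provider URL, client ID, secrets, certificate paths and DocumentRoot are placeholders; the path /redirect is taken from the question. Apache does not allow comments on the same line as a directive, so each comment sits on its own line.

```apache
# Added example: one TLS vhost that answers for both hostnames and
# uses a host-relative redirect URI so mod_auth_openidc's hostname
# check passes whichever name the browser used.
<VirtualHost *:443>
    ServerName  example-2.com
    ServerAlias example-1.com

    SSLEngine on
    # Placeholder paths; the certificate must cover both names.
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Placeholder provider and client settings.
    OIDCProviderMetadataURL https://idp.example/.well-known/openid-configuration
    OIDCClientID            rails-integration
    OIDCClientSecret        replace-with-real-secret
    OIDCCryptoPassphrase    replace-with-random-passphrase

    # Relative value: the module builds the absolute redirect_uri from the
    # scheme and host of the incoming request, so a request to example-1.com
    # gets https://example-1.com/redirect and a request to example-2.com gets
    # https://example-2.com/redirect. The "state" and "session" cookies are
    # therefore always set on, and read back from, the host being accessed.
    OIDCRedirectURI /redirect

    # Protect the whole application; /redirect is under this path, serves no
    # content, and is handled entirely by the module.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    # Placeholder Passenger settings for the Rails app.
    PassengerEnabled on
    DocumentRoot /var/www/rails-app/public
    <Directory /var/www/rails-app/public>
        Require all granted
    </Directory>
</VirtualHost>
```

    Two checks before relying on this: an OpenID Connect provider matches the redirect_uri in the authorization request exactly against the client's registered list, so both https://example-1.com/redirect and https://example-2.com/redirect must be registered at the provider, and the registered list is what limits which hosts can complete a login. And because the redirect URI now depends on the request's host, the vhost should only answer for the names you intend (ServerName and ServerAlias above), so that an unexpected Host value cannot steer the flow to a hostname you did not register.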