apache2 quarkus quarkus-oidc

Quarkus OIDC behind proxy on different port


I use Quarkus and its OIDC extension to allow users to authenticate via Google. When the Quarkus app is exposed to the public, everything works great. Now I want to put it behind a proxy. And that's where things fail.

When Quarkus constructs the redirect URL to send to Google as a part of its OAuth flow, it is including the internal URL that it is listening on, which Google then rejects because it doesn't match the registered redirect URL.

Part of how to mitigate this is to set this config in the Quarkus application.properties:

quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-forwarded=false
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.forwarded-host-header=X-Forwarded-Host

When I do this, Quarkus indeed sends the external URL to Google. But it sends the internal port instead of the external port. That means if the external URL is https://gold.com and the internal URL is https://internal.products.io:9443, Quarkus sends https://gold.com:9443 to Google.

So my question is how do I force Quarkus to send the external port? I know Apache has the following headers it can forward:

X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Proto

Is there a way to tell Quarkus to use the port that the proxy would provide through the header?


Solution

  • I did not configure Apache to forward the port. I somehow believed that it was automagically forwarding the port as it does with the hostname. This was a false assumption.

    So I added this to my Apache virtual host:

    RequestHeader set X-Forwarded-Port "443"
    

    This works well with the Quarkus configuration depicted above.
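
A way to confirm the fix from outside, as an added example that is not part of the original question or answer: the script takes the `Location` header of the redirect Quarkus issues at login, extracts its `redirect_uri`, and compares it with the URI registered at Google, naming the forwarded header to check for each mismatch. The `/callback` path, `client_id` and `state` values are constructed placeholders, and the sample `Location` headers are constructed from the URLs in the question.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, effective port) so ':443' and no port compare equal on https."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def diagnose(location, registered_redirect_uri):
    """Compare the redirect_uri inside an authorization redirect with the
    registered one; return (sent_redirect_uri, list of findings)."""
    sent = parse_qs(urlsplit(location).query).get("redirect_uri", [""])[0]
    s_scheme, s_host, s_port = origin(sent)
    r_scheme, r_host, r_port = origin(registered_redirect_uri)
    findings = []
    if s_scheme != r_scheme:
        findings.append(f"scheme {s_scheme!r} != {r_scheme!r}: check X-Forwarded-Proto")
    if s_host != r_host:
        findings.append(f"host {s_host!r} != {r_host!r}: check X-Forwarded-Host")
    if s_port != r_port:
        findings.append(f"port {s_port} != {r_port}: check X-Forwarded-Port")
    if urlsplit(sent).path != urlsplit(registered_redirect_uri).path:
        findings.append("path differs from the registered redirect URI")
    return sent, findings

# Constructed sample data (placeholders, not captured traffic).
REGISTERED = "https://gold.com/callback"
AUTH = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
        "&client_id=EXAMPLE_CLIENT_ID&scope=openid&state=EXAMPLE_STATE&redirect_uri=")
NO_FORWARDING = AUTH + "https%3A%2F%2Finternal.products.io%3A9443%2Fcallback"
HOST_ONLY = AUTH + "https%3A%2F%2Fgold.com%3A9443%2Fcallback"   # the case in the question
HOST_AND_PORT = AUTH + "https%3A%2F%2Fgold.com%2Fcallback"      # after X-Forwarded-Port is set

if __name__ == "__main__":
    for label, loc in [("no forwarding", NO_FORWARDING),
                       ("host only", HOST_ONLY),
                       ("host and port", HOST_AND_PORT)]:
        sent, findings = diagnose(loc, REGISTERED)
        print(f"{label}: redirect_uri={sent}")
        for finding in findings or ["matches the registered redirect URI"]:
            print(f"  - {finding}")
```
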