
Running Quarkus OIDC/Keycloak behind path-based reverse proxy - Stack Overflow


I have a Quarkus UI (Qute/OIDC) that calls out to/redirects users to Keycloak for auth. I have traditionally had little issue with this, as I was not using a reverse proxy.

However, I am trying to move to using a path-based reverse proxy, and that seems to be messing with redirects.

For reference:

https://<host>/infra/keycloak //works fine, access is dandy
https://<host>/core/base-station -> proxy strips prefix of "/core/base-station" when proxying request, passes `x-forwarded-prefix` header. Works.

The issue that arises is that you end up getting redirected back to /core/base-station/core/base-station/... instead of /core/base-station/.... This doubling up of the prefix obviously causes a 404.

Looking at the URL on the Keycloak sign-in, the redirect_url parameter looks correct with /core/base-station/overview. In turn, Keycloak appears to send me back to base station (UI) appropriately. However, the second redirect Quarkus does after dealing with the state token sends the user to the doubled-up path. Accessing the correct path after this results in seeing the UI as expected.

Trying a few configs:

```properties
# proxy
quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-x-forwarded=true
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.enable-forwarded-prefix=true

# OIDC
# quarkus.oidc.authentication.redirect-path=/core/base-station # Causes double-prefix before state processed instead of after

quarkus.oidc.authentication.cookie-path=/core/base-station/
quarkus.oidc.authentication.cookie-suffix=core-base-station
```

Log from final redirect of OIDC flow, showing prefixing:

```
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][1138e231afaded3aa69a94a09a08a530|  |ee1333c5bf637bd2|true ][io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-6 ]():: Starting the final redirect
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [INFO ][                |  |                |     ][io.qu.ht.access-log                     |vert.x-eventloop-thread-6 ]():: 192.168.122.1 - - [01/Feb/2025:18:16:26 +0000] "GET /core/base-station/overview?state=1df174fd-d9ee-4713-9beb-44c0950cf1bc&session_state=6f0a26d9-2bda-4610-94c7-cd4d0c7c1c96&iss=https%3A%2F%2Foqm-test-us-24-04.local%2Finfra%2Fkeycloak%2Frealms%2Foqm&code=efbd2d7d-e06d-47db-bb11-f23f89b9abef.6f0a26d9-2bda-4610-94c7-cd4d0c7c1c96.94f2e76a-5118-442b-9b79-532bde13982d HTTP/1.1" 302 -
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Using X-Forwarded-Proto to set scheme to https
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Using oqm-test-us-24-04.local to set host to oqm-test-us-24-04.local and port to -1
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Using X-Forwarded-Prefix to prefix URI /core/base-station/overview with prefix /core/base-station
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Using X-Forwarded-Port to set port to 443
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Using X-Forwarded-For to set for host to 192.168.122.1 and for port to 60342
Feb 01 18:16:26 oqm-test-us-24-04 bash[217459]: 18:16:26 [DEBUG][                |  |                |     ][io.qu.ve.ht.ru.ForwardedParser          |vert.x-eventloop-thread-6 ]():: Recalculated absoluteURI to /core/base-station/core/base-station/overview
```

Turning off `quarkus.http.proxy.enable-forwarded-prefix` and setting `quarkus.oidc.authentication.redirect-path` to the prefix ends up with a final result of a redirect loop between Keycloak and Quarkus constantly going through the OIDC flow.

Anything I can do to make the second redirect handle appropriately, or otherwise make this work?
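
A diagnostic sketch for the log above, added here and not part of the original question: it pairs each `X-Forwarded-Prefix` line with the next `Recalculated absoluteURI` line and flags requests whose incoming URI already began with the prefix, which is the condition that yields the doubled path. The sample lines are abridged from the question's log plus one constructed healthy pair, and the function names are hypothetical.

```python
import re

# Abridged from the ForwardedParser DEBUG lines in the question (timestamp and
# thread fields dropped). The second pair is constructed for contrast.
SAMPLE_LOG = """\
[io.qu.ve.ht.ru.ForwardedParser]():: Using X-Forwarded-Prefix to prefix URI /core/base-station/overview with prefix /core/base-station
[io.qu.ve.ht.ru.ForwardedParser]():: Using X-Forwarded-Port to set port to 443
[io.qu.ve.ht.ru.ForwardedParser]():: Recalculated absoluteURI to /core/base-station/core/base-station/overview
[io.qu.ve.ht.ru.ForwardedParser]():: Using X-Forwarded-Prefix to prefix URI /overview with prefix /core/base-station
[io.qu.ve.ht.ru.ForwardedParser]():: Recalculated absoluteURI to /core/base-station/overview
"""

PREFIX_RE = re.compile(r"Using X-Forwarded-Prefix to prefix URI (\S+) with prefix (\S+)")
RESULT_RE = re.compile(r"Recalculated absoluteURI to (\S+)")


def starts_with_segment(path, prefix):
    """True if `path` begins with `prefix` on a whole path-segment boundary."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def find_double_prefix(log_text):
    """Return one finding per request that reached Quarkus already prefixed."""
    findings = []
    pending = None  # (incoming_uri, prefix) awaiting its "Recalculated" line
    for line in log_text.splitlines():
        m = PREFIX_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m and pending:
            uri, prefix = pending
            pending = None
            # The prefix should only be added to a URI the proxy has stripped.
            if starts_with_segment(uri, prefix):
                findings.append(
                    {"incoming_uri": uri, "prefix": prefix, "recalculated": m.group(1)}
                )
    return findings


if __name__ == "__main__":
    for f in find_double_prefix(SAMPLE_LOG):
        print("already prefixed:", f["incoming_uri"], "->", f["recalculated"])
```

Each finding identifies a request that arrived with the prefix still attached, so the place to look is whatever produced that URL (the proxy's strip rule or the redirect that led to it).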
