use relative OIDCRedirectURI where applicable

[johrstrom]

Use relative OIDCRedirectURI where applicable, i.e., when not using a proxy server.

This is for partial support for #3442 - at least the OIDC bit.

[johrstrom]

This may have been a bug unrelated to relative or absolute URIs.

You see here that OIDCProviderMetadataURL is the proxy_server, but OIDCRedirectURI was the servername. I assume we'd want the OIDCRedirectURI to be the proxy, not the origin server. could it be that nobody runs dex behind a proxy and so nobody has encountered this?

[treydock]

I'm not sure I follow, why not use relative for proxy too? I think the address seen by IDP like Keycloak or Dex would be the address that a user was using to access the OnDemand instance and that is configured to redirect back to after authentication.

[johrstrom]

I'm not sure I follow, why not use relative for proxy too? I think the address seen by IDP like Keycloak or Dex would be the address that a user was using to access the OnDemand instance and that is configured to redirect back to after authentication.

I guess my thinking was that apache may not know or use the proxy name. It seems to me that apache would use HTTP_HOST (the apache servername) not HTTP_FORWARDED_FOR (the proxy servername) (or similar IDK if that's the real header name).

I'll re-read the documentation to see if it's smart enough to generate the proxy name.

[johrstrom]

Looks like you're right - their oidc_get_current_url_host helper function can toggle off of forwarded for headers.

https://github.com/OpenIDC/mod_auth_openidc/blob/9ac1e205962dff01a557425c03840712722c82a9/src/util.c#L704-L712

[johrstrom]

I'll update the PR because it does catch this edge case for proxies, so I can simplify it.