Skip to content

Update proposed by a customer - Request for feedback #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Update proposed by a customer - Request for feedback #82

wants to merge 2 commits into from

Conversation

@jjngx
Copy link

@jjngx jjngx commented Jun 13, 2023

A customer asked to add a param: proxy_set_header Origin ""; to the oidc config used in the NIC.

We want open a discussion and get your team advise about possible implications.

@shaun-nx @haywoodsh and @vepatel were running a set of tests on our side.
@route443
Copy link
Contributor

route443 commented Jun 13, 2023

Hi @jjngx and thanks for the PR!

The OIDC itself does not define specific requirements for the Origin header, and its use is largely up to the IdP implementation. If origin header is undefined or empty in the OIDC context, this should not cause any issues unless the IdP has specific requirements for this header. So in theory we should be safe here. However, I have a few concerns:

  1. Regarding the specificity of the change to only the /_jwks_uri location block, it would be beneficial to fully understand why this change is necessary. If the customer is experiencing issues with Okta, they may also encounter them in other areas not yet covered by the PR. If this is an issue specific to how Okta handles OIDC flow, it might be necessary to apply this change in all the places where a subrequest could be made to Okta, like /_refresh location.

  2. Modifying the default configuration to accommodate a single provider's unique requirements might not be the best approach. It's crucial to ensure that these changes do not disrupt the functionality of other ID providers. It's generally a good practice to keep the default configuration as broad as possible, covering the most common use cases.

  3. It seems like a reasonable solution to adjust the configuration dynamically based on the ID provider chosen by the client. This would be a better approach than universally applying a setting tailored to a specific provider. When Okta is chosen, you could programmatically add the proxy_set_header Origin ""; line to the configuration.

In conclusion, while the PR can be considered as a possible solution, it's important to thoroughly test its implications and possibly consider more flexible solutions.
@jjngx
Copy link
Author

jjngx commented Jun 14, 2023

@route443 thank you for providing feedback! I have added a missing line (proxy_set_header Origin ""; in _refresh location) from customer's patch.

cc / @jasonwilliams14
@jjngx jjngx closed this Jul 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@jjngx @route443