Fix #35283: allow to enforce https in OIDC redirect URI

LEDfan · LEDfan · commit 84bce5f781fb · 2025-07-02T08:57:33.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/oidc/OpenIDConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/oidc/OpenIDConfiguration.java
@@ -55,6 +55,7 @@ public class OpenIDConfiguration {
     public static final String PROP_OPENID_JWKS_SIGNATURE_ALGORITHM = "proxy.openid.jwks-signature-algorithm";
     public static final String PROP_DEFAULT_ALGORITHM = "RS256";
     public static final String PROP_INCLUDE_DEFAULT_SCOPES = "proxy.openid.include-default-scopes";
+    public static final String PROP_ENFORCE_HTTPS_REDIRECT_URI = "proxy.openid.enforce-https-redirect-uri";
 
     @Inject
     private Environment environment;
@@ -82,7 +83,7 @@ public ClientRegistrationRepository clientRegistrationRepository() {
             .withRegistrationId(REG_ID)
             .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
             .clientName(REG_ID)
-            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
+            .redirectUri(getOpenIdRedirectUri())
             .scope(scopes.toArray(new String[0]))
             .userNameAttributeName(environment.getProperty("proxy.openid.username-attribute", "email"))
             .authorizationUri(environment.getProperty("proxy.openid.auth-url"))
@@ -120,4 +121,11 @@ public JwtDecoderFactory<ClientRegistration> oidcIdTokenDecoderFactory() {
         return factory;
     }
 
+    private String getOpenIdRedirectUri() {
+        if (environment.getProperty(PROP_ENFORCE_HTTPS_REDIRECT_URI, Boolean.class, false)) {
+            return "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}";
+        }
+        return "{baseUrl}/login/oauth2/code/{registrationId}";
+    }
+
 }
