Oauth callback URL inserting port

[timothystewart6]

I am doing ssl termination in front of api-umbrella. I have configured oAuth with both GitHub and Google and it seems to be appending the http port to the callback:

https://api.example.com:80/admins/auth/google_oauth2/callback, does not match the ones authorized for the OAuth client.

I can access the site fine and I am passing host headers however it seems like api-umbrella is not honoring that the original request came in over https however it is http after the traffic passes my firewall.

As a test, I set the http_port: 8080 in /etc/api-umbrella/api-umbrella.yml and I get:

The redirect URI in the request, https://api.example.com:8080/admins/auth/google_oauth2/callback, does not match the ones authorized for the OAuth client.

It does this for both Google and GitHub. I am using your docker container.

[timothystewart6]

Any ideas? I am hoping to put this gateway in from of one of my APIs. I wish there were a local option, however I am fine with oauth if it would just work.

[GUI]

If you're terminating SSL with something else in front of API Umbrella, is that SSL terminator setting the X-Forwarded-Proto and X-Forwarded-Port HTTP headers? I suspect that might be the issue (I know we've successfully used AWS ELB's as SSL terminators, which sets these headers). If the SSL terminator sets X-Forwarded-Proto: https and X-Forwarded-Port: 443 for SSL connections, then I think all of the ports and oauth urls should work as expected.

But let us know if you are setting those headers and things aren't working.

(And we will have a local authentication option in the upcoming release, so hopefully that will help simplify things too.)

[timothystewart6]

Thanks for the tip. It looks like Sophos XG Firewall isn't creating these headers in their WAF product and I don't think I can. I only have the option to forward host headers and it only seem like X-Forwarded-Port isn't working (since it tries to send the callback to the correct domain, protocol, but not port).

I honestly think this is an API Umbrella issue since these ports (80/8080/etc) are set in API Umbrella and nowhere else, and not a header issue. I use nonstandard ports on the inside of my proxy/firewall/outside port for the Docker container. API Umbrella is telling Google and GitHub that the OAuth callback URL is {protocol}{host}{port}{callback}

Instead of doing SSL termination on my firewall, I will just do it on API Umbrella. Hopefully I can go back to SSL on my firewall since this is the only one-off in my entire environment. I will try to investigate some more but not sure where to look in the code.

[timothystewart6]

As a better workaround, I am still doing SSL termination on my firewall and now using the self-signed cert for the traffic between API Umbrella and the inside of my firewall. This combination allows the Google OAuth2 callback to still communicate with API Umbrella using the correct protocol, host, port, and callback path. Thanks again for the tip, that gave me a clue on how to work around what I have been experiencing. I will dig into the code when I can and see what I can find.

For reference, here is what works:
[api-umbrella-docker-container]<--self-signed-cert:443:9200-->[firewall-ssl-termination]<--public-signed-cert:9200:443-->{internet}

[timothystewart6]

Now I can proxy the calls through API Umbrella but nothing is getting logged in analytics. 😿 I think I will hold off on this product until the next release.

[GUI]

The basic issue is that without proper X-Forwarded-Proto and X-Forwarded-Port headers, API Umbrella has no way to determine the public protocol and port used. So I'd still recommend using those headers to solve this if possible, but we've added some additional configuration options in the v0.14.0 release which might allow you to workaround this issue in other ways: https://api-umbrella.readthedocs.io/en/latest/server/listen-ports.html

[RishiRajBali]

i want to call a api umbrella using java, using rest api how can i