Hue OIDC auth redirect uri issue

Hello,

I am currently trying to integrate an OIDC authentication backend for Hue (image: 4.7.0) that interacts with our in-house SSO client that provides tokens to the Hue application.

Hue is able to navigate to the oidc_op_authorization_endpoint for my configured value, but I see it's not taking the redirect login URL which I am passing. I narrowed down that it seems to be failing due to the redirect URI defaulting to localhost; the authentication API fails saying invalid URI. I defined a login_redirect_url, like the example in hue.ini, as seen below.

Please kindly suggest how to override this value.

FYI: We are using the official Hue Helm chart, which comes with default nginx (we aren't modifying any configs for nginx). However, we have an ingress config for the default URL, which is also mentioned below.

    [[oidc]]
      # The client ID as relay party set in OpenID provider
      oidc_rp_client_id=hue-auth

      # The client secret as relay party set in OpenID provider
      oidc_rp_client_secret=*****tSOdhkYDlxSOqelxfpQcxQX

      # The OpenID provider authorization endpoint
      ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
      oidc_op_authorization_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/auth

      # The OpenID provider token endpoint
      oidc_op_token_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/token

      # The OpenID provider user info endpoint
      oidc_op_user_endpoint=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/***/openid-connect/userinfo

      # The OpenID provider signing key in PEM or DER format
      ## oidc_rp_idp_sign_key=/path/to/key_file

      # The OpenID provider authorization endpoint
      oidc_op_jwks_endpoint=https://flying-kraken.id3.uat.cloud.***.net/api/v1/domains/***/openid-connect/certs

      # Whether Hue as OpenID Connect client verify SSL cert
      oidc_verify_ssl=false

      # As relay party Hue URL path to redirect to after login
      login_redirect_url=https://hue-pras0004.use.eks.arch.sip.dev.cloud.***.net/oidc/callback/

      # The OpenID provider URL path to redirect to after logout
      logout_redirect_url=https://flying-kraken.id3.uat.cloud.**.net/api/v1/domains/**/openid-connect/logout

      # As relay party Hue URL path to redirect to after login
      login_redirect_url_failure=https://hue-pras0004.use.eks.arch.sip.dev.cloud.**.net/hue/oidc_failed/

      # Create a new user from OpenID Connect on login if it doesn't exist
      create_users_on_login=true

[Image: Screenshot 2022-12-15 at 2.15.23 PM]

As seen in the above image, the redirect URI is taking the default localhost value and not taking the overridden value. I even tried setting the yarn -> proxy URL, but that didn't work either.

Thanks. I was able to solve this with the below config changes in the ini file.

    [desktop]
      redirect_whitelist="^\/.*$,^<Your SSO redirect base url>\/.*$"

      [[auth]]
      behind_reverse_proxy=true
      reverse_proxy_header=HTTP_X_FORWARDED_FOR

    [proxy]
      # Comma-separated list of regular expressions,
      # which match 'host:port' of requested proxy target.
      whitelist=<base url>

    [[yarn_clusters]]
      [[[default]]]
      # Enter the host on which you are running the ResourceManager
      ## resourcemanager_host=localhost

      # The port where the ResourceManager IPC listens on
      ## resourcemanager_port=8032

      # URL of the ResourceManager API
      resourcemanager_api_url=<base url>

      # URL of the ProxyServer API
      proxy_api_url=<base url>
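
A check of how the `redirect_whitelist` value above behaves once the placeholder is filled in, as an added example that is not part of the original post or Hue's own code. It assumes the value is split on commas and each pattern is applied with `re.match` to the redirect URL; `SSO_BASE`, the helper names and the probe URLs are constructed for illustration.

```python
import re

# Constructed stand-in for "<Your SSO redirect base url>"; not a value from the post.
SSO_BASE = "https://sso.example.com"

def parse_whitelist(value):
    """Split a redirect_whitelist value on commas and compile each pattern."""
    return [re.compile(p) for p in value.strip('"').split(",") if p]

def is_allowed(url, patterns):
    """Assumed semantics: allowed when any pattern matches from the start of the URL."""
    return any(p.match(url) for p in patterns)

def whitelist_value(base_url, escape):
    """Fill the template from the post, optionally regex-escaping the base URL."""
    base = re.escape(base_url) if escape else base_url
    return r'"^\/.*$,^' + base + r'\/.*$"'

# Constructed probe URLs: the expected targets plus two look-alike hosts.
PROBES = [
    "/hue/oidc_failed/",
    "https://sso.example.com/openid-connect/logout",
    "https://sso-example.com/openid-connect/logout",   # "." in the regex matches "-"
    "https://sso.example.com.other.test/logout",       # stopped by the trailing \/
]

def compare(probes=PROBES):
    """Return {url: (allowed_with_raw_base, allowed_with_escaped_base)}."""
    raw = parse_whitelist(whitelist_value(SSO_BASE, escape=False))
    esc = parse_whitelist(whitelist_value(SSO_BASE, escape=True))
    return {u: (is_allowed(u, raw), is_allowed(u, esc)) for u in probes}

if __name__ == "__main__":
    for url, (raw_ok, esc_ok) in compare().items():
        print(f"raw={raw_ok!s:5} escaped={esc_ok!s:5} {url}")
```

Pasting the base URL unescaped leaves each `.` as a wildcard, so a different host can pass the check; escaping the dots and keeping the trailing `\/` from the post's pattern limits the match to the intended host.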