Roundcube Community Forum

News and Announcements => General Discussion => Topic started by: indridi on April 22, 2024, 05:57:57 AM

Title: Roundcube OAuth - insecure redirect url error.
Post by: indridi on April 22, 2024, 05:57:57 AM
Hello all,

I am setting up roundcube in a dockerized environment, and am trying to enable authentication over oauth. My setup:

So, now begins the interesting part - I set up roundcube oauth to authenticate against my authelia server, as described here: https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2 and also here: https://github.com/authelia/authelia/discussions/7048.

Once I enter webmail.example.com, I am redirected to auth.example.com. I do my login-stuff, and expect to be redirected back to roundcube. However, I get an error, originating from my authelia backend, saying Redirect URL is using an insecure protocol. http is only allowed for hosts with suffix "localhost ..." - this is after having added http://webmail.example.com/index.php/login/oauth in the list of allowed redirection uris in authelia. If I use only the https variant in authelia config, the process errors out sooner, since authelia rejects the login attempt without asking for credentials if the redirect url isn't in its allowed list.

From Authelia documentation, I know that Authelia is hard-coded to reject insecure redirect uris.

So my question is: how come roundcube is asking authelia to redirect back to http://webmail.example.com, instead of https://webmail.example.com? I see that nowhere in the process do I provide the roundcube container with the FQDN webmail.example.com, neither with http nor https. Therefore, roundcube must be getting this from somewhere else, most certainly traefik. But what I don't understand is why it picks up the insecure variant, whereas traefik is explicitly configured to never serve that up.

From Authelia forums/issue tracker, I know there are confirmed cases where the combination authelia+roundcube works - so I strongly suspect the issue to sit on my side of the keyboard, maybe in configuring the interplay with traefik reverse proxy. I would really appreciate it if someone could point me in the right direction.

Greetings,
Indriði.
Title: Re: Roundcube OAuth - insecure redirect url error.
Post by: indridi on April 22, 2024, 07:45:14 AM
As always, writing things up clears the mind. Started looking a bit more, found that get_redirect_uri calls

    $rcmail->url([], true, true);

At that point, one might consider doing

    $rcmail->url([], true, true, true);

to enforce an SSL connection. But looking further, we get to

    $prefix = rcube_utils::resolve_url($prefix);

and then

    if (self::https_check()) {
        $schema = 'https';
        $default_port = 443;
    }

and https_check has this snippet:

    if ($use_https && rcube::get_instance()->config->get('use_https')) {
        return true;
    }

which leads to the well-documented defaults.inc.php:

    // tell PHP that it should work as under secure connection
    // even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
    // e.g. when you're running Roundcube behind a https proxy
    // this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
    $config['use_https'] = false;

where I, admittedly, might have started looking in the first place. But sometimes one just has to formulate a question for someone else to organize the thoughts well enough to see the obvious.

Greetings,
Indriði
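The chain traced in the post above (get_redirect_uri -> url() -> https_check() -> the use_https setting) is easier to see with the decision logic written out. The following is an added example, not Roundcube's own code and not from either post: it is a stripped-down model of how the scheme of the OAuth redirect URI is chosen when TLS is terminated by a proxy such as traefik and the container itself only ever sees plain HTTP. The function names modelHttpsCheck and modelRedirectUri, and the request environment, are constructed for the illustration; the only inputs modelled are the two the thread discusses, $_SERVER['HTTPS'] and the use_https config flag.

```php
<?php
// Added example: simplified model of Roundcube's scheme selection for the
// OAuth redirect URI behind a TLS-terminating reverse proxy.
// Function names are hypothetical; this is NOT Roundcube's code.

// Decide whether the request should be treated as HTTPS.
// Only the two inputs discussed in the thread are modelled.
function modelHttpsCheck(array $server, array $config): bool
{
    // PHP populates $_SERVER['HTTPS'] only when PHP itself terminated TLS.
    // With traefik terminating TLS and forwarding plain HTTP to the
    // container, this key is absent, so this branch is never taken.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }

    // The override from config/defaults.inc.php: tell Roundcube to assume
    // the connection is secure even though it cannot see the TLS itself.
    // Enable this only when the proxy actually enforces HTTPS for every
    // request, because it is trusted unconditionally.
    if (!empty($config['use_https'])) {
        return true;
    }

    return false;
}

// Build the redirect URI that is sent to the OAuth provider (Authelia).
// The path is the one from the thread: index.php/login/oauth.
function modelRedirectUri(array $server, array $config): string
{
    $scheme = modelHttpsCheck($server, $config) ? 'https' : 'http';
    $host   = $server['HTTP_HOST'];
    return $scheme . '://' . $host . '/index.php/login/oauth';
}

// Constructed request environment: what the container sees when traefik
// terminates TLS. The Host header is forwarded, HTTPS is not set.
$server = ['HTTP_HOST' => 'webmail.example.com'];

// 1) Default config from defaults.inc.php (use_https = false).
echo "use_https=false: ", modelRedirectUri($server, ['use_https' => false]), PHP_EOL;

// 2) Corrected config for a proxied deployment, i.e. in config.inc.php:
//      $config['use_https'] = true;
//    (mutually exclusive with 'force_https', per defaults.inc.php)
echo "use_https=true:  ", modelRedirectUri($server, ['use_https' => true]), PHP_EOL;
```

With the default setting the model produces the http:// form of the URI, which is exactly what Authelia rejected as insecure; with use_https enabled it produces the https:// form, which is the variant that belongs in Authelia's allowed redirect URI list. The practical check after changing the setting is to look at the redirect_uri parameter in the authorization request Roundcube sends to Authelia and confirm it matches the https entry character for character, since Authelia refuses the login outright when it does not.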