shreemaan-abhishek commented on code in PR #13081:
URL: https://github.com/apache/apisix/pull/13081#discussion_r2929441757


##########
apisix/plugins/openid-connect.lua:
##########
@@ -622,6 +623,88 @@ local function validate_claims_in_oidcauth_response(resp, 
conf)
     return core.schema.check(conf.claim_schema, data)
 end
 
+
+local function get_forwarded_param(ctx, param_name)
+    local forwarded = ctx.var.http_forwarded
+    if not forwarded then
+        return nil
+    end
+    -- take only the first proxy entry (before any comma)
+    local first = forwarded:match("^([^,]+)")
+    if not first then
+        return nil
+    end
+    for part in first:gmatch("[^;]+") do
+        local name, value = part:match("^%s*([^=]+)%s*=%s*(.-)%s*$")
+        if name and name:lower() == param_name then
+            -- strip surrounding quotes
+            if value:sub(1, 1) == '"' then
+                value = value:sub(2, -2)
+            end
+            return value
+        end
+    end
+    return nil
+end
+
+
+-- Build an absolute redirect_uri from the incoming request.
+local function build_redirect_uri(ctx)
+    local suffix = "/.apisix/redirect"
+    local uri = ctx.var.uri
+    local redirect_path
+    if core.string.has_suffix(uri, suffix) then
+        -- This is the redirection response from the OIDC provider.
+        redirect_path = uri
+    else
+        if string.sub(uri, -1, -1) == "/" then
+            redirect_path = string.sub(uri, 1, -2) .. suffix
+        else
+            redirect_path = uri .. suffix
+        end
+    end
+
+    local scheme
+    local host
+
+    if trusted_addr.is_trusted(ctx.var.realip_remote_addr) then
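Review bot: In get_forwarded_param, `forwarded:match("^([^,]+)")` keeps the leftmost Forwarded element. When proxies append to the header rather than replace it, that element is the one added farthest from APISIX and can be whatever the client sent. The `trusted_addr.is_trusted(ctx.var.realip_remote_addr)` check in build_redirect_uri only establishes that the connecting peer is trusted, not that it overwrote the header. The rest of build_redirect_uri is not shown, but if scheme and host for the redirect_uri come from this helper, please either document that trusted proxies must replace any incoming Forwarded header or read the element contributed by the trusted hop, and validate the returned value as a scheme or host before using it. Separately, `value:sub(2, -2)` drops the last character whenever the value starts with a quote, without checking that it also ends with one. Splitting on `,` and `;` before unquoting will also mis-parse a quoted value that contains either character.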

Review Comment:
   I have followed the method used by the lua-resty-openidc library, i.e. try to 
extract from the `Forward` header first, then look at xfh, otherwise fall back to 
the `http_host` value. You can find that here:
   
   
https://github.com/zmartzone/lua-resty-openidc/blob/fabf64e29062f5e7658de1cee52f572221203b1e/lib/resty/openidc.lua#L271-L275


