Support an option to set a proxy prefix path

[efr00]

First of all, thank you for the excellent work you have done on oidc-provider.
I would like to propose a new option to resolve an issue I have encountered.
You will find all the details below, and I hope I have provided sufficient information.

Description

When the Authorization Server is deployed behind a Reverse Proxy with a path prefix.
I notice problems in the OpenID Connect journey like:

• Broken redirection
• Cookie path mismatches
• Generated URLs in discovery endpoint (/.well-known/openid-configuration) don't include this prefix

We are in a context of Microservice architecture.
We have mounted the OpenID Connect Provider on /oidc of one of the existing service which we will refer to here as “my-service”.
We use a Reverse Proxy with path-based routing to forward the request to the correct service (used for internal routing).
We use Nginx in front of this Reverse Proxy to route from internet.
Our application we will refer to here as "my-app".

Here is a diagram to illustrate:
Client -> Internet (my-app.com) -> Nginx -> Reverse Proxy -> Authorization Server (my-service)

In summary:

• The OIDC provider is accessible at: https://my-app.com/my-service/oidc
• When a client requests https://my-app.com/my-service/oidc/auth
  • Then Nginx forward the request to the Reverse Proxy
• The Reverse Proxy strips /my-service before forwarding requests to the service (to "my-service")
• The service ("my-service") mounts oidc-provider at /oidc
• Generated URLs (redirects, discovery endpoints, etc...) only include /oidc, missing the /my-service prefix
• This breaks the authorization flow

Steps to reproduce

Firstly, I update the /etc/hosts file to add the line:
127.0.0.1 my-app.com

Secondly, I wrote a test to illustrate this (without using Nginx to simplify), it is composed of two services:

• The first is the reverse proxy (available at http://my-app.com:3001)
• The second is the OIDC provider (available at http://my-app.com:3000)
  (Below you will find the source code for these two services)

Finally, you have to run the two services and using one of these URL to test and observe the issue:

• http://my-app.com:3001/my-service/oidc/.well-known/openid-configuration
• http://my-app.com:3001/my-service/oidc/auth?client_id=foo&redirect_uri=https://oidcdebugger.com/debug&scope=openid%20profile%20email&response_type=code

(I use https://oidcdebugger.com for the redirect URI because it is publicly available on the internet)

You will see that:

• The discovery endpoint cannot correctly determine the others endpoints (missing "/my-service")
• The interaction endpoint is not found (404) (missing "/my-service")
• The _interaction and _interaction_resume cookies are set on incorrect path (missing "/my-service")

Reverse proxy

Dependencies: fastify v5.6.1, @fastify/http-proxy v11.3.0

// reverse-proxy/src/index.js
import Fastify from "fastify";
import proxy from "@fastify/http-proxy";

const createServer = () => {
    const server = Fastify({
        logger: true,
    });

    // /my-service/path will be proxied to http://my-app.com:3000/path
    server.register(proxy, {
        upstream: 'http://my-app.com:3000',
        prefix: '/my-service',
        rewritePrefix: '',
        internalRewriteLocationHeader: false,
        preHandler: (request, reply, done) => {
            console.log('[proxy] preHandler url:', request.url)
            done();
        },
    });

    return server;
};

const startServer = async (server) => {
    try {
        await server.listen({ host: 'my-app.com', port: 3001 });
    } catch (err) {
        server.log.error(err);
        process.exit(1);
    }
};

startServer(createServer());

OIDC Provider

Dependencies: fastify v5.6.1, @fastify/middie v9.0.3, oidc-provider v9.5.2

// my-oidc-provider/src/index.js
import Fastify from "fastify";
import fastifyMiddie from "@fastify/middie";
import OIDCProvider from "./OIDCProvider.js";

const createServer = () => {
    const server = Fastify({
        logger: true,
        trustProxy: true,
    });

    server.addHook("onRequest", (request, reply, done) => {
        console.log("[fastify] onRequest url:", request.url);
        done();
    });

    server.register(fastifyMiddie).after(() => {
        server.use("/oidc", OIDCProvider.callback());
    });

    return server;
};

const startServer = async (server) => {
    try {
        await server.listen({ host: "my-app.com", port: 3000 });
    } catch (err) {
        server.log.error(err);
        process.exit(1);
    }
};

startServer(createServer());

// my-oidc-provider/src/OIDCProvider.js
import Provider from "oidc-provider";

const issuerUrl = "http://my-app.com:3001/my-service/oidc";

const OIDCProvider = new Provider(issuerUrl, {
    clients: [
        {
            client_id: "foo",
            client_secret: "bar",
            redirect_uris: ["https://oidcdebugger.com/debug"],
            grant_types: ["authorization_code"],
            response_types: ["code"],
            scope: "openid profile email",
        },
    ],
    cookies: {
        long: {
            domain: `my-app.com`,
        },
        short: {
            domain: `my-app.com`,
        },
    },
    interactions: {
        url(ctx, interaction) {
            return `${issuerUrl}/interaction/${interaction.uid}`;
        },
    },
    scopes: ["openid", "profile", "email"],
    claims: {
        openid: ["sub"],
        profile: ["family_name", "given_name", "locale"],
        email: ["email", "email_verified"],
    },
    pkce: {
        required: () => false,
    },
    features: {
        claimsParameter: {
            enabled: true,
        },
    },
    async findAccount(ctx, id) {
        return {
            accountId: id,
            async claims(use, scope) {
                return {
                    email: "alice.bob@dummy.com",
                    email_verified: true,
                    family_name: "Bob",
                    given_name: "Alice",
                    locale: "fr-FR",
                    sub: id,
                };
            },
        };
    },
});

OIDCProvider.proxy = true;

export default OIDCProvider;

Expected Behavior

• All endpoints in the discovery endpoint response have /my-service/oidc as a prefix
• The interaction endpoint is http://my-app.com:3001/my-service/oidc/interaction/:uid
• The _interaction cookie is set on path on path /my-service/oidc/interaction/:uid
• The _interaction_resume cookie is set on path /my-service/oidc/auth/:uid

How to resolve this

I suggest adding an option to the provider configuration (for example: proxyPathPrefix) that allows specifying the path prefix used by the Reverse Proxy.

const provider = new Provider('https://my-app.com/my-service/oidc', {
  proxyPathPrefix: '/my-service', // defaults to undefined
  // ... other configuration
});

When configured, the prefix is automatically prepended to the mountPath when generating URLs via the urlFor() method, ensuring all generated URLs correctly include the proxy path prefix.

    // oidc-provider/lib/helpers/oidc_context.js
    urlFor(name, opt) {
      const { originalUrl } = this.ctx.req;
      let mountPath = originalUrl?.substring(0, originalUrl?.indexOf(this.ctx.request.url))
        || this.ctx.mountPath // koa-mount
        || this.ctx.req.baseUrl // expressApp.use('/op', provider.callback());
        || ''; // no mount

      const proxyPathPrefix = instance(provider).configuration.proxyPathPrefix;
      if (proxyPathPrefix) {
        mountPath = `${proxyPathPrefix}${mountPath}`;
      }

      return new URL(provider.pathFor(name, { mountPath, ...opt }), this.ctx.href).href;
    }

If you want to check the behavior of this option with my test above.
You need to add the option rewriteUrl to the Fastify server where the OIDC provider is mounted:

const server = Fastify({
    logger: true,
    trustProxy: true,
    rewriteUrl(request) {
            /*
            * In order to demonstrate the problem and to simplify it
            * We don't use Nginx in front of the Fastify server.
            * So the host is incorrect because we have to specify the port in the url (for example: http://my-app.com:3001/).
            * which also requires us to rewrite the url to the correct one
            * /my-service/oidc/auth -> /oidc/auth
            * 
            * Because the path "/my-service" doesn't exist in this service.
            *
            * This is a workaround to simulate the use of Nginx.
            * In real life, we don't need this!
            *
            * Otherwise, the Nginx configuration would look something like this:
            * server {
            *     listen 127.0.0.1:80;
            *     server_name my-app.com;
            *
            *     location / {
            *         proxy_pass http://127.0.0.1:3001;
            *     }
            *
            *     location /my-service {
            *         proxy_pass http://127.0.0.1:3001;
            *   }
            * }
            */
            console.log("[fastify] rewriteUrl:", request.url);
            if (request.url?.startsWith("/my-service")) {
                console.log("[fastify] rewriteUrl after:", request.url.slice("/my-service".length));
                return request.url.slice("/my-service".length)
            }
            console.log("[fastify] rewriteUrl after:", request.url || '/');
            return request.url || '/'
        },
})

What do you think of my proposal? Is it clear and detailed?

[hodfords-minhngo-be]

Thanks @efr00, I have the same issue with reverse proxy. Could you share your solution right now?