是否可以将 Micronaut OAuth2 callback-uri 设置为绝对 URL？

Question

I have a Micronaut web-app that uses OpenId / OAuth2 / JWT. In some environments, everything works really well with this set up, however, in other environments, auth fails during the step where the configured callback-uri is called. For some reason, in these environments, the URL generated is "http" instead of "https". This causes the call to fail since my application is only accessible over https.

I have no clue why it is trying to use http in the first place, however, if I was able to specify the callback-uri as an absolute / full URL, then I could probably work around this anomaly in these environments.

An example yml config that I use:

  application:
    name: xxxxx
  security:
    authentication: idtoken
    oauth2:
      enabled: true
      clients:
        azure:
          client-id: ${OAUTH_CLIENT_ID}
          client-secret: ${OAUTH_CLIENT_SECRET}
          openid:
            issuer: https://login.microsoftonline.com/xxx
      callback-uri: ${OAUTH_CALLBACK_URI}
    redirect:
      login-success: ${LOGIN_SUCCESS_URL}
      logout: '/logout-handler/logout-success'
    endpoints:
      logout:
        get-allowed: true
    token:
      jwt:
        cookie:
          cookie-same-site: none
          cookie-secure: true

In this config if I set the callback-uri environment variable (OAUTH_CALLBACK_URI) to /oauth/callback/azure, for example, then the full URL that seems to be used is http://xxxxx/oauth/callback/azure. However, if I use a full URL for the environment variable, eg https://xxxxx/oauth/callback/azure then the full URL it uses still appends that as opposed to using it as an absolute URL, ie http://xxxxx/https://xxxxx/oauth/callback/azure.

Is it possible to specify this uri as an absolute one and not have it append it like the above effectively duplicating it?

Answer 1

Good news. This was fixed in micronaut-security 2.3.4 https://github.com/micronaut-projects/micronaut-security/pull/644