Oauth signature calculation when used with LB SSL offloading

[cyrus_mc]

My application sits behind a load balancer which does SSL offloading.

Therefore, the client application hits https://my-server.com/application which goes to the load balancer, terminates the SSL and proxies the request to the actual server http://my-server.com/application. This ends up failing the signature check because the schema has changed.

Is there a way in oauth to handle this scenario? Doing some googling I have come across a non-standard HTTP header X-Forwarded-Proto which can be set to the forwarded protocol. Is it valid to use this as the schema when calculating the signature as opposed to what is returned from getRequestURL (in the Java world)?

Thanks

[mfirry]

Hi, I'm facing the same issue.

Did you manage to fix this?

[Dave Syer]

I think you may need to inject an OAuthProviderSupport into your <provider support-ref=".."/>. There you can customize the URL calculation, either by providing a fixed baseUrl, or by implementing your own logic based on a custom header. Is that it?

[mfirry]

i'm trying to do it this way: http://bit.ly/MtPbif

but after having added my ChannelDecisionManagerPostProcessor it starts complaining that my securityContextRepository is null

ps: i'm working on sparklr2 example.

[Dave Syer]

That's a different problem (OP was about OAuth 1.0 signature calculations, yours is about OAuth2). Why not start a new thread?

[mfirry]

sorry about that