I’ve tried setting a separate frontend and backend in haproxy for Dex (port 5554) and the message then changes to:
oidc_authenticate_user: the URL hostname (ondemand000.example.org) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ondemand.example.org): the "state" and "session" cookies will not be shared between the two!
We also have an OnDemand 1.7 server which works fine with haproxy but that doesn’t have Dex and the hostname is the same as the haproxy (ondemand.example.org), if that makes a difference. The HAProxy is version 1.8.
Thanks for the hint, I wasn’t able to access the page although the port was open in the firewall. I’ve had to switch to a test proxy server for now but managed to solve it, so here’s what I did in case it helps anyone.
I got the openid-configuration page in the browser by adjusting haproxy.cfg but it was still giving a curl error in the httpd log when accessing the proxy base url due to the self-signed cert.
Once the certificate was fixed the following error came up again:
haproxy.example.org_error_ssl.log:
[Wed Dec 22 12:37:06.104516 2021] [auth_openidc:error] [pid 14632] [client <haproxy-ip:33596] oidc_authenticate_user: the URL hostname (ondemand000.example.org) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (haproxy.example.org): the "state" and "session" cookies will not be shared between the two!
To fix it I had to change /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf and adjust the OIDCRedirectURI to:
That brings up a page with the error Bad request Unregistered redirect_uri ("https://haproxy-test.example.org/oidc").
The RedirectURIs options had to be adjusted as well in /etc/ood/dex/config.yaml:
Login page comes up and the only issue remaining was logout which needed the following change in /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf:
Were these changes meant to be handled automatically with the logout_redirect variable in ood_portal.yml? I still need to switch back to the production haproxy but no issues come up.
Also here’s the haproxy frontend/backend config for reference:
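Added example, not part of the posts above and not Open OnDemand code: a small Python check for the two failures seen in this thread, that the hostname in `OIDCRedirectURI` matches the hostname users reach through the proxy, and that the same URI is listed under `redirectURIs` in the Dex config. The function names, the client id and the config snippets are constructed for illustration; only the hostnames and the `/oidc` path come from the messages quoted above.

```python
import re
from urllib.parse import urlsplit

def apache_redirect_uri(conf_text):
    """Value of the mod_auth_openidc OIDCRedirectURI directive, or None."""
    m = re.search(r'^\s*OIDCRedirectURI\s+"?([^"\s]+)', conf_text, re.M)
    return m.group(1) if m else None

def dex_redirect_uris(yaml_text):
    """URIs listed under any 'redirectURIs:' key (line scan, not a YAML parser)."""
    uris, in_list = [], False
    for line in yaml_text.splitlines():
        item = line.strip()
        if item.startswith("redirectURIs:"):
            in_list = True
        elif in_list and item.startswith("- ") and "://" in item:
            uris.append(item[2:].strip().strip("'\""))
        elif item:
            in_list = False
    return uris

def check(public_host, conf_text, yaml_text):
    """Return findings; an empty list means both sides agree."""
    uri = apache_redirect_uri(conf_text)
    if uri is None:
        return ["OIDCRedirectURI is not set"]
    findings = []
    host = urlsplit(uri).hostname
    if host != public_host.lower():
        findings.append(f"hostname mismatch: OIDCRedirectURI uses {host}, users access {public_host}")
    if uri not in dex_redirect_uris(yaml_text):
        findings.append(f"unregistered redirect_uri: {uri} is not in Dex redirectURIs")
    return findings

# Constructed samples using the hostnames quoted in the thread.
PUBLIC_HOST = "haproxy-test.example.org"
CONF_OLD = "OIDCRedirectURI https://ondemand000.example.org/oidc\n"
CONF_NEW = "OIDCRedirectURI https://haproxy-test.example.org/oidc\n"
DEX_OLD = "staticClients:\n- id: ondemand\n  redirectURIs:\n  - https://ondemand000.example.org/oidc\n  name: OnDemand\n"
DEX_NEW = DEX_OLD.replace("ondemand000", "haproxy-test")

if __name__ == "__main__":
    for label, conf, dex in [("original", CONF_OLD, DEX_OLD),
                             ("portal fixed only", CONF_NEW, DEX_OLD),
                             ("both fixed", CONF_NEW, DEX_NEW)]:
        print(label, "->", check(PUBLIC_HOST, conf, dex) or "consistent")
```

The three cases follow the order of errors in the thread: the hostname mismatch logged by mod_auth_openidc, then Dex's "Unregistered redirect_uri" once only the portal config was changed, then a clean result with both files updated.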