Description
Current Behavior
When you enable OIDC in Dependency Track behind an application proxy with session tracking (e.g. F5 BIG-IP APM), OIDC logons do not function properly. This is because the OIDC logon flow invokes the /.well-known/openid-configuration endpoint for the SSO IdP provider URL from the client, but does not include any cookies that the client browser currently has registered for that site.
Background:
I have a domain called example.com. I have dtrack.example.com and I have sso.example.com for Dependency Track and Keycloak respectively. When a user first logs into any application I proxy including Keycloak logons, they are required to fulfill the F5 APM policy evaluation first, which is a redirect to login.example.com/my.policy. Once the policy evaluation succeeds, the client browser is granted a domain cookie called MRHSession that is valid for all example.com access. The logon works without issue, and access to dtrack.example.com is permitted because this MRHSession cookie provided by the F5 is included in all browser requests for the domain example.com once issued. This is called domain cookie-ing. LDAP-based logons through form-based authentication continue to function with this configuration because the browser automatically includes the domain cookie when submitting the form.
Issue:
When OIDC is enabled in Dependency Track, the user gets a new logon option in the form of a button instead of the typical username+password logon form. This button, once pressed, invokes the openid-configuration endpoint from the client to the SSO IdP, which is sent without the domain cookie (MRHSession) that would allow it to bypass the F5 APM logon requirements. So the openid-configuration request gets redirected to the policy evaluation by the F5 as if it were an entirely new client session.
Proposed Behavior
OIDC logon functions correctly, because the openid-configuration endpoint request, and all subsequent requests of this nature, preserve all cookies eligible for the SSO provider URL, including ones valid for a lower-level domain in the hierarchy.
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this enhancement was already requested
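The behaviour described in this issue comes down to two browser rules: a cross-origin `fetch()` only attaches cookies when it is made with `credentials: "include"`, and a credentialed cross-origin response is only readable when the IdP (or the proxy in front of it) echoes the exact page origin and sets `Access-Control-Allow-Credentials: true`. The following is an added example, not code from the Dependency-Track project or from the reporter; it models those two rules over a constructed cookie jar. The hostnames, the `MRHSession` cookie and the `/my.policy` redirect are taken from the issue; the cookie values, the `JSESSIONID` cookie, the discovery path directly under `sso.example.com`, and all function names are assumptions made for illustration.

```javascript
// Added example (not Dependency-Track code): models which cookies a browser
// attaches to the cross-origin discovery fetch, what the F5 front door does
// when the session cookie is missing, and whether the page may read a
// credentialed CORS response.

// Constructed cookie jar as the browser would hold it after the F5 APM policy
// evaluation: MRHSession is a domain cookie for example.com (sent to every
// subdomain); JSESSIONID is a host-only cookie for dtrack.example.com.
const COOKIE_JAR = [
  { name: "MRHSession", value: "abc123", domain: "example.com", hostOnly: false, secure: true },
  { name: "JSESSIONID", value: "def456", domain: "dtrack.example.com", hostOnly: true, secure: true },
];

const PAGE_ORIGIN = "https://dtrack.example.com";
// Assumed discovery URL; a real IdP may serve it under a realm-specific path.
const DISCOVERY_URL = "https://sso.example.com/.well-known/openid-configuration";

// RFC 6265 section 5.1.3 domain matching: the host equals the cookie domain,
// or the host ends with "." followed by the cookie domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Cookies whose scope covers the request URL, before the credentials mode
// of the fetch is taken into account.
function eligibleCookies(jar, url) {
  const u = new URL(url);
  return jar.filter((c) => {
    if (c.secure && u.protocol !== "https:") return false;
    return c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain);
  });
}

// Cookie header the browser would actually send for fetch(url, { credentials }).
// The default mode "same-origin" drops every cookie on a cross-origin request,
// which is exactly the failure the issue describes for the discovery call.
function cookieHeaderFor(jar, pageOrigin, url, credentials = "same-origin") {
  if (credentials === "omit") return "";
  const sameOrigin = new URL(url).origin === pageOrigin;
  if (credentials === "same-origin" && !sameOrigin) return "";
  return eligibleCookies(jar, url).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed model of the F5 APM front door: without an MRHSession cookie the
// request is redirected to the policy evaluation page instead of being served.
function proxyDecision(cookieHeader) {
  const hasSession = cookieHeader.split("; ").some((kv) => kv.startsWith("MRHSession="));
  return hasSession
    ? { status: 200 }
    : { status: 302, location: "https://login.example.com/my.policy" };
}

// Check the browser applies to a credentialed cross-origin response: the
// origin must be echoed exactly (a wildcard is rejected) and credentials must
// be explicitly allowed, otherwise the page cannot read the discovery document.
function credentialedResponseReadable(pageOrigin, responseHeaders) {
  return (
    responseHeaders["access-control-allow-origin"] === pageOrigin &&
    responseHeaders["access-control-allow-credentials"] === "true"
  );
}

// Walk through the two cases the issue contrasts.
function demo() {
  const without = cookieHeaderFor(COOKIE_JAR, PAGE_ORIGIN, DISCOVERY_URL);
  const with_ = cookieHeaderFor(COOKIE_JAR, PAGE_ORIGIN, DISCOVERY_URL, "include");
  return {
    defaultMode: { cookie: without, proxy: proxyDecision(without) },
    includeMode: { cookie: with_, proxy: proxyDecision(with_) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The takeaway for the proposed behaviour is that preserving cookies is a client-side and a server-side change together: the discovery request has to be issued with `credentials: "include"`, and the IdP or the proxy answering for it has to return `Access-Control-Allow-Origin` set to the Dependency Track origin (not `*`) plus `Access-Control-Allow-Credentials: true`, or the browser will either withhold `MRHSession` or refuse to hand the response to the page. Because `dtrack.example.com` and `sso.example.com` share the registrable domain `example.com`, the request is same-site, so a `SameSite` attribute on the domain cookie does not stand in the way.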