Univention Bugzilla – Bug 48898
OpenID-Connect with external DNS
Last modified: 2019-06-21 13:56:35 CEST
Currently it does not seem possible to run OpenID Connect under an external DNS name. Even if the endpoints described in the blog article (https://www.univention.de/blog-de/2018/12/openid-connect-provider) are accessible via the external DNS name, the user gets redirected to a URL with an internal DNS name: https://{internalFQDN}/signin/v1/identifier?flow=oidc&response_type=code&client_id=noiacwrziub&redirect_uri=https%3A%2F%2Flogin.schulmanager-online.de%2Foidc%2F358%2Fcallback&scope=openid%20email%20profile%20openid&state=wkGZ58OKSwNIJKdGWWHgPpg8 Unfortunately this cannot be resolved by the users.
As far as I understand the concept of OpenID, this limitation will notably reduce the usefulness of this app. Besides proof-of-concept style showcases (like the mentioned blog post), real-world scenarios may want to connect external OpenID clients to the OpenID Connect provider. This will currently only be possible if the machine running the OpenID app is *configured* with an externally resolvable hostname. At this time, the app will use the default from the "env" file, which is very hard to change afterwards:
...
ARGS=--iss=https://@%@hostname@%@.@%@domainname@%@
...
In my (project) experience, externally reachable SAML IdPs are a pretty common scenario. Of my projects that are looking to implement OpenID in some way, all are using external DNS with SAML at the moment.
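The symptom in this report (an issuer set to the internal FQDN, so every advertised endpoint and redirect carries a name external clients cannot resolve) is visible in the provider's discovery document before any login is attempted. The following script is an added example, not code from the Univention app, konnect, or this bug report: it parses a discovery document and lists every advertised URL whose host is not the expected external name. The sample document, the hostnames `ucs-master.intranet.example` and `login.example.org`, and the endpoint paths other than `/signin/v1/identifier` (which appears in the report) are constructed for the example; `fetch_discovery` is provided for use against a live provider and is not called when the script runs offline.

```python
"""Check that an OIDC provider advertises an externally resolvable issuer.

Added example (not from the Univention OpenID Connect app or this bug).
Sample data below is constructed; hostnames and most paths are hypothetical.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Discovery metadata keys that carry absolute URLs (OpenID Connect Discovery
# 1.0 plus end_session_endpoint from RP-Initiated Logout).
ENDPOINT_KEYS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)

# Constructed sample: what a provider started with
# --iss=https://<internal FQDN> would publish. Only /signin/v1/identifier
# is taken from the report; the other paths are hypothetical.
INTERNAL_HOST = "ucs-master.intranet.example"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://{INTERNAL_HOST}",
    "authorization_endpoint": f"https://{INTERNAL_HOST}/signin/v1/identifier",
    "token_endpoint": f"https://{INTERNAL_HOST}/oidc/token",
    "jwks_uri": f"https://{INTERNAL_HOST}/oidc/jwks.json",
    "response_types_supported": ["code"],
})


def fetch_discovery(issuer: str, timeout: float = 5.0) -> str:
    """Download the discovery document for `issuer` (network access; not
    used by the offline demonstration below)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urlopen(url, timeout=timeout) as resp:  # noqa: S310 (https only)
        return resp.read().decode("utf-8")


def check_discovery(document: str, expected_host: str) -> dict:
    """Return {metadata_key: url} for every advertised URL that is not an
    https URL on `expected_host`. An empty dict means every endpoint points
    at the externally resolvable name."""
    data = json.loads(document)
    expected = expected_host.lower()
    problems = {}
    for key in ENDPOINT_KEYS:
        url = data.get(key)
        if url is None:
            continue  # optional endpoint not advertised
        parsed = urlparse(url)
        # urlparse lowercases hostname; an http:// issuer is also a finding,
        # since OIDC requires https for the issuer and its endpoints.
        if parsed.scheme != "https" or parsed.hostname != expected:
            problems[key] = url
    return problems


if __name__ == "__main__":
    # Offline demonstration against the constructed document.
    for host in (INTERNAL_HOST, "login.example.org"):
        found = check_discovery(SAMPLE_DISCOVERY, host)
        status = "OK" if not found else f"{len(found)} endpoint(s) use another host"
        print(f"expected host {host}: {status}")
        for key, url in found.items():
            print(f"  {key}: {url}")
```

Run against the constructed document, the check passes for the internal name and reports all four advertised URLs when the expected host is the external one, which is exactly the state this report describes. Against a live provider, call `check_discovery(fetch_discovery(issuer), external_host)` with the issuer the external clients will be configured with; after the `--iss` setting is corrected, the result should be empty.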
The --iss parameter can now be controlled by an app setting. Tests can be done with app version 1.0 from the test app center.
Ok, works.
Fixed in app version 1.0-konnect-0.23.3 (openid-connect-provider_20190521163358)