The redirect url is not being considered wso2 identity server - wso2-identity-server

Despite sending the redirect URL, it doesn't work. Instead of redirecting to my domain, it redirects to the domain where WSO2 is hosted. What can be happening?

Related

Set-Cookie blocked because Domain

My API and my frontend are hosted on render.com but at different subdomains. When I log in, my API sends a cookie with SameSite=None, Secure=true and the frontend domain. But Chrome refused to set the cookie and blocked it. How to handle this situation? What am I missing?

Using Cloudflare as a proxy prevents cookies being stored in browser

I'll attach an image to illustrate what I'm looking to do:
Note: The above photo should say "Redirect to HTTPS"
To preface, the following is the technology stack:
DNS: GoDaddy
Proxy: Cloudflare
Client: React app hosted on Heroku
Server: Flask API hosted on Heroku
The flow, at least to my understanding, is this:
User enters in domain.com in browser and GoDaddy forwards all traffic to Cloudflare so that the site is viewed securely
Cloudflare then forwards the traffic to where the client is hosted
Once client is loaded, it makes a request to the server to receive a CSRF token. The CSRF token is generated by a method within flask-wtf. A session is created in the server and in the response, the CSRF token is attached to the header
Here things get weird
Since the response received on the client never had the CSRF token attached to the header and no cookie was set on the browser, I would assume that the response goes to Cloudflare before the response hits the client. As a result, the CSRF token is never received. Not sure why this is the case. But after a bit of research, I've discovered that Cloudflare does this by default.
It seems that a workaround would be to use Cloudflare Workers, but that seems only available if their DNS is being used. Ideally, I would like to stick with GoDaddy.
I was wondering if anyone else experienced this and found a different solution.

How to prevent redirects when proxying from AWS Api gateway to home server?

I have a domain registered through Route53 (mydomain.com), and an api gateway endpoint that uses that domain (with subdomain www) to proxy traffic to my home server (running apache/nginx) at keepsecret.ddns.net. This works for simple requests like www.mydomain.com/foo/index.html. However, this setup will often result in redirects. For example, if you go to www.mydomain.com/foo/ then you'll be redirected to keepsecret.ddns.net/foo/index.html.
Is there a way to set something in the AWS console to prevent such redirects (i.e. so that the url always stays on www.mydomain.com and keeps my home IP Address hidden), or is this something I have to handle in my nginx/apache config?

AWS ALB OIDC authentication cookie domain issue

I have an AWS CloudFront hosted webpage which takes static pages from S3 and makes calls to a custom origin (ALB) for dynamic data. There is OIDC authentication enabled on the ALB, so calls to the custom origin (my API) pass via rules set at the ALB.
In a particular case, when my request to the custom origin is unauthenticated, I am redirected to the IdP for login, and after successful login I get the cookie in the response header. As this request was sent to the IdP from the ALB, the issued cookie has the ALB DNS as its domain. In order for my webpage to use this cookie I have to redirect the call to the CloudFront URL. Now the cookie was issued to the ALB, which has a different DNS, and my CloudFront URL has a different DNS, therefore I am unable to use the cookie.
I tried to catch the cookie value, but because it is issued for a different domain I am unable to catch hold of it; also, as a part of design, I feel that is wrong. Has someone faced a similar type of issue?
AWS ALB OIDC sets the session cookie for the same request host domain for which you configure the authentication action in the listener rules.
Also, they set an HTTP-only secure cookie, meaning you cannot access it via client-side JavaScript at all.
Considering this along with your setup, it seems you actually need a (tiny) backend for your web page, so that you can access the response cookie when you make the API call to the mentioned custom origin internally from this backend.

https redirect custom domain google app engine

I have a custom domain in Google App Engine. I have everything OK.
But when it does the redirection, it redirects to the HTTP domain, not the HTTPS domain. If I change the domain manually to HTTPS, it works.
The domain is in Google domain.