-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Okta | Use X-Forwarded-For
header to forward user's IP address
#2882
Conversation
X-Forwarded-For
header to forward users ip address …X-Forwarded-For
header to forward user's IP address
5af5f27
to
c58733a
Compare
export const defaultHeaders = { | ||
Accept: 'application/json', | ||
'Content-Type': 'application/json', | ||
export const defaultHeaders = (ip?: string) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the main change for the Okta API side, to convert defaultHeaders
to a function that takes the ip
const ProfileOpenIdClient = (ip?: string) => { | ||
const client = new OIDCIssuer.Client({ | ||
client_id: okta.clientId, | ||
client_secret: okta.clientSecret, | ||
redirect_uris: Object.values(ProfileOpenIdClientRedirectUris), | ||
}); | ||
|
||
// Make sure we forward the IP address to Okta by adding it to the headers in the library calls | ||
// https://github.com/panva/node-openid-client/blob/main/docs/README.md#customizing | ||
// eslint-disable-next-line functional/immutable-data | ||
client[custom.http_options] = (_, options) => { | ||
// Add the IP address to the headers | ||
const headers = options.headers || {}; | ||
if (ip) { | ||
// eslint-disable-next-line functional/immutable-data | ||
headers['X-Forwarded-For'] = ip; | ||
} | ||
|
||
return { | ||
...options, | ||
headers, | ||
}; | ||
}; | ||
|
||
return client as OpenIdClient; | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and the stuff in this file too for the openid-client
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
ddc9d5c
to
5e5b2a4
Compare
What does this change?
Okta support IP address forwarding if we're running Okta behind an reverse proxy, which we are with Fastly.
https://developer.okta.com/docs/reference/core-okta-api/#ip-address
We can use the
X-Forwarded-For
header to forward the user's IP address to Okta, which should mean that events in the system log, threat detection (based on ip), and rate limiting, should be specific to the user, rather than generic Fastly IP addresses.This PR adds the IP address and forwards to Okta where possible.
We may also need to make Gateway's public IP addresses in the allowlist in the okta's network security settings as a trusted proxy to forward the user's original IP address with the
X-Forwarded-For
HTTP header: https://github.com/guardian/identity-platform/pull/761We've also added the IP address to the routing logs, so we can use this to help debug issues by IP address, and tie the request id to an IP address making debugging easier.
e.g.
{"ip":"::ffff:127.0.0.1","level":"info","message":"GET, /signin","request_id":"283433f8-d6ed-4a5d-9928-a224ba41a75c"}
Tested