Adding SOCIAL_AUTH_REDIRECT_IS_HTTPS, to enable use of HTTPS protocol when redirecting after login using social auth.#13614
… when redirecting after login.
…hen using helm to docs (docs/content/en/customize_dojo/user_management/configure_sso.md).
Done.
valentijnscholten
left a comment
Sorry to hijack the PR, but I reworded the docs text to align with how we describe these in other places. Thanks for the PR and sharing this solution!
| @@ -511,7 +511,7 @@ If during the login process you get the following error: *The | |||
| in the client app settings.* and the `redirect_uri` HTTP | |||
| GET parameter starts with `http://` instead of | |||
| `https://` you need to add | |||
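Review bot: the condition in this hunk is the right way round for the setting and should stay as "`http://` instead of `https://`": the redirect_uri sent to the provider carries `http://` when Django sees the request over plain HTTP (for example with DD_SECURE_SSL_REDIRECT set to False behind a TLS-terminating ingress), and SOCIAL_AUTH_REDIRECT_IS_HTTPS=True is what rewrites it to `https://`. The line naming the setting is not visible in the hunk, so make sure the doc spells out DD_SOCIAL_AUTH_REDIRECT_IS_HTTPS=True and mentions that the library default is False, since that is the mismatch the reader is debugging.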
The wording does not fit the setting.
and the redirect_uri HTTP
GET parameter starts with https:// instead of
http:// you need to add (because the DD_SOCIAL_AUTH_REDIRECT_IS_HTTPS=(bool, False))
And shouldn't we make this setting always True just because DefectDojo is a security tool?
And shouldn't we make this setting always True just because DefectDojo is a security tool?
No, as the default is false from the lib. We want to avoid potentially breaking SSO for some folks.
… when redirecting after login using social auth. (DefectDojo#13614)
* Adding SOCIAL_AUTH_REDIRECT_IS_HTTPS, to enable use of HTTPS protocol when redirecting after login.
* Adding description about how to setup SOCIAL_AUTH_REDIRECT_IS_HTTPS when using helm to docs (docs/content/en/customize_dojo/user_management/configure_sso.md).
* Adding description about how to setup SOCIAL_AUTH_REDIRECT_IS_HTTPS when using helm to docs (docs/content/en/customize_dojo/user_management/configure_sso.md).
* Apply suggestion from @valentijnscholten
---------
Co-authored-by: Marcel Horner <marcel.horner@stefanini.com>
Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
Description
When setting up DD_SECURE_SSL_REDIRECT to False and Azure auth, after login the redirect uses the HTTP protocol by default. To enable DefectDojo to redirect with the HTTPS protocol after login, which is required by Azure, we need to set SOCIAL_AUTH_REDIRECT_IS_HTTPS to True in the Django framework.
This change adds DD_SOCIAL_AUTH_REDIRECT_IS_HTTPS to defectdojo\dojo\settings\settings.dist.py, making it possible to set SOCIAL_AUTH_REDIRECT_IS_HTTPS in the Django framework.
Test results
I have a DefectDojo installation on a Kubernetes cluster. It was installed with helm and the helm values file has the DD_SECURE_SSL_REDIRECT: "False" config. After setting up auth on Azure I got an error about the redirect not matching the Azure config.
After adding the SOCIAL_AUTH_REDIRECT_IS_HTTPS var to defectdojo\dojo\settings\settings.dist.py and setting it to True in the helm values file, the Azure auth process worked.
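To make the failure mode described above concrete, here is an added example (not DefectDojo's or social-auth's own code) that models how the redirect_uri is built from what Django sees behind a TLS-terminating ingress, how SOCIAL_AUTH_REDIRECT_IS_HTTPS rewrites its scheme, and the exact-match check an identity provider applies against its registered redirect URIs. The hostname and the `/complete/azuread-tenant-oauth2/` callback path are constructed sample values, not taken from this PR.

```python
from urllib.parse import urlsplit, urlunsplit


def build_redirect_uri(scheme, host, path, redirect_is_https):
    """Build the absolute redirect_uri from the scheme/host Django observed.

    With DD_SECURE_SSL_REDIRECT=False behind an ingress that terminates TLS,
    Django may see scheme="http" even though the browser used https. When
    redirect_is_https is True the http:// prefix is rewritten to https://,
    which is the effect of setting SOCIAL_AUTH_REDIRECT_IS_HTTPS=True.
    """
    uri = urlunsplit((scheme, host, path, "", ""))
    if redirect_is_https and uri.startswith("http://"):
        uri = "https://" + uri[len("http://"):]
    return uri


def redirect_uri_registered(redirect_uri, registered_uris):
    """Exact-match check: scheme, host and path must all equal one
    registered redirect URI, which is why an http:// URI is rejected when
    only the https:// one is registered at the provider."""
    want = urlsplit(redirect_uri)
    for reg in registered_uris:
        got = urlsplit(reg)
        if (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path):
            return True
    return False


# Constructed sample: the URI registered at the provider (placeholder host).
REGISTERED = ["https://defectdojo.example.internal/complete/azuread-tenant-oauth2/"]


def demo(redirect_is_https):
    """Return (redirect_uri, accepted) for a request Django saw over http."""
    uri = build_redirect_uri("http", "defectdojo.example.internal",
                             "/complete/azuread-tenant-oauth2/", redirect_is_https)
    return uri, redirect_uri_registered(uri, REGISTERED)


if __name__ == "__main__":
    for flag in (False, True):
        uri, ok = demo(flag)
        print(f"REDIRECT_IS_HTTPS={flag}: {uri} -> {'accepted' if ok else 'rejected'}")
```

Running it shows the rejected `http://` redirect_uri with the setting off and the accepted `https://` one with it on, which is the mismatch error the Test results section describes.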