[GH-ISSUE #749] OIDC Frontend JavaScript Bug: Incorrect Authorization URL Construction with Microsoft Entra ID #5119

Closed
opened 2026-04-22 00:23:08 -05:00 by GiteaMirror · 2 comments

Originally created by @brandonleegit on GitHub (Aug 20, 2025).
Original GitHub issue: https://github.com/moghtech/komodo/issues/749

Environment

  • Komodo Version: v1.19.0
  • Platform: Docker Compose
  • OIDC Provider: Microsoft Entra ID
  • Browser: Multiple browsers
  • Operating System: Docker container installation of Komodo

Description

The OIDC login frontend is constructing incorrect authorization URLs by mixing the KOMODO_HOST with parts of the OIDC provider URL, causing authentication failures with Microsoft Entra ID.

Expected Behavior

When clicking the OIDC button, the browser should redirect to:

https://login.microsoftonline.com/[TENANT-ID]/oauth2/v2.0/authorize?...

Actual Behavior

The browser redirects to this malformed URL instead:

https://[MY-KOMODO-HOST]/[TENANT-ID]/oauth2/v2.0/authorize?...

Notice how the hostname is [MY-KOMODO-HOST] (my KOMODO_HOST) instead of login.microsoftonline.com.

Configuration

OIDC Configuration (tried both approaches):

Environment Variables:

KOMODO_OIDC_ENABLED=true
KOMODO_OIDC_PROVIDER=https://login.microsoftonline.com/[TENANT-ID]/v2.0
KOMODO_OIDC_REDIRECT_HOST=https://[MY-KOMODO-HOST]
KOMODO_OIDC_CLIENT_ID=[CLIENT-ID]
KOMODO_OIDC_CLIENT_SECRET=[CLIENT-SECRET]
KOMODO_OIDC_SCOPE=openid profile email

TOML Config File:

host = "https://[MY-KOMODO-HOST]"
oidc_enabled = true
oidc_provider = "https://login.microsoftonline.com/[TENANT-ID]/v2.0"
oidc_redirect_host = "https://[MY-KOMODO-HOST]"
oidc_client_id = "[CLIENT-ID]"
oidc_client_secret = "[CLIENT-SECRET]"
oidc_scope = "openid profile email"

Backend Logs (Successful OIDC Initialization)

2025-08-20T16:27:52.957824Z  INFO core: CoreConfig { ..., oidc_enabled: true, oidc_provider: "https://login.microsoftonline.com/[TENANT-ID]/v2.0", oidc_redirect_host: "https://[MY-KOMODO-HOST]", oidc_client_id: "##############", oidc_client_secret: "##############", ... }
2025-08-20T16:27:53.493296Z  INFO core::api::auth: 🔑 OIDC Login Enabled

No backend errors - the OIDC client initializes successfully.

Steps to Reproduce

  1. Configure Komodo with Microsoft Entra ID OIDC settings
  2. Navigate to Komodo login page
  3. Click the "OIDC" button
  4. Observe the malformed URL in the browser address bar
  5. Page "blinks" and stays on login page instead of redirecting to Microsoft

Additional Context

  • The backend configuration is correct (no OIDC initialization errors)
  • Microsoft's OIDC discovery endpoint is accessible and returns correct URLs
  • The issue appears to be in the frontend JavaScript that constructs the authorization URL
  • Similar issue reported in #165 with different OIDC provider
  • Tested with both environment variables and TOML config - same result

Verification

I verified Microsoft's OIDC endpoint returns the correct authorization endpoint:

curl -s "https://login.microsoftonline.com/[TENANT-ID]/v2.0/.well-known/openid-configuration" | grep authorization_endpoint

# Returns: "authorization_endpoint":"https://login.microsoftonline.com/[TENANT-ID]/oauth2/v2.0/authorize"

Impact

This bug prevents OIDC authentication with Microsoft Entra ID, which is a common enterprise identity provider.

Potential Root Cause

The frontend JavaScript appears to be incorrectly using the KOMODO_HOST as the base URL instead of the OIDC provider's domain when constructing the authorization URL.


@brandonleegit commented on GitHub (Aug 20, 2025):

Workaround

As a temporary workaround, I was able to use a Traefik reverse proxy to redirect the malformed URLs to the correct Microsoft endpoints:

# Traefik labels for docker-compose.yml core service
labels:
  # OIDC Redirect Workaround
  "traefik.http.routers.komodo-oidc-fix.rule": "Host(`[MY-KOMODO-HOST]`) && PathPrefix(`/[TENANT-ID]/oauth2/v2.0/authorize`)"
  "traefik.http.routers.komodo-oidc-fix.entrypoints": "websecure"
  "traefik.http.routers.komodo-oidc-fix.tls.certresolver": "[CERT-RESOLVER]"
  "traefik.http.routers.komodo-oidc-fix.priority": "100"
  "traefik.http.routers.komodo-oidc-fix.middlewares": "oidc-redirect"
  
  # OIDC Redirect Middleware
  "traefik.http.middlewares.oidc-redirect.redirectregex.regex": "https://[MY-KOMODO-HOST]/[TENANT-ID]/oauth2/v2\\.0/authorize"
  "traefik.http.middlewares.oidc-redirect.redirectregex.replacement": "https://login.microsoftonline.com/[TENANT-ID]/oauth2/v2.0/authorize"
  "traefik.http.middlewares.oidc-redirect.redirectregex.permanent": "false"

This workaround successfully redirects the malformed URLs to the correct Microsoft Entra ID authorization endpoint, allowing OIDC authentication to work properly.


@mbecker20 commented on GitHub (Aug 28, 2025):

See https://github.com/moghtech/komodo/issues/445#issuecomment-3164971889


Reference: github-starred/komodo#5119