Proxy Configuration

This content is for v8.x. Switch to the latest version for up-to-date documentation.

Running oidc-provider on Node.js behind a TLS-offloading proxy is the norm. For the downstream application to know the original protocol and IP address, you must tell it to trust the x-forwarded-proto and x-forwarded-for headers commonly set by those proxies (as with any express/koa application). This is needed for the authorization server's responses to be correct, e.g. to advertise the right https endpoint URLs and to keep the right (secure) protocol.

Depending on your setup, do the following in your downstream application code:

| setup | example |
| --- | --- |
| standalone oidc-provider | provider.proxy = true |
| oidc-provider mounted to an express application | provider.proxy = true |
| oidc-provider mounted to a connect application | provider.proxy = true |
| oidc-provider mounted to a koa application | yourKoaApp.proxy = true |
| oidc-provider mounted to a fastify application | provider.proxy = true |
| oidc-provider mounted to a hapi application | provider.proxy = true |
| oidc-provider mounted to a nest application | provider.proxy = true |

The web server doing the offloading must also pass those headers to the downstream application. Here is a common configuration for Nginx (assuming the downstream application is listening on 127.0.0.1:8009). Your configuration may vary; please consult your web server documentation for details.

location / {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_pass http://127.0.0.1:8009;
  proxy_redirect off;
}
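
The effect of the proxy setting, shown as an added example that is not oidc-provider's or Koa's own code: a simplified model of how a Node.js application resolves the protocol and client IP from the headers the Nginx configuration above sets. The hostname, client address and the /auth path are constructed sample values, and all function names are hypothetical.

```javascript
// Added illustration: a simplified model of forwarded-header resolution,
// not oidc-provider's or Koa's source code.

// Proxies may chain values as "a, b"; use the first element.
function firstValue(header) {
  const raw = Array.isArray(header) ? header.join(',') : header;
  if (typeof raw !== 'string') return undefined;
  const first = raw.split(',')[0].trim();
  return first === '' ? undefined : first;
}

// What the application sees for a request, with and without proxy trust.
function resolveRequest(req, trustProxy) {
  const socketProto = req.socket.encrypted ? 'https' : 'http';
  const socketIp = req.socket.remoteAddress;
  if (!trustProxy) return { protocol: socketProto, ip: socketIp };
  const proto = firstValue(req.headers['x-forwarded-proto']);
  return {
    // Accept only the two expected schemes; otherwise fall back to the socket.
    protocol: proto === 'https' || proto === 'http' ? proto : socketProto,
    ip: firstValue(req.headers['x-forwarded-for']) || socketIp,
  };
}

// Absolute URL the server would advertise for one of its endpoints.
function endpointUrl(req, trustProxy, path) {
  const { protocol } = resolveRequest(req, trustProxy);
  return `${protocol}://${req.headers.host}${path}`;
}

// Forwarded headers are only meaningful when the TCP peer is the proxy itself.
function isFromProxy(req, proxyAddresses) {
  return proxyAddresses.includes(req.socket.remoteAddress);
}

// Constructed sample: a request as the Nginx block above would forward it.
const forwarded = {
  headers: {
    host: 'op.example.com',
    'x-real-ip': '203.0.113.7',
    'x-forwarded-for': '203.0.113.7',
    'x-forwarded-proto': 'https',
  },
  socket: { encrypted: false, remoteAddress: '127.0.0.1' },
};

console.log(endpointUrl(forwarded, false, '/auth'));
console.log(endpointUrl(forwarded, true, '/auth'));
console.log(resolveRequest(forwarded, true).ip, isFromProxy(forwarded, ['127.0.0.1']));
```

Once trust is enabled the headers are accepted as received, so the application should only be reachable through the proxy, as with the 127.0.0.1 listener assumed above.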