Generated redirect_url is always http and not https

[kielerrr]

When loading https://myapp.com/protected it redirects to https://auth.my-fief-instance.com/authorize?response_type=code&client_id=XXXXXXX&redirect_uri=http%3A%2F%2Fmyapp.com/%2Fauth-callback&scope=openid

The problem is the redirect_uri is redirect_uri=http%3A%2F%2Fmyapp.com instead of redirect_uri=https%3A%2F%2Fmyapp.com

I'm not sure why its generating the redirect_uri as http, but i need it to be https

Here's my FastAPI code

class CustomFiefAuth(FiefAuth):  
    client: FiefAsync

    async def get_unauthorized_response(self, request: Request, response: Response):
        redirect_uri = request.url_for("auth_callback")  
        auth_url = await self.client.auth_url(redirect_uri, scope=["openid"])  
        raise HTTPException(
            status_code=status.HTTP_307_TEMPORARY_REDIRECT,  
            headers={"Location": str(auth_url)},
        )

FIEF_BASE_URL = "https://auth.my-fief-instance.com"
FIEF_CLIENT_ID = "XXXXXXXXXXXXXX"
FIEF_CLIENT_SECRET = "XXXXXXXXXXXXXXXXXXXX"

fief = FiefAsync(  
    FIEF_BASE_URL,
    FIEF_CLIENT_ID,
    FIEF_CLIENT_SECRET,
)

SESSION_COOKIE_NAME = "user_session"
scheme = APIKeyCookie(name=SESSION_COOKIE_NAME, auto_error=False)  
auth = CustomFiefAuth(fief, scheme)  
app = FastAPI()

@app.get("/auth-callback", name="auth_callback")  
async def auth_callback(request: Request, response: Response, code: str = Query(...)):
    redirect_uri = request.url_for("auth_callback")
    print(redirect_uri)
    print(redirect_uri)
    print(redirect_uri)
    tokens, _ = await fief.auth_callback(code, redirect_uri)  

    response = RedirectResponse(request.url_for("protected"))  
    response.set_cookie(  
        SESSION_COOKIE_NAME,
        tokens["access_token"],
        max_age=tokens["expires_in"],
        httponly=False,  
        secure=True,  
    )

    return response


@app.get("/protected", name="protected")
async def protected(
    user: FiefUserInfo = Depends(auth.current_user()),  
):
    return HTMLResponse(
        f"<h1>You are authenticated. Your user email is {user['email']}</h1>"
    )

[kielerrr]

I don't know if this is the best solution, but I solved this by hardcoding a string replace of http to https in CustomFiefAuth

class CustomFiefAuth(FiefAuth):  
    client: FiefAsync

    async def get_unauthorized_response(self, request: Request, response: Response):
        redirect_uri = request.url_for("auth_callback")
        redirect_uri = str(request.url_for("auth_callback"))
        secure_redirect_uri = redirect_uri.replace("http://", "https://")
        auth_url = await self.client.auth_url(secure_redirect_uri, scope=["openid"]) 
        raise HTTPException(
            status_code=status.HTTP_307_TEMPORARY_REDIRECT,  
            headers={"Location": str(auth_url)},
        )

[frankie567]

Since you serve your instance on HTTPS, I guess Fief is served behind a reverse proxy like Nginx or Traefik. In this context, you need to tell the Fief server to trust the forwarded headers coming from your proxy. Doing so, it'll generate correct URL in HTTPS.

Usually, the fix just involves to set this environment variable: FORWARDED_ALLOW_IPS=*

You can read more about it here: https://docs.fief.dev/self-hosting/deployment/ssl/

[kielerrr]

You are correct! It is running under Traefik. I did set FORWARDED_ALLOW_IPS=* but still had the issue.
I believe it's a deeper issue with my Traefik config.