I am fighting the dreaded
400 Bad Request Error: The ‘redirect_uri’ parameter must be a Login redirect URI in the client app settings
My Maven parent is spring-boot-starter-parent 3.3.2 and I’ve declared okta-spring-boot-starter 3.0.7 as a dependency.
My SecurityFilterChain is pretty basic. I want everything to be behind Okta auth.
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(request -> {
            request.anyRequest().authenticated();
        });
    return http.build();
}
I reference my Okta dev instance in application.properties by grabbing some env vars
okta.oauth2.issuer=${OKTA_OAUTH2_ISSUER}
okta.oauth2.client-id=${OKTA_OAUTH2_CLIENT_ID}
okta.oauth2.client-secret=${OKTA_OAUTH2_CLIENT_SECRET}
I’ve set my /etc/hosts to resolve host.example.com locally. I have a self-signed cert configured in nginx acting as a proxy from 443 to 8080 (hitting the embedded Tomcat when I run mvn spring-boot:run). Nginx has
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
Without adding anything else to the application.properties, I get the 400 Bad Request.
The auth request looks like this
https://dev-123.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=0oa17jj7ynbeTaYdu358&scope=profile%20email%20openid&state=tfgsC7n780VTw8TnVSRSJlqu0YsOGZ-Kvna-5wNrPuE%3D&redirect_uri=http://host.example.com/login/oauth2/code/okta&nonce=V4KLEc61ilI9MYID63a4mL-EnqWZNU2_6pVp03BFw4Q
Note that the redirect_uri starts with ‘http’ and not ‘https’
redirect_uri=http://host.example.com/login/oauth2/code/okta
The redirect URI is configured in the Okta application as
https://host.example.com/login/oauth2/code/okta
If I add this to the application.properties
okta.oauth2.redirect-uri=https://host.example.com/login/oauth2/code/okta
The auth request looks like
https://dev-123.okta.com/oauth2/default/v1/authorize?response_type=code&client_id=0oa17jj7ynbeTaYdu358&scope=profile%20email%20openid&state=3bRWZaxN3a95U3Qyo4EP-qwl6u3WCuFiYsBEmv4CVlQ%3D&redirect_uri=http://host.example.comhttps://host.example.com/login/oauth2/code/okta&nonce=WKLay4fDwIZwQdK7tuGKx1tmpZPz_V1HOLkHaXIc6Hc
Note the two different URLs concatenated in the redirect_uri
redirect_uri=http://host.example.comhttps://host.example.com/login/oauth2/code/okta
The second one is correct. This behaves like it really only wanted the path for okta.oauth2.redirect-uri and prepended a base URL. Unfortunately, the base URL is ‘http’ and not ‘https’.
Now, if I take that out of the application.properties and drop in
server.forward-headers-strategy=native
IT WORKS! I get a proper redirect_uri
redirect_uri=https://host.example.com/login/oauth2/code/okta
and I’m able to auth into the app.
The problem I’m having is that I can’t get this to work on the AWS EC2 instance. When I take this exact same application.properties, with the exact same nginx config, deploy the WAR to a full Tomcat instance, and wire everything up for the real DNS and SSL cert, I get the same 400 Bad Request again.
It takes me right back to the same behavior I saw when I had nothing extra in the application.properties file. I get ‘http’ instead of ‘https’.
redirect_uri=http://host.example.com/login/oauth2/code/okta
Now I am wondering if this problem is a header issue further upstream in AWS, or if I might have luck trying okta.oauth2.redirect-uri again but figuring out if there’s a way to set whatever that base URL is.
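The redirect_uri in each of the authorize requests above is Spring Security's default template `{baseUrl}/{action}/oauth2/code/{registrationId}` with `{baseUrl}` filled in from what the application believes its own scheme and host to be. Behind a TLS-terminating proxy that belief is only correct if the X-Forwarded-Proto/X-Forwarded-Host headers are honored, and they should only be honored when they come from a trusted proxy, otherwise any client can dictate the scheme and host the app uses to build URLs. Two caveats a practitioner should keep in mind: `server.forward-headers-strategy=native` delegates this work to the servlet container, and Spring Boot only configures the embedded Tomcat's RemoteIpValve for that, so a WAR deployed to a standalone Tomcat needs the valve configured in that Tomcat's own server.xml (or the `framework` strategy, which registers Spring's ForwardedHeaderFilter); and an additional hop in front of nginx can strip or overwrite the X-Forwarded-* headers, in which case there is nothing left to honor. The following added example is not code from the post, from Spring or from Okta. It is a simplified Python model of the scheme/host/port resolution ForwardedHeaderFilter and RemoteIpValve perform, with a trusted-proxy gate, and reproduces the three redirect_uri values seen in the post. The header dictionaries, peer addresses and trusted ranges are constructed for the demonstration, and the final scenario assumes the starter prepends `{baseUrl}` to the configured redirect-uri, which is what the concatenated value in the post suggests rather than a documented fact.

```python
"""Forwarded-header resolution for an OAuth2 redirect_uri behind a reverse proxy.

Added example (not Spring/Okta code): models how {baseUrl} is derived from
X-Forwarded-* headers when, and only when, a trusted proxy sent them.
All header values, addresses and ranges below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Mapping, Optional

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed: peers whose X-Forwarded-* headers are believed (cf. RemoteIpValve internalProxies).
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]
# Spring Security's default redirect-uri template; action is "login" for the code flow.
DEFAULT_REDIRECT_TEMPLATE = "{baseUrl}/{action}/oauth2/code/{registrationId}"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; for comma-separated lists keep the first hop's value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(",")[0].strip()
    return None


def _split_host_port(hostport: str):
    """Split 'host[:port]'; a bracketed IPv6 literal is kept whole."""
    if hostport.startswith("["):
        close = hostport.find("]")
        rest = hostport[close + 1:]
        return hostport[:close + 1], (int(rest[1:]) if rest.startswith(":") else None)
    if hostport.count(":") == 1:
        host, port = hostport.rsplit(":", 1)
        return host, int(port)
    return hostport, None


def resolve_base_url(headers, peer_ip, connection_scheme="http", honor_forwarded=True):
    """Return the {baseUrl} the application would compute.

    honor_forwarded=False models forward-headers-strategy=none: scheme comes from the
    proxy->app hop (plain http) and host from the Host header. With honor_forwarded=True
    the X-Forwarded-* headers win, but only if the sending peer is a trusted proxy.
    """
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    scheme = connection_scheme
    hostport = _header(headers, "Host") or ""
    port_override = None
    if honor_forwarded and trusted:
        scheme = (_header(headers, "X-Forwarded-Proto") or scheme).lower()
        hostport = _header(headers, "X-Forwarded-Host") or hostport
        fwd_port = _header(headers, "X-Forwarded-Port")
        port_override = int(fwd_port) if fwd_port else None
    host, port = _split_host_port(hostport)
    if port_override is not None:
        port = port_override
    if port is None or port == DEFAULT_PORTS.get(scheme):  # drop the scheme's default port
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def expand_redirect_uri(template, base_url, registration_id, action="login"):
    """Fill Spring's {baseUrl}, {action} and {registrationId} placeholders."""
    return (template.replace("{baseUrl}", base_url)
            .replace("{action}", action)
            .replace("{registrationId}", registration_id))


# Constructed: what the nginx config in the post sends to Tomcat for one request.
NGINX_HEADERS = {
    "Host": "host.example.com",
    "X-Real-IP": "203.0.113.7",
    "X-Forwarded-Host": "host.example.com:443",
    "X-Forwarded-Server": "host.example.com",
    "X-Forwarded-For": "203.0.113.7",
    "X-Forwarded-Proto": "https",
}


def demo() -> Dict[str, str]:
    """redirect_uri under the post's scenarios plus the trusted-peer and stripped-header cases."""
    reg, out = "okta", {}
    # 1) forwarded headers ignored -> http scheme, the value Okta rejects with a 400
    base = resolve_base_url(NGINX_HEADERS, "127.0.0.1", honor_forwarded=False)
    out["ignored"] = expand_redirect_uri(DEFAULT_REDIRECT_TEMPLATE, base, reg)
    # 2) honored from the local nginx -> https, and :443 disappears as the default port
    base = resolve_base_url(NGINX_HEADERS, "127.0.0.1")
    out["honored"] = expand_redirect_uri(DEFAULT_REDIRECT_TEMPLATE, base, reg)
    # 3) identical headers from an untrusted peer -> ignored, so a client cannot spoof them
    base = resolve_base_url(NGINX_HEADERS, "198.51.100.9")
    out["untrusted_peer"] = expand_redirect_uri(DEFAULT_REDIRECT_TEMPLATE, base, reg)
    # 4) an upstream hop stripped X-Forwarded-* -> nothing to honor, back to http
    base = resolve_base_url({"Host": "host.example.com"}, "127.0.0.1")
    out["stripped_upstream"] = expand_redirect_uri(DEFAULT_REDIRECT_TEMPLATE, base, reg)
    # 5) assumed mechanism: a full URL where a path was expected gets {baseUrl} prepended
    base = resolve_base_url(NGINX_HEADERS, "127.0.0.1", honor_forwarded=False)
    out["full_url_in_template"] = expand_redirect_uri(
        "{baseUrl}https://host.example.com/login/oauth2/code/okta", base, reg)
    return out


if __name__ == "__main__":
    for name, uri in demo().items():
        print(f"{name:22} redirect_uri={uri}")
```

When debugging the EC2 deployment, the fourth scenario is the one to rule out first: log the X-Forwarded-Proto and X-Forwarded-Host values as they arrive at Tomcat (nginx's `$http_x_forwarded_proto` in its access log, or a request-logging filter in the app) and confirm they still say `https` and the public hostname; if they do, the remaining difference between `mvn spring-boot:run` and the standalone Tomcat is who is configured to honor them.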