Description
What problem did you meet?
Description
I would like to run the Go server with the Logto SDK behind a reverse proxy.
Currently, I am using Firebase Hosting and rewriting some paths to a Cloud Run service where my Go server is running.
- Frontend: my-firebase-hosting.web.app (on Firebase Hosting)
- Backend: my-go-app-with-logto.run.app (on Cloud Run)
The Go server fails at the VerifyAndParseCodeFromCallbackUri step when it's running behind the reverse proxy, which means the frontend and backend have different hostnames.
During the callback process, the following error is logged:
error callback uri not match redirect uri
Steps to Reproduce
- The frontend is a Single Page Application (SPA) built with React Router.
- The backend is a Go server that implements Logto authentication (signin, callback, signout).
- The application works correctly in a local environment using Vite and its proxy.
- The issue occurs when the application is deployed to Firebase Hosting and Cloud Run.
Background
I noticed that in our React SPA using the Logto SDK, the access tokens are stored in localStorage.
We are building an enterprise application, and our customers have requested that we use secure, HTTP-only cookies for storing tokens to enhance security.
Describe what you'd like Logto to have
Support running behind a reverse proxy
I propose adding a configuration option to the Go SDK to support reverse proxy environments.
The SDK should have an option to trust X-Forwarded-Host and X-Forwarded-Proto headers when verifying the callback URI. This would resolve the error callback uri not match redirect uri error that occurs when the external (public) hostname differs from the internal service hostname.
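A sketch of the option proposed above, added here as an example using only `net/http`; it is not Logto SDK code and not part of the original issue. It honours `X-Forwarded-Host` and `X-Forwarded-Proto` only when the direct peer is a trusted proxy, then compares the rebuilt URL with the registered redirect URI. The names `trustedProxy`, `peerTrusted`, `externalURL` and `demo`, the `/callback` path and the CIDR are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Assumption: CIDR of the proxy allowed to set X-Forwarded-* (constructed value).
var trustedProxy = "10.0.0.0/8"

// peerTrusted reports whether the direct TCP peer lies inside trustedProxy.
func peerTrusted(remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	_, n, err := net.ParseCIDR(trustedProxy)
	return err == nil && n.Contains(net.ParseIP(host))
}

// externalURL rebuilds the public URL of r; forwarded headers count only from a trusted peer.
func externalURL(r *http.Request) string {
	scheme, host := "http", r.Host
	if r.TLS != nil {
		scheme = "https"
	}
	if peerTrusted(r.RemoteAddr) {
		if p := r.Header.Get("X-Forwarded-Proto"); p == "http" || p == "https" {
			scheme = p
		}
		if h := r.Header.Get("X-Forwarded-Host"); h != "" && !strings.ContainsAny(h, ", /\\@") {
			host = h
		}
	}
	return scheme + "://" + host + r.URL.RequestURI()
}

// demo builds a constructed callback request as the backend sees it and
// reports whether it matches the registered redirect URI (path is assumed).
func demo(remoteAddr, fwdHost, fwdProto string) bool {
	r, _ := http.NewRequest("GET", "http://my-go-app-with-logto.run.app/callback?code=abc&state=xyz", nil)
	r.RemoteAddr = remoteAddr
	r.Header.Set("X-Forwarded-Host", fwdHost)
	r.Header.Set("X-Forwarded-Proto", fwdProto)
	base, _, _ := strings.Cut(externalURL(r), "?")
	return base == "https://my-firebase-hosting.web.app/callback"
}

func main() { fmt.Println(demo("10.1.2.3:4431", "my-firebase-hosting.web.app", "https")) }
```

With the headers ignored (untrusted peer), the rebuilt URL carries the internal Cloud Run hostname and the comparison fails, which is the mismatch reported above; a trusted peer forwarding an unregistered host still fails the final comparison.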