Issuer, resource, and redirect URL correctness behind a proxy

Behind Fly, NGINX, a CDN, or any reverse proxy, the request the application sees is not the request the client sent: the scheme is often plain HTTP after TLS termination, and the Host header may be an internal name. OAuth and OIDC URL correctness depends on the canonical, client-visible host and scheme, not on whatever reached the application socket.

Why this matters

The issuer (iss) is minted into every token and published in the discovery documents (RFC 8414 §2). It MUST be the canonical https URL clients use. Deriving it from a live request behind a proxy can leak an internal host or an http scheme.
The DPoP htu (RFC 9449 §4.3) is the URL the client signed. If the server computes htu from a proxied request it may not match what the client signed, and valid proofs are rejected.
Redirect URIs are exact-matched (RFC 6749 §3.1.2.3). A host/scheme mismatch breaks the match.

Configure the canonical identity, not the request

AttestoPhoenix.Config:

:issuer - set this to the fixed canonical https issuer URL. The library derives the discovery issuer and the advertised endpoint URLs from it (via the :oauth_path_prefix / per-endpoint path resolvers), so it never needs to reconstruct the host from a request. This is stable behind any TLS terminator.
:trusted_proxies - the list of trusted proxy CIDRs/IPs that controls whether X-Forwarded-* headers are honored. Default [] (no forwarded trust): nothing is taken from a Forwarded / X-Forwarded-* header unless the immediate peer is in this list. Set it to your proxy's address range so forwarded scheme/host are trusted only from your proxy and never from an arbitrary client.
:require_https - keep this true (the default) in production so the endpoints enforce HTTPS.
:htu - (conn -> canonical_url_string). When the default derivation from :trusted_proxies is not enough (an unusual proxy chain, a host rewrite), override exactly how the DPoP htu is computed. Return the canonical URL the client would have signed.

Checklist

[ ] :issuer is the fixed canonical https URL (no internal host).
[ ] :trusted_proxies lists your proxy's address range, nothing wider.
[ ] :require_https is true.
[ ] Advertised endpoint paths match the mount via :oauth_path_prefix (see
```
the consumer migration guide).
```
[ ] If proofs are rejected behind the proxy, set :htu to return the
```
canonical signed URL.
```

← Previous Page Migrating to Attesto from Boruta or a custom OAuth provider

Next Page → DPoP replay and nonce stores in production