Website port is not used for redirect

[Hadatko]

Describe the bug
A clear and concise description of what the bug is.

Hi, i am using custom https port and keycloack for sso. When i used standard https port 443 everything worked well. Now i moved to 8443 so my website is https://foo.bar.eu:8443

But redirect_uri is still using https://foo.bar.eu.

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.
redirect_uri=https://foo.bar.eu:8443

Screenshots
If applicable, add screenshots to help explain your problem.

Configuration
Add your plugin configuration XML file here formatted as code (with three backticks surrounding the text), or as an upload to a pastebin service.

Versions (please complete the following information):

• OS: [e.g. Linux]
• Browser: [e.g. chrome, safari]
• Jellyfin Version: [e.g. 10.8 Alpha 4] 10.9.7
• Plugin Version: [e.g. 2.0.1.0 or a Git tag] 3.5.2.0

Additional context
Add any other context about the problem here. Was the plugin built from source?

jellyfin is running in docker and i am using Nginx Proxy Manager.

[Hadatko]

This issue is same for newer version

[9p4]

Is your reverse proxy sending x-forwarded-port? Please send me your reverse proxy configuration.

[Hadatko]

# ------------------------------------------------------------
# foo.bar.eu
# ------------------------------------------------------------

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "192.168.1.120";
  set $port           8096;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name foo.bar.eu;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-39/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-39/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /data/logs/proxy-host-16_access.log proxy;
  error_log /data/logs/proxy-host-16_error.log warn;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy.conf;
}

[9p4]

I also will need to see the contents of those includes.

[Elivis-AI]

Identical problem. My Jellyfin server is behind a reverse proxy (npm). npm configuration is set as default.
And 'redirect_uri' lacked port.
Additional: error exists only if jellyfin server is behind a reverse proxy. I believe the problem is in the configuration of proxy.

[Elivis-AI]

Update: add an additional item to make manual set redirect uri available in plugin should fix the bug.
I ran jellyfin and npm at the same docker network, and in nmp configuration the proxy_pass was docker alias name http://jellyfin-docker:port, while redirect uri changed to https://jellyfin-docker/sso/OID/redirect/...

Solved: manually set proxy_set_header Host <your_public_domain>:<public_port>; in nginx configuration, and everything works well.

[9p4]

Again, are any of your reverse proxies sending x-forwarded-port?

[Elivis-AI]

Yes, but I don't think it's handled correctly.
Part of my nginx configuration (works well):

    location / {
        proxy_pass      http://jellyfin-docker:8086/;
        proxy_set_header Host <my_public_domain>:<public_port>; # you will get an error with this commented

        proxy_set_header X-Forwarded-Host <my_public_domain>; 
        proxy_set_header X-Forwarded-Port  <public_port>;  # doesn't work
        proxy_set_header X-Forwarded-Proto $forward_scheme;
        proxy_set_header X-Forwarded-Scheme $forward_scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;

        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }

redirect_uri will be https://<my_public_domain>:<public_port>/sso/OID/redirect/authentik (correct).

Controlled Experiment:
Remain x-forwarded settings only.

        proxy_pass      http://jellyfin-docker:8086/;
        # proxy_set_header Host <my_public_domain>:<public_port>; # you will get an error with this commented

        proxy_set_header X-Forwarded-Host <my_public_domain>; 
        proxy_set_header X-Forwarded-Port  <public_port>;  # doesn't work
        proxy_set_header X-Forwarded-Proto $forward_scheme;
        proxy_set_header X-Forwarded-Scheme $forward_scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;

        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }

redirect_uriwill be https://jellyfin-docker:8096/sso/OID/redirect/authentik (error).

[Hadatko]

@Elivis-AI sounds good but if i set HOST manually my site is not reachable ;/

[9p4]

May be an issue somewhere around here

jellyfin-plugin-sso/SSO-Auth/Api/SSOController.cs

Line 1074 in b8e56ce

if ((requestPort == 80 && string.Equals(Request.Scheme, "http", StringComparison.OrdinalIgnoreCase)) || (requestPort == 443 && string.Equals(Request.Scheme, "https", StringComparison.OrdinalIgnoreCase)))