SSO Redirection - Connection Refused error #22

Open
vijiv6190 opened this issue Nov 9, 2023 · 2 comments

Comments

@vijiv6190

Hi,

I have an OpenIDC configuration to add SSO before redirection. It is getting a successful response from SSO, and while redirecting to the proxy pass URL I am facing the connection refused error below. Can you please suggest if I am missing any configuration?

Note: No connection issue while performing proxy pass without SSO.

    OpenIDCConfig redirect_uri=<uri>;
    OpenIDCProvider file /etc/nginx/openidc_duo.json;
    OpenIDCClient string client_id=<Client_id>&client_secret=<client secret>&scope=openid%20profile&token_endpoint_auth_method=client_secret_basic ssl_verify=true;
    OpenIDCClaim sub $pfc_claim_sub;
    proxy_set_header AUTH_USER $pfc_claim_sub;

The location has the proxy pass configuration below:

    location /uri
    {
        proxy_pass <proxy_pass_url>;
        proxy_set_header Origin "";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
    }

2023/11/09 15:16:44 [error] 242395#0: *3070 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xxx.xx, server: , request: "GET /uri/?code=484dbdbb7a144370ae3852feb4779130&state=cbbdfce20cd631a2 HTTP/1.1", upstream: "http://xxx.xxx.xxx:xxx/?code=484dbdbb7a144370ae3852feb4779130&state=cbbdfce20cd631a2", host: "xx.xx.xxx.xx"

@zandbelt
Member

zandbelt commented Nov 9, 2023

It seems you're encountering an unintended side effect of combining proxy_pass with the redirect_uri location; you may have to configure the redirect URI to a value that is not proxied, e.g. /redirect_uri, or, perhaps better, leave it to the default setting /openid-connect/redirect_uri.
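
A log check for the symptom described above, as an added example that is not part of the original thread or the project's code: it flags nginx error-log lines in which an authorization response (both `code` and `state` in the query string) was forwarded to the `proxy_pass` upstream. The sample log lines, addresses and parameter values are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pulls the client request target and the upstream URL out of an nginx error-log line.
FIELDS = re.compile(
    r'request: "(?P<method>\S+) (?P<target>\S+) [^"]*", upstream: "(?P<upstream>[^"]+)"'
)
# Query parameters of an OIDC authorization response delivered to the redirect URI.
OIDC_PARAMS = {"code", "state"}

# Constructed sample lines (documentation addresses, placeholder code/state values).
SAMPLE_LOG = [
    '2023/11/09 15:16:44 [error] 1#0: *1 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 192.0.2.1, server: , '
    'request: "GET /uri/?code=EXAMPLECODE&state=EXAMPLESTATE HTTP/1.1", '
    'upstream: "http://192.0.2.10:8080/?code=EXAMPLECODE&state=EXAMPLESTATE", host: "192.0.2.20"',
    '2023/11/09 15:17:02 [error] 1#0: *2 connect() failed (111: Connection refused) '
    'while connecting to upstream, client: 192.0.2.1, server: , '
    'request: "GET /uri/report?page=2 HTTP/1.1", '
    'upstream: "http://192.0.2.10:8080/report?page=2", host: "192.0.2.20"',
]


def proxied_callback(line):
    """Return details if an authorization response was passed upstream, else None."""
    m = FIELDS.search(line)
    if not m:
        return None
    upstream = urlsplit(m["upstream"])
    seen = OIDC_PARAMS & set(parse_qs(upstream.query))
    if seen != OIDC_PARAMS:
        return None  # ordinary proxied request, not an OIDC callback
    # Both parameters reached the backend: the callback was proxied rather than
    # handled at the redirect URI, and the authorization code was sent upstream.
    return {
        "client_path": urlsplit(m["target"]).path,
        "upstream_host": upstream.netloc,
        "params": sorted(seen),
    }


def scan(lines):
    """Collect every flagged line from an iterable of error-log lines."""
    return [hit for hit in map(proxied_callback, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("callback proxied upstream:", hit)
```
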

@vijiv6190
Author

vijiv6190 commented Nov 9, 2023

With the default setting /openid-connect/redirect_uri, can I achieve proxy_pass? What would be the configuration for that?
