OIDC issuer behind a proxy cannot be accessed

app/server/lib/OIDCConfig.ts

@@ -80,6 +80,7 @@ import { StringUnionError } from 'app/common/StringUnion';
 import { EnabledProtection, EnabledProtectionString, ProtectionsManager } from './oidc/Protections';
 import { SessionObj } from './BrowserSession';
 import { getOriginUrl } from './requestUtils';
+import { proxyAgent } from './ProxyAgent';
 
 const CALLBACK_URL = '/oauth2/callback';
 
@@ -180,7 +181,9 @@ export class OIDCConfig {
     this._protectionManager = new ProtectionsManager(enabledProtections);
 
     this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
+    const agent = proxyAgent(new URL(issuerUrl));
     custom.setHttpOptionsDefaults({
+      ...(agent !== undefined ? {agent} : {}),
       ...(httpTimeout !== undefined ? {timeout: httpTimeout} : {}),
     });
     await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata });

test/server/lib/OIDCConfig.ts

@@ -10,6 +10,7 @@ import express from "express";
 import _ from "lodash";
 import {RequestWithLogin} from "app/server/lib/Authorizer";
 import { SendAppPageFunction } from "app/server/lib/sendAppPage";
+import {HttpProxyAgent} from "http-proxy-agent";
 
 const NOOPED_SEND_APP_PAGE: SendAppPageFunction = () => Promise.resolve();
 
@@ -197,7 +198,7 @@ describe('OIDCConfig', () => {
       [
         {
           itMsg: 'when omitted should not override openid-client default value',
-          expectedUserDefinedHttpOptions: {}
+          expectedUserDefinedHttpOptions: { }
         },
         {
           itMsg: 'should reject when the provided value is not a number',
@@ -241,6 +242,37 @@ describe('OIDCConfig', () => {
         });
       });
     });
+
+    describe('GRIST_HTTPS_PROXY', function () {
+      const proxyURL = 'http://localhost-proxy:8080';
+      const httpAgent = new HttpProxyAgent(proxyURL);
+      [
+          {
+            itMsg: 'when omitted should not set proxyAgent to oidc-client',
+            expectedUserDefinedHttpOptions: { }
+          },
+          {
+            itMsg: 'should add proxyAgent to openid-client',
+            env: {
+              GRIST_HTTPS_PROXY: proxyURL,
+            },
+            expectedUserDefinedHttpOptions: {
+              agent: httpAgent
+            }
+          }
+        ].forEach(ctx => {
+          it(ctx.itMsg, async () => {
+            const setHttpOptionsDefaultsStub = sandbox.stub(custom, 'setHttpOptionsDefaults');
+            setEnvVars();
+            Object.assign(process.env, ctx.env);
+            const promise = OIDCConfigStubbed.buildWithStub();
+            await assert.isFulfilled(promise, 'initOIDC should have been fulfilled');
+            assert.isTrue(setHttpOptionsDefaultsStub.calledOnce, 'Should have called custom.setHttpOptionsDefaults');
+            const actualHttpOptions = _.omit(setHttpOptionsDefaultsStub.firstCall.args[0], 'agent.callback');
+            assert.deepEqual(actualHttpOptions, ctx.expectedUserDefinedHttpOptions);
+          });
+        });
+    });
   });
 
   describe('GRIST_OIDC_IDP_ENABLED_PROTECTIONS', () => {