Force https:// in discovery response and ID token's issuer

[alecpl]

I know this is more of a Laravel general setting/problem, but would it be possible to force https:// in DiscoveryController?

There are url() and route() calls that all return http://, but I need them to be https://.

All URIs MUST use https:// according to the protocol spec. So, I think it should be enforced in your code.

There's also a code in IdTokenResponse::getBuilder() that would need to return https:// for the $issuer.

BTW: URL::forceScheme('https'); does not fix issuer in IdTokeResponse, which might be a bug in itself.

[alecpl]

This issue has been fixed.

However, we found that $_SERVER['HTTP_HOST'] is not a most reliable source. The Host: header is optional in HTTP/2 and HTTP/3. Also, as far as I see Laravel nowhere in its code base uses it.

I think we should replace our use of $_SERVER['HTTP_HOST'] with something like Symfony\Component\HttpFoundation\Request::createFromGlobals()->getHost(). This component is Laravel's dependency so we should be good. Additional win is that it does not include the port.

[alecpl]

This may be even more complicated. When using Laravel Octane with Swoole $_SERVER['HTTP_HOST'] is not set. Also, the potential solution from my previous comment does not work.

[christiaangoossens]

@alecpl I agree that in all production setups HTTPS should be used, but I don't like libraries assuming your development setup does too. I would like to see an option to disable HTTPS on development, either by boolean flag, config var, checking the env etc.

If you are concerned about if users will enable it correctly on production, feel free to add a persistent warning with an explanation of the spec on every server run in development.