Request is sent to localhost instead of correct url #313

Closed
2 tasks done
chaptergy opened this issue Nov 26, 2020 · 1 comment

chaptergy commented Nov 26, 2020

Describe the bug
Client sometimes sends a request to https://localhost even though the passed in URL is different (e.g. https://redacted.domain.com/auth)

To Reproduce
I have absolutely no idea how to reproduce this problem, since it sometimes happens and sometimes it doesn't while the calls are exactly identical. But once it happens it always happens.

Issuer Metadata
{
  claim_types_supported: [ 'normal' ],
  claims_parameter_supported: false,
  grant_types_supported: [
    'authorization_code',
    'implicit',
    'refresh_token',
    'password',
    'client_credentials'
  ],
  request_parameter_supported: true,
  request_uri_parameter_supported: true,
  require_request_uri_registration: false,
  response_modes_supported: [ 'query', 'fragment', 'form_post' ],
  token_endpoint_auth_methods_supported: [
    'private_key_jwt',
    'client_secret_basic',
    'client_secret_post',
    'tls_client_auth',
    'client_secret_jwt'
  ],
  issuer: 'https://redacted.domain.com/auth/realms/RedactedRealm',
  authorization_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/auth',
  token_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/token',
  token_introspection_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/token/introspect',
  userinfo_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/userinfo',
  end_session_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/logout',
  jwks_uri: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/certs',
  check_session_iframe: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/login-status-iframe.html',
  response_types_supported: [
    'code',
    'none',
    'id_token',
    'token',
    'id_token token',
    'code id_token',
    'code token',
    'code id_token token'
  ],
  subject_types_supported: [ 'public', 'pairwise' ],
  id_token_signing_alg_values_supported: [
    'PS384', 'ES384',
    'RS384', 'HS256',
    'HS512', 'ES256',
    'RS256', 'HS384',
    'ES512', 'PS256',
    'PS512', 'RS512'
  ],
  id_token_encryption_alg_values_supported: [ 'RSA-OAEP', 'RSA1_5' ],
  id_token_encryption_enc_values_supported: [ 'A128GCM', 'A128CBC-HS256' ],
  userinfo_signing_alg_values_supported: [
    'PS384', 'ES384',
    'RS384', 'HS256',
    'HS512', 'ES256',
    'RS256', 'HS384',
    'ES512', 'PS256',
    'PS512', 'RS512',
    'none'
  ],
  request_object_signing_alg_values_supported: [
    'PS384', 'ES384',
    'RS384', 'ES256',
    'RS256', 'ES512',
    'PS256', 'PS512',
    'RS512', 'none'
  ],
  registration_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/clients-registrations/openid-connect',
  token_endpoint_auth_signing_alg_values_supported: [
    'PS384', 'ES384',
    'RS384', 'ES256',
    'RS256', 'ES512',
    'PS256', 'PS512',
    'RS512'
  ],
  claims_supported: [
    'aud',
    'sub',
    'iss',
    'auth_time',
    'name',
    'given_name',
    'family_name',
    'preferred_username',
    'email',
    'acr'
  ],
  scopes_supported: [
    'openid',
    'Test_Scope_1',
    'address',
    'email',
    'offline_access',
    'phone',
    'profile',
    'role_list_oidc',
    'roles',
    'web-origins',
    'microprofile-jwt'
  ],
  code_challenge_methods_supported: [ 'plain', 'S256' ],
  tls_client_certificate_bound_access_tokens: true,
  introspection_endpoint: 'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/token/introspect',
  introspection_endpoint_auth_methods_supported: [
    'private_key_jwt',
    'client_secret_basic',
    'client_secret_post',
    'tls_client_auth',
    'client_secret_jwt'
  ],
  introspection_endpoint_auth_signing_alg_values_supported: [
    'PS384', 'ES384',
    'RS384', 'ES256',
    'RS256', 'ES512',
    'PS256', 'PS512',
    'RS512'
  ]
}
Client Metadata
{
  grant_types: [ 'authorization_code' ],
  id_token_signed_response_alg: 'RS256',
  authorization_signed_response_alg: 'RS256',
  response_types: [ 'code' ],
  token_endpoint_auth_method: 'client_secret_basic',
  client_id: 'redacted-client-id',
  client_secret: 'redacted-client-secret',
  introspection_endpoint_auth_method: 'client_secret_basic'
}

Issuer and client are created the following way:

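const { Issuer } = require('openid-client');

// Connection settings (contents elided in the report)
const conf = {...}
// Discover the issuer metadata from the realm's well-known endpoint
this.issuer = await Issuer.discover(
  `${conf.authServerUrl}/realms/${conf.realm}/.well-known/openid-configuration`
);
// Create a confidential client for the authorization code flow
this.client = new this.issuer.Client({
  client_id: conf.clientId,
  client_secret: conf.clientSecret,
  response_types: ['code'],
});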

The normal authentication works perfectly fine. The error just occurs sometimes when calling

await this.client.refresh(refreshToken);

Expected behaviour
The client should send a request to https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/token.

Actual behaviour
Sometimes the request is sent to https://localhost/[...], which fails because of course localhost is not SSL encrypted.

Environment:

  • openid-client version: v4.2.1
  • node version: v12.19.0

Additional context
Using the debugger I found the error might be happening with Node's ClientRequest within the got library. More specifically this line: https://github.com/sindresorhus/got/blob/fb5f791defdb6ddb3f01ac5142dde0538c84b864/source/core/index.ts#L2419
While url is still the correct value, and requestOptions also seem to be the correct value, the value of requestOrResponse has set the host attribute to localhost instead of the value of url.
fn is in my case equal to https.request, since options.cache is undefined, options.request is undefined and isHttps is true.

This means the protocol (https) is correctly passed through, however the rest of the url is not.

  • The bug is happening on latest openid-client too.
  • I have searched the issues tracker on GitHub for similar issues and couldn't find anything related.
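
The report above describes a request object whose `host` is `localhost` while the intended URL is the token endpoint, which would carry the refresh token and client secret to the wrong destination. The following is an added example, not part of the original issue or of openid-client or got: a guard that compares the intended URL with the fields on the request object and aborts on mismatch. `destinationMismatches`, `guardedRequest`, `healthyRequest` and `faultyRequest` are hypothetical names, and the two request functions are constructed stand-ins that perform no network I/O.

```javascript
// Added example: detect a request whose destination differs from the intended URL.
// Node's http.request defaults `host` to 'localhost' when it receives no host,
// which is why a dropped URL shows up as a request to localhost.

// Returns a list of mismatches between the intended URL and a request object that
// exposes `protocol`, `host` and `path` (fields present on http.ClientRequest).
function destinationMismatches(intendedUrl, req) {
  const want = new URL(intendedUrl);
  const problems = [];
  const gotHost = String(req.host || '').toLowerCase();
  if (gotHost !== want.hostname) {
    problems.push(`host: expected ${want.hostname}, request has ${gotHost || '(none)'}`);
  }
  if (req.protocol && req.protocol !== want.protocol) {
    problems.push(`protocol: expected ${want.protocol}, request has ${req.protocol}`);
  }
  const wantPath = want.pathname + want.search;
  if (req.path && req.path !== wantPath) {
    problems.push(`path: expected ${wantPath}, request has ${req.path}`);
  }
  return problems;
}

// Wraps a function with the shape of https.request(url, options). The request is
// destroyed and an error thrown before the caller can write credentials to it.
function guardedRequest(requestFn, intendedUrl, options = {}) {
  const req = requestFn(new URL(intendedUrl), options);
  const problems = destinationMismatches(intendedUrl, req);
  if (problems.length > 0) {
    if (typeof req.destroy === 'function') req.destroy();
    throw new Error(`refusing to send request: ${problems.join('; ')}`);
  }
  return req;
}

// Constructed stand-ins for the two behaviours in the report.
const TOKEN_URL =
  'https://redacted.domain.com/auth/realms/RedactedRealm/protocol/openid-connect/token';
const healthyRequest = (url) => ({
  protocol: url.protocol, host: url.hostname, path: url.pathname + url.search,
  destroy() {},
});
const faultyRequest = (url) => ({
  protocol: url.protocol, host: 'localhost', path: url.pathname + url.search,
  destroyed: false, destroy() { this.destroyed = true; },
});
```

Passing `https.request` as `requestFn` applies the same check to real requests; headers and body are only flushed on `write()`, `end()` or `flushHeaders()`, so destroying the request first keeps the refresh token and client secret off the wire.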

panva (Owner) commented Nov 26, 2020

#301 (comment)

panva closed this as completed Nov 26, 2020
github-actions bot locked and limited conversation to collaborators Feb 25, 2021