This is an expected behavior and to get it to work, we need to set security.oidc.calculate-return-endpoint to true, and make sure that the Host header is set properly by the reverse-proxy if there is one.
If this configuration property is set to true then the Spotfire Server will, for the purpose of OIDC authentication at least, ignore the configured public address and instead try to determine it based on the request.
Here are the instructions:
1. Export currently used
configuration from the Spotfire database.
2. To export, either login to uiconfig.bat file (uiconfig.sh on Linux) which is located in the <Installation dir>\tomcat\spotfire-bin directory OR execute CLI command
export-config 3. Open exported server configuration from given location in text or xml editor and search for <oidc> tag.
4. Add the line <calculate-return-endpoint>true</calculate-return-endpoint> tag as below:
<configuration>
...
<security>
...
<oidc>
<enabled>true</enabled>
<calculate-return-endpoint>true</calculate-return-endpoint>
<providers>
...
</providers>
</oidc>
...
</security>
...
</configuration>
5. Save the changes and import the configuration back to the database, either using uiconfig tool or use
import-config command
6. Restart the Spotfire Server
7. After successful server startup message in catalina logs, try opening the Spotfire Server url in browser