
OIDC Redirect URL can't contain fragments with Google

Open timwsuqld opened this issue 2 years ago • 6 comments

Trying to use Google OIDC and end up with a security error from Google

Error 400: invalid_request

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.

The validation rules are at https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation

It states that we can't have a fragment in the URL, so I think it's the /#callback part of the redirect URL that's the problem. Google would prefer something like /callback or even just /. I notice on app.netbird.io the Google login ends up with the redirect URL as https://login.netbird.io/login/callback so with auth0 in the mix it ends up with the correct redirect for Google. It would be good if we can have a "safe" redirect URL for Google directly

timwsuqld avatar Oct 11 '22 07:10 timwsuqld
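As an added example (not NetBird dashboard code, and not posted by anyone in this thread), the following checks a candidate redirect URI against the validation rules on the Google page linked above, so a self-hoster can test a value before entering it in the Google console. The rule list is my reading of that page (HTTPS except for localhost, no raw IP hosts except loopback, no fragment, no wildcard, no userinfo, no path traversal, no invalid percent-encoding, no non-printable characters); the function name and the example URIs are assumptions of mine, and the `/#callback` input mirrors the redirect URI quoted in the issue.

```javascript
// Added example: validate a redirect URI against Google's OAuth 2.0 web-server
// client rules. Rule list is my reading of
// https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
// -- consult that page for the authoritative wording. Not NetBird code.

// Hosts Google exempts from the HTTPS and raw-IP rules (loopback only).
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// IPv4 dotted quad, or a bracketed IPv6 literal as URL.hostname renders it.
function isRawIp(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || /^\[.*\]$/.test(host);
}

// Returns { ok, problems } where problems lists every rule the URI breaks.
function validateGoogleRedirectUri(uri) {
  const problems = [];

  // Checks on the raw string: the WHATWG URL parser normalises away
  // "/../", drops an empty "#", and tolerates bad percent escapes, so these
  // must be inspected before parsing.
  if (uri.includes("#")) problems.push("contains a URL fragment (e.g. /#callback)");
  if (uri.includes("*")) problems.push("contains a wildcard character");
  if (/[\x00-\x1f\x7f]/.test(uri)) problems.push("contains non-printable ASCII or null characters");
  if (/(\/|\\|%2f|%5c)(\.\.|%2e%2e|\.%2e|%2e\.)/i.test(uri)) problems.push("contains path traversal ('/..')");
  if (/%(?![0-9a-f]{2})/i.test(uri)) problems.push("contains an invalid percent encoding");

  let url;
  try {
    url = new URL(uri);
  } catch {
    problems.push("not an absolute URL");
    return { ok: false, problems };
  }

  const loopback = LOOPBACK.has(url.hostname);
  if (url.protocol !== "https:" && !loopback) {
    problems.push(`scheme must be https for non-localhost hosts (got ${url.protocol})`);
  }
  if (!loopback && isRawIp(url.hostname)) problems.push("host is a raw IP address");
  if (url.username || url.password) problems.push("contains a userinfo subcomponent");

  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: the fragment-style URI from this issue and the
// path-style one that Google accepts.
const SAMPLES = [
  "https://xxxxx/#callback",
  "https://login.netbird.io/login/callback",
];

for (const s of SAMPLES) {
  const r = validateGoogleRedirectUri(s);
  console.log(s, r.ok ? "OK" : "REJECTED: " + r.problems.join("; "));
}
```

A rejected result means Google will answer the authorization request with the `Error 400: invalid_request` page shown at the top of this issue rather than ever calling the redirect URI, so fixing the URI is a precondition for the rest of the login flow.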

Hello @timwsuqld we just merged a fix for that. You can now set AUTH_REDIRECT_URI and AUTH_SILENT_REDIRECT_URI variables in your docker-compose.yml to define the proper redirect URIs.

These variables should be set to an existing path in our dashboard, and they shouldn't be the same (oidc lib bug). e.g.:

AUTH_REDIRECT_URI=/peers
AUTH_SILENT_REDIRECT_URI=/add-peer 

besides that, these URIs should be allowed in Google's configuration

mlsmaycon avatar Oct 12 '22 10:10 mlsmaycon

@mlsmaycon, I am unable to get this working in my setup. Here is a snippet from my docker-compose.

    dashboard:
      image: wiretrustee/dashboard:main
      restart: unless-stopped
      ports:
        - 80:80
        - 443:443
      environment:
        - AUTH_AUDIENCE=xxxxx
        - AUTH_CLIENT_ID=xxxxx
        - AUTH_AUTHORITY=https://xxxxx
        - USE_AUTH0=false
        - AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
        - NETBIRD_MGMT_API_ENDPOINT=https://xxxxx:33073
        - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://xxxxx:33073
        - NGINX_SSL_PORT=443
        - LETSENCRYPT_DOMAIN=xxxxx
        - LETSENCRYPT_EMAIL=xxxxx
        - AUTH_SILENT_REDIRECT_URI=/add-peer
        - AUTH_REDIRECT_URI=/peers

But my OIDC server is still getting sent a request with the # included.

    Processing by Oauth::AuthorizationsController#new as HTML
      Parameters: {"redirect_uri"=>"https://xxxxx/#callback",

Any ideas?

MichaelSFP avatar Oct 12 '22 13:10 MichaelSFP

@MichaelSFP did you pull the latest docker image?

mlsmaycon avatar Oct 12 '22 13:10 mlsmaycon

Ah, that was it. I thought I had already done that, but accidentally pulled the signal image rather than dashboard.

Thanks!

MichaelSFP avatar Oct 12 '22 13:10 MichaelSFP

Google OIDC is having some more issues (as discussed in Slack):

- AUTH_AUDIENCE needs to be the same value as AUTH_CLIENT_ID
- AUTH_SUPPORTED_SCOPES=openid profile email

            - AUTH_AUDIENCE=CLIENT_ID_VALUE
            - AUTH_CLIENT_ID=CLIENT_ID_VALUE
            - AUTH_AUTHORITY=https://accounts.google.com
            - AUTH_REDIRECT_URI=/peers
            - AUTH_SILENT_REDIRECT_URI=/add-peer
            - USE_AUTH0=false
            - AUTH_SUPPORTED_SCOPES=openid profile email

And then in the exchange code for token request, we still need a client_secret (which makes it not really a secret, because the SPA has access to it). https://github.com/AxaGuilDEv/react-oidc/blob/master/packages/react/src/configurations.ts#L67 shows details from react-oidc.

timwsuqld avatar Oct 12 '22 13:10 timwsuqld

@mlsmaycon have you had a chance to fix up the client_secret part for the code to token exchange part of OIDC for Google?

timwsuqld avatar Oct 17 '22 02:10 timwsuqld