omniauth-oauth2
Duplicate redirect_uri in Callback phase
Currently using Omniauth-oauth2 v1.8.0 (can't upgrade to 2.0 for IdentityServer reasons) and I've got this in my strategy:
```ruby
args %i[client_id client_secret client_scope]
option :name, 'my_provider'
option :client_options, {
  site: ENV.fetch('OAUTH_SERVER'),
  authorize_url: '/connect/authorize',
  redirect_uri: "#{ENV['APPLICATION_HOST']}/auth/my_provider/callback",
  token_url: '/connect/token'
}
```
When I have Debugging on, I see that the redirect_uri param is sent twice, resulting in invalid grant errors from our OAuth server.
```
20:37:18 web-ssl.1 | I, [2022-08-29T20:37:18.347420 #7842] INFO -- request: {"client_id"=>"my_client_id",
20:37:18 web-ssl.1 | "client_secret"=>"SECRET",
20:37:18 web-ssl.1 | "grant_type"=>"authorization_code",
20:37:18 web-ssl.1 | "code"=>"ABC123,
20:37:18 web-ssl.1 | "redirect_uri"=>"https://myapp.lvh.me:3000/auth/my_provider/callback",
20:37:18 web-ssl.1 | :redirect_uri=>"https://myapp.lvh.me:3000/auth/my_provider/callback"}
```
And IdentityServer warns me:
Invalid redirect_uri{ redirectUri = https://myapp.lvh.me:3000/auth/my_provider/callback,https://myapp.lvh.me:3000/auth/my_provider/callback, expectedRedirectUri = https://myapp.lvh.me:3000/auth/my_provider/callback },
"redirect_uri": "https://myapp.lvh.me:3000/auth/my_provider/callback,https://myapp.lvh.me:3000/auth/my_provider/callback"
If I take out the client_option, I get another separate issue where the callback URL is appending ?return_url=%2F which causes a different issue.
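
The duplicate visible in the debug log above, reproduced as an added example (not code from omniauth-oauth2 or from the reporter's strategy): a Ruby hash treats `"redirect_uri"` and `:redirect_uri` as different keys, so form-encoding emits the parameter twice. `duplicated_params` and `normalize_params` are hypothetical helper names, and the request values are constructed from the log.

```ruby
require 'uri'

# Constructed value mirroring the debug log in the report above.
CALLBACK = 'https://myapp.lvh.me:3000/auth/my_provider/callback'

# Token request params as logged: the same name once as a String key
# and once as a Symbol key. Ruby keeps both entries.
def token_request_as_logged
  {
    'client_id' => 'my_client_id',
    'grant_type' => 'authorization_code',
    'code' => 'ABC123',
    'redirect_uri' => CALLBACK,
    :redirect_uri => CALLBACK
  }
end

# Hypothetical helper: names that occur more than once in a form-encoded body.
def duplicated_params(encoded_body)
  URI.decode_www_form(encoded_body)
     .group_by(&:first)
     .select { |_name, pairs| pairs.size > 1 }
     .keys
end

# Hypothetical helper: collapse String/Symbol variants into one String key.
# Raises when the variants disagree, because silently picking one could
# hide a genuine redirect_uri mismatch.
def normalize_params(params)
  params.each_with_object({}) do |(key, value), out|
    name = key.to_s
    if out.key?(name) && out[name] != value
      raise ArgumentError, "conflicting values for #{name}"
    end
    out[name] = value
  end
end

raw_body = URI.encode_www_form(token_request_as_logged)
clean_body = URI.encode_www_form(normalize_params(token_request_as_logged))

puts "as logged:  duplicated = #{duplicated_params(raw_body).inspect}"
puts "normalized: duplicated = #{duplicated_params(clean_body).inspect}"
```

A check like `duplicated_params` fits in a test that captures the token request body, so a repeated `redirect_uri` is caught before the authorization server rejects the grant.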