
Wrong provider selected with simultaneously active oauth flows?

Open gerdint opened this issue 9 months ago • 0 comments

I have two providers configured (Google and FB, config passed through aero at runtime):

```clojure
{:google
 {:authorize-uri "https://accounts.google.com/o/oauth2/auth"
  :access-token-uri "https://oauth2.googleapis.com/token"
  :client-id #profile {:dev  "<<id>>"
                       :prod "<<id>>"}
  :client-secret #env GOOGLE_OAUTH2_CLIENT_SECRET
  :scopes ["openid" "profile" "email"]
  :launch-uri "/oauth/login/google"
  ;; N.B: Relative URL redirects to HTTP due to proxy forwarding
  :redirect-uri #profile {:dev "/oauth/google/callback"
                          ;; Force HTTPS
                          :prod "https://my.app/oauth/google/callback"}
  ;; Use absolute URL to load-balancer in order to get XFWD headers
  :landing-uri #profile {:dev "http://localhost:3000/oauth/done/google"
                         :prod "https://my.app/oauth/done/google"}
  :display-name "Google"}
 :facebook
 {:authorize-uri "https://www.facebook.com/v17.0/dialog/oauth"
  :access-token-uri "https://graph.facebook.com/v17.0/oauth/access_token"
  :client-id #profile {:dev "<<id>>"
                       :test "<<id>>"
                       :prod "<<id>>"}
  :client-secret #profile {:dev #env FACEBOOK_OAUTH2_APP_DEV_SECRET
                           :test #env FACEBOOK_OAUTH2_APP_DEV_SECRET
                           :prod #env FACEBOOK_OAUTH2_APP_SECRET}
  :scopes ["openid" "email"]
  :launch-uri "/oauth/login/facebook"
  :redirect-uri #profile {:dev "http://localhost:3000/oauth/facebook/callback"
                          ;; Force HTTPS
                          :prod "https://my.app//oauth/facebook/callback"}
  :landing-uri #profile {:dev "http://localhost:3000/oauth/done/facebook"
                         :prod "https://my.app//oauth/done/facebook"}
  :display-name "Facebook"}}
```

As long as users stick to one provider only, things work fine. But when trying to authorize through (say) Facebook while still being authorized through Google, ring-oauth2 sometimes (?) seems to put the wrong provider under the request's :oauth2/access-tokens key while still redirecting to the Facebook landing URI.

Am I misunderstanding how the interaction between multiple providers is supposed to work? This case seems less complicated than the ones described in issue #52, though it may be a symptom of the same underlying issue? If I delete the whole session manually before starting the second authorization flow, things seem to work, but I'd like to understand why.

gerdint · Mar 24 '25 15:03
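To make the interleaving in the report concrete, here is an added example (my own pure-data sketch, not ring-oauth2's code) of two ways a Ring-style session can hold the OAuth2 `state` nonce while a Google flow and a Facebook flow are both in progress. It assumes, for illustration only, that the weak layout keeps one session-wide state slot; the keyed layout stores one nonce per provider id.

```clojure
(ns oauth-state-demo
  (:import [java.util UUID]))

;; Constructed model of a Ring session map; no HTTP, no real provider.
;; A launch mints a state nonce and records it in the session; a callback
;; compares the nonce that came back on the query string with the stored
;; one before any token is written under :oauth2/access-tokens.

(defn- fresh-state [] (str (UUID/randomUUID)))

;; --- Variant A (assumed weak layout): one shared slot ------------------
(defn launch-shared [session provider-id]
  (let [s (fresh-state)]
    {:session (assoc session ::state s ::provider provider-id)
     :state s}))

(defn callback-shared [session provider-id state]
  (if (and (= state (::state session)) (= provider-id (::provider session)))
    {:session (-> session
                  (dissoc ::state ::provider)
                  (assoc-in [:oauth2/access-tokens provider-id]
                            {:token "constructed-token"}))
     :status :ok}
    {:session session :status :state-mismatch}))

;; --- Variant B: one nonce per provider id ------------------------------
(defn launch-keyed [session provider-id]
  (let [s (fresh-state)]
    {:session (assoc-in session [::states provider-id] s)
     :state s}))

(defn callback-keyed [session provider-id state]
  (if (= state (get-in session [::states provider-id]))
    {:session (-> session
                  (update ::states dissoc provider-id)
                  (assoc-in [:oauth2/access-tokens provider-id]
                            {:token "constructed-token"}))
     :status :ok}
    {:session session :status :state-mismatch}))

;; Launch Google, then Facebook, then let the *Google* callback arrive.
;; Returns [callback-status provider-ids-that-received-a-token].
(defn interleaved [launch callback]
  (let [{s1 :session g :state}   (launch {} :google)
        {s2 :session}            (launch s1 :facebook)
        {:keys [status session]} (callback s2 :google g)]
    [status (keys (:oauth2/access-tokens session))]))

(comment
  (interleaved launch-shared callback-shared)
  (interleaved launch-keyed callback-keyed))
```

With the shared slot the second launch overwrites the first nonce, so the Google callback fails the state check and no token is stored; with the keyed layout the same sequence verifies and stores a token for `:google` only, which is the behaviour to look for when checking how the session is being written in the two-provider case.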