samson
samson copied to clipboard
zendesk
redirect_uri_mismatch
hi all, we're running Samson as a Docker container behind HAProxy which also does SSL termination, the service is available as, let's say, http://deploy.dev.foo.com -- the following environment settings have been set:
DATABASE_URL: "sqlite3://db/development.sqlite"
DEFAULT_URL: "https://deploy.dev.foo.com"
SECRET_TOKEN: "whatever"
AUTH_GITHUB: "true"
GITHUB_TOKEN: "whatever"
GITHUB_ORGANIZATION: "foo"
GITHUB_ADMIN_TEAM: "foo"
GITHUB_CLIENT_ID: "whatever"
GITHUB_SECRET: "whatever"
# RAILS_ENV: "production"
# RACK_ENV: "production"
RAILS_ENV: "development"
RACK_ENV: "development"
FORCE_SSL: 1
after trying to log-in via GitHub we always get this error message: redirect_uri_mismatch | The redirect_uri MUST match the registered callback URL for this application. | https://developer.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch:
OAuth authentication has been set this way:
any suggestions? Thanks.
make sure haproxy passes on http_x_forwarded_proto so samson knows that it is actually running in https
did you try setting the authorization callback url to http ? otherwise try to hack oauth to tell you what the actual url was ... might be a good PR for oauth anyway ... I think I ran into this error too :/
the chain is haproxy -> nginx reverse proxy -> Samson, I have to check if header infos are forwarded.
I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS.
setting the auth url to http might work even if it is redirected
On Sat, Mar 17, 2018 at 8:11 AM, Ivo Marino [email protected] wrote:
I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-373927381, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ1giP6922saDMADzUG9VbjLAxAZKks5tfSe5gaJpZM4Su0TW .
@grosser just tested, running everything on HTTP only works, as soon as I use https://deploy.dev.foo.com I can't login.
I've checked the vars using Apache2 and PHP:
HTTP_X_REAL_IP => 192.168.120.1
HTTP_X_FORWARDED_FOR => xxx.xxx.xxx.xxx, 192.168.120.1
HTTP_X_FORWARDED_PROTO => https
HTTP_X_FORWARDED_SSL => off
HTTP_X_FORWARDED_PORT => 80
this is basically just another container running on the same node where samson runs so what applies to this also applies to samson. Does Samson use HTTP_X_FORWARDED_PROTO or similar? I'm accessing this stuff via https://debug.dev.foo.com.
hmm I think the error comes from githubs side via oauth see omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:66
does it work when only setting the callback url to http ?
I think the issue comes from samson sending out a request like "hey call me back on http://" and then github say "nope!"
callback_url comes from omniauth-1.6.1/lib/omniauth/strategy.rb:410
so might be fixable by setting OmniAuth.config.full_host = "https://debug.dev.foo.com" in samsons config/initializers/omniauth.rb
let me know if that works ... might also be good to inspect the request env, it should be visible on that error page you saw ... check for HTTP_X_FORWARDED_PROTO
@grosser I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc?
the error page should show all the request env
if not add something like raise request.env.inspect to for example the
ping_controller.rb
On Mon, Mar 19, 2018 at 11:13 AM, Ivo Marino [email protected] wrote:
@grosser https://github.com/grosser I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374312728, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZwh6pab7Ib3RIl6suZI9V9GwXZmTks5tf_VdgaJpZM4Su0TW .
seems to work now, had to set auth URL to https://deploy.dev.foo.com/auth/github/callback and mount modified app/config/initializers/omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://deploy.dev.foo.com".
so that confirms it's an issue with the protocol not being passed through to puma ... I'd recommend fixing the underlying issue then to get get more surprises in the future ... I guess we need some readme docs for "you should forward protocol blabla" ...
On Mon, Mar 19, 2018 at 11:34 AM, Ivo Marino [email protected] wrote:
seems to work now, had to set auth URL to https://deploy.dev.foo.com/ auth/github/callback and mount modified app/config/initializers/ omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://debug.dev.foo.com".
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374319457, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ8GqLG59THUQovGwJUgVX3lcicRfks5tf_o-gaJpZM4Su0TW .
@grosser seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks
please post your results here for others with that setup :)
memcached is required atm will be opt-out with CACHE_STORE=memory once https://github.com/zendesk/samson/pull/2657 is merged in-memory store is just fine unless you restart samson a bunch of times :)
On Mon, Mar 19, 2018 at 11:48 AM, Ivo Marino [email protected] wrote:
@grosser https://github.com/grosser seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374323854, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ3qyDZpOWZChmqqernyz-jtoLvU2ks5tf_12gaJpZM4Su0TW .