redirect_uri_mismatch

[ivomarino]

hi all, we're running Samson as a Docker container behind HAProxy which also does SSL termination, the service is available as, let's say, http://deploy.dev.foo.com -- the following environment settings have been set:

        DATABASE_URL: "sqlite3://db/development.sqlite"
        DEFAULT_URL: "https://deploy.dev.foo.com"
        SECRET_TOKEN: "whatever"
        AUTH_GITHUB: "true"
        GITHUB_TOKEN: "whatever"
        GITHUB_ORGANIZATION: "foo"
        GITHUB_ADMIN_TEAM: "foo"
        GITHUB_CLIENT_ID: "whatever"
        GITHUB_SECRET: "whatever"
        # RAILS_ENV: "production"
        # RACK_ENV: "production"
        RAILS_ENV: "development"
        RACK_ENV: "development"
        FORCE_SSL: 1

after trying to log-in via GitHub we always get this error message: redirect_uri_mismatch | The redirect_uri MUST match the registered callback URL for this application. | https://developer.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch:

OAuth authentication has been set this way:

any suggestions? Thanks.

[grosser]

make sure haproxy passes on http_x_forwarded_proto so samson knows that it is actually running in https

did you try setting the authorization callback url to http ?
otherwise try to hack oauth to tell you what the actual url was ... might be a good PR for oauth anyway ... I think I ran into this error too :/

[ivomarino]

the chain is haproxy -> nginx reverse proxy -> Samson, I have to check if header infos are forwarded.

[ivomarino]

I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS.

[grosser]

setting the auth url to http might work even if it is redirected

…

On Sat, Mar 17, 2018 at 8:11 AM, Ivo Marino ***@***.***> wrote: I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#2654 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAsZ1giP6922saDMADzUG9VbjLAxAZKks5tfSe5gaJpZM4Su0TW> .

[ivomarino]

@grosser just tested, running everything on HTTP only works, as soon as I use https://deploy.dev.foo.com I can't login.

[ivomarino]

I've checked the vars using Apache2 and PHP:

HTTP_X_REAL_IP => 192.168.120.1 
HTTP_X_FORWARDED_FOR => xxx.xxx.xxx.xxx, 192.168.120.1 
HTTP_X_FORWARDED_PROTO => https 
HTTP_X_FORWARDED_SSL => off 
HTTP_X_FORWARDED_PORT => 80 

this is basically just another container running on the same node where samson runs so what applies to this also applies to samson. Does Samson use HTTP_X_FORWARDED_PROTO or similar? I'm accessing this stuff via https://debug.dev.foo.com.

[grosser]

hmm I think the error comes from githubs side via oauth
see omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:66

does it work when only setting the callback url to http ?

I think the issue comes from samson sending out a request like "hey call me back on http://" and then github say "nope!"

callback_url comes from omniauth-1.6.1/lib/omniauth/strategy.rb:410
so might be fixable by setting OmniAuth.config.full_host = "https://debug.dev.foo.com" in samsons config/initializers/omniauth.rb

let me know if that works ... might also be good to inspect the request env, it should be visible on that error page you saw ... check for HTTP_X_FORWARDED_PROTO

[ivomarino]

@grosser I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc?

[grosser]

the error page should show all the request env if not add something like `raise request.env.inspect` to for example the ping_controller.rb

…

On Mon, Mar 19, 2018 at 11:13 AM, Ivo Marino ***@***.***> wrote: @grosser <https://github.com/grosser> I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2654 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAsZwh6pab7Ib3RIl6suZI9V9GwXZmTks5tf_VdgaJpZM4Su0TW> .

[ivomarino]

seems to work now, had to set auth URL to https://deploy.dev.foo.com/auth/github/callback and mount modified app/config/initializers/omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://deploy.dev.foo.com".

[grosser]

so that confirms it's an issue with the protocol not being passed through to puma ... I'd recommend fixing the underlying issue then to get get more surprises in the future ... I guess we need some readme docs for "you should forward protocol blabla" ...

…

On Mon, Mar 19, 2018 at 11:34 AM, Ivo Marino ***@***.***> wrote: seems to work now, had to set auth URL to https://deploy.dev.foo.com/ auth/github/callback and mount modified app/config/initializers/ omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://debug.dev.foo.com". — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2654 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAsZ8GqLG59THUQovGwJUgVX3lcicRfks5tf_o-gaJpZM4Su0TW> .

[ivomarino]

@grosser seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks

[grosser]

please post your results here for others with that setup :) memcached is required atm will be opt-out with CACHE_STORE=memory once #2657 is merged in-memory store is just fine unless you restart samson a bunch of times :)

…

On Mon, Mar 19, 2018 at 11:48 AM, Ivo Marino ***@***.***> wrote: @grosser <https://github.com/grosser> seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2654 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAsZ3qyDZpOWZChmqqernyz-jtoLvU2ks5tf_12gaJpZM4Su0TW> .