DigitalSlideArchive / digital_slide_archive

The official deployment of the Digital Slide Archive and HistomicsTK.
https://digitalslidearchive.github.io
Apache License 2.0

OAuth Providers using localhost:8080 as callback URL in a Docker Proxied Environment #315

Closed armstrongsam25 closed 7 months ago

armstrongsam25 commented 8 months ago

Hello,

I'm having trouble with the implementation of the girder-oauth plugin in DSA. I have Apache2 on a VM proxying to DSA running on localhost:8080. Below is the pertinent Apache config on the VM.

    SSLProxyEngine On
    ProxyPass "/" "http://localhost:8080/"
    ProxyPassReverse "/" "http://localhost:8080/"

DSA loads perfectly and I can log in with the default username/password. However, I want to use Microsoft OAuth to log our users in, so I modified the following files to include the girder-oauth plugin. girder.cfg.txt provision.yaml.txt

I've input our tenantID, clientID, and clientSecret in the OAuth plugin page. From what I've seen, the URL route/params used in the callback are correct; however, it uses http://localhost:8080/api/v1/oauth/microsoft/callback?code=<blah blah blah> instead of the VM URL (e.g. https://the_server_url/api/v1/oauth/microsoft/callback?code=<blah blah blah>).

Is there a setting that I'm missing somewhere? I've also tried to append the following to their respective sections in girder.cfg with no luck:

    [global]
    tools.proxy.on = True
    tools.proxy.base = "https://<the_server_url>/"
    tools.proxy.local = ""

    [server]
    api_root = "/api/v1"
    static_root = "/static"

TIA

manthey commented 8 months ago

I'm not sure how to do this in apache, but I think to solve this in nginx this would be to add

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
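
Why these headers decide which callback URL the backend advertises, as an added example that is not part of the thread and is not Girder or CherryPy code: a simplified model in which the backend honours X-Forwarded-Host and X-Forwarded-Proto only when the request comes from a trusted proxy address, and otherwise falls back to its local address. The function names, the trusted-proxy list and the validation rules are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Route quoted in the thread; every other name below is hypothetical.
CALLBACK_PATH = "/api/v1/oauth/microsoft/callback"


def external_base(headers, peer_ip, trusted_proxies, local_base):
    """Base URL the browser used, falling back to local_base when unsure."""
    peer = ip_address(peer_ip)
    if not any(peer in ip_network(net) for net in trusted_proxies):
        # Not our proxy: X-Forwarded-* is client-controlled, so ignore it.
        return local_base
    # Chained proxies append comma-separated values; the first is outermost.
    host = headers.get("X-Forwarded-Host", "").split(",")[0].strip()
    proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
    if not host:
        return local_base
    if proto not in ("http", "https"):
        proto = urlsplit(local_base).scheme  # header missing or unexpected
    candidate = f"{proto}://{host}"
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return local_base
    # Reject a "host" that carries a path, query, fragment or credentials.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return local_base
    return candidate


def callback_url(headers, peer_ip, trusted_proxies=("127.0.0.1/32",),
                 local_base="http://localhost:8080"):
    """OAuth redirect URI as the simplified model would advertise it."""
    base = external_base(headers, peer_ip, trusted_proxies, local_base)
    return base + CALLBACK_PATH
```

In this model a proxy that forwards the host but not the scheme still yields an `http://` callback, which an OAuth provider registered with an `https://` redirect URI would not match.
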

armstrongsam25 commented 8 months ago

An update: I had set the callback URI in Azure to be:

I set the second callback for testing, but removing it seems to have fixed the original problem. The site's URL is being used as the callback now, which is good!

However, I hit another problem. When I log in with Microsoft, my account gets created successfully in DSA, but I cannot actually log in. It just refreshes the home page and I still see the "Log In" text in the top right. Have you run into this issue? Any thoughts?

EDIT: it looks like this https://our_url/api/v1/user/me is returning null when logging in

mitchklusty commented 8 months ago

Hi,

I am working with Sam on this issue. I was also wondering in what file the routes for the web server are found. We were trying to debug the /user/me route and were not able to find where it is defined.

Thanks

manthey commented 7 months ago

> I am working with Sam on this issue. I was also wondering in what file the routes for the web server are found. We were trying to debug the /user/me route and were not able to find where it is defined.

It is here: https://github.com/girder/girder/blob/master/girder/api/v1/user.py#L28

mitchklusty commented 7 months ago

Thank you. We found an issue in https://github.com/girder/girder/blob/master/girder/api/rest.py. The cookieAuth attribute of handler in handleRoute() is not set, causing the tokenStr in getCurrentToken() to not be set, which then causes the user to be returned as null in the /me route. I fixed this by adding the access.user(cookie=True) decorator to the getMe() function in https://github.com/girder/girder/blob/master/girder/api/v1/user.py. I have created a pull request for it.