gate-sso / gate

Gate is MFA Enabled SSO Platform that supports SAML, OAuth, Linux shell login and CAS
https://gate-sso.github.io
MIT License

Error: invalid_request from Google #106

Closed alucena closed 6 years ago

alucena commented 6 years ago

Hi,

We are using OpenVPN in our company and wanted to use single sign-on with Google, and the only project I found was gate-sso. I was setting it up according to the README documentation but I am not able to make it work.

This is my .env:

GATE_OAUTH_CLIENT_ID=*******.apps.googleusercontent.com
GATE_OAUTH_CLIENT_SECRET=**********
GATE_HOSTED_DOMAIN=21buttons.com
GATE_SERVER_URL=openvpn.21b.io
GATE_CONFIG_SECRET=secret
GATE_DB_HOST=db
GATE_DB_PORT=3306
GATE_DB_USER=root
GATE_DB_PASSWORD=mysql
CACHE_HOST=redis
CACHE_PORT=6379
GATE_HOSTED_DOMAINS="21buttons.com"

When I click the "Sign In with Google" button, the following error from a Google page appears:

400. That’s an error.

Error: invalid_request

Invalid parameter value for redirect_uri: Missing scheme: openvpn.21b.io/users/auth/google_oauth2/callback

And the logs from the server (using "make logs") seem to be OK:

web_1    | Started GET "/" for 92.211.209.30 at 2018-04-19 11:52:19 +0000
web_1    | Processing by HomeController#index as HTML
web_1    |   Rendered home/index.html.slim within layouts/home (0.6ms)
web_1    | Completed 200 OK in 454ms (Views: 449.4ms | ActiveRecord: 0.0ms)

I had to modify docker-compose.yml to create the mysql database in start up because I got an error telling me that the db didn't exist:

version: '2'
services:
  db:
    image: mysql:5.7
    environment:
      MYSQL_ROOT_PASSWORD: mysql
      MYSQL_DATABASE: gate_development
  redis:
    image: redis
  web:
    build: .
    command: rails s -p 80 -b '0.0.0.0'
    environment:
      RAILS_ENV: development
      GATE_DB_HOST: db
      GATE_DB_PORT: 3306
      GATE_DB_USER: root
      GATE_DB_PASSWORD: mysql
      CACHE_HOST: redis
      CACHE_PORT: 6379
      GATE_HOSTED_DOMAINS: "21b.io,21buttons.com"
      GATE_SAML_IDP_X509_CERTIFICATE:  "/root/server.crt"
      GATE_SAML_IDP_SECRET_KEY: "/root/server.key"
    env_file:
      - .env
    ports:
      - "80:80"
    volumes:
      - .:/app
    depends_on:
      - db
      - redis

Could it be some wrong environment variable value? I don't understand the meaning of some variables like RAILS_ENV, GATE_CONFIG_SECRET, GATE_HOSTED_DOMAINS. What are they for?

giosakti commented 6 years ago

Hi @alucena, we are using Rails as our development framework. In Rails you commonly have to specify either development or production for RAILS_ENV. Choosing either development or production can have a different impact, especially on performance and logging. Please take a look at the environment-specific configuration in the config/environments directory.

For GATE_CONFIG_SECRET, you can get it by typing rake secrets. Basically, we just need a random alphanumeric character there for cookie verification.

HOSTED_DOMAINS is a comma-separated value for domains that are allowed to log in via Gate. For example, if you want people with @21buttons.com to be able to log in via Gate, you can just type HOSTED_DOMAINS=21buttons.com

giosakti commented 6 years ago

One more thing, for this specific error Invalid parameter value for redirect_uri

you have to properly configure Authorized Redirect URIs at google configuration page so that it points to: openvpn.21b.io/users/auth/google_oauth2/callback

alucena commented 6 years ago

Thank you @giosakti. OK, I have a better understanding of these variables. I had already configured the Google configuration as you say.

Authorized Javascript origins: http://openvpn.21b.io
Authorized Redirect URIs: http://openvpn.21b.io/users/auth/google_oauth2/callback

But I get a Google error in the web browser when I click "Sign In with Google" on the gate-sso home page:

400. That’s an error.

Error: invalid_request

Invalid parameter value for redirect_uri: Missing scheme: openvpn.21b.io/users/auth/google_oauth2/callback

If I enter this URL (openvpn.21b.io/users/auth/google_oauth2/callback) in a web browser I get the following message:

undefined method `new_session_path' for #<Users::OmniauthCallbacksController:0x63afa879> Did you mean? new_user_path

Extracted source (around line #30):
28  def after_omniauth_failure_path_for(scope)
29    new_session_path(scope)
30  end
31
32  def translation_scope
33

Rails.root: /app

Application Trace | Framework Trace | Full Trace
devise (4.4.3controllers) devise/omniauth_callbacks_controller.rb:30:in `after_omniauth_failure_path_for'
devise (4.4.3controllers) devise/omniauth_callbacks_controller.rb:12:in `failure'
actionpack (4.2.8) lib/action_controller/metal/implicit_render.rb:4:in `send_action'
(a lot of lines more here)

Not sure what I'm setting wrong 😖

CharlieEriksen commented 6 years ago

Missing scheme = not specifying http/https.
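
Added example (not Gate's code and not part of the thread): a Ruby pre-flight check for the "Missing scheme" failure discussed above. It assumes the callback URL is formed by appending the path from the error message to a configured base URL such as the GATE_SERVER_URL value in the .env, and that the identity provider compares the result to the authorized list by exact string; the function names are hypothetical.

```ruby
require "uri"

# Callback path taken from the error message quoted in this thread.
CALLBACK_PATH = "/users/auth/google_oauth2/callback"

# Build the redirect_uri from a configured base URL (assumption: base + path).
# Returns [uri_string, nil] on success, [nil, reason] on failure.
def build_redirect_uri(server_url, callback_path = CALLBACK_PATH)
  raw = server_url.to_s.strip
  begin
    base = URI.parse(raw)
  rescue URI::InvalidURIError => e
    return [nil, "unparseable URL: #{e.message}"]
  end
  # "openvpn.21b.io" parses with scheme nil; "openvpn.21b.io:80" may parse
  # with the host name taken as the scheme. Accept only http/https explicitly.
  unless %w[http https].include?(base.scheme)
    return [nil, "missing or non-http(s) scheme: #{raw}#{callback_path}"]
  end
  return [nil, "missing host: #{raw}"] if base.host.nil? || base.host.empty?

  base.path = callback_path
  base.query = nil
  base.fragment = nil
  [base.to_s, nil]
end

# Compare the generated redirect_uri with the registered list (exact match).
def check_redirect(server_url, authorized_uris)
  uri, err = build_redirect_uri(server_url)
  return { ok: false, reason: err } if err
  return { ok: true, redirect_uri: uri } if authorized_uris.include?(uri)
  { ok: false, reason: "not in authorized list: #{uri}" }
end

if __FILE__ == $PROGRAM_NAME
  # Authorized list as stated in the thread; base URLs below are test inputs.
  authorized = ["http://openvpn.21b.io/users/auth/google_oauth2/callback"]
  ["openvpn.21b.io", "http://openvpn.21b.io", "https://openvpn.21b.io"].each do |v|
    puts "#{v.inspect} => #{check_redirect(v, authorized)}"
  end
end
```

Running the check at boot, before the first sign-in attempt, surfaces a scheme-less base URL or an http/https mismatch with the registered URI without a round trip to the provider.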

giosakti commented 6 years ago

Yes, we should provide http/https. Thanks Charlie.

This is an example of my config (I allowed 2 redirect URIs to be used): [image: scr]

alucena commented 6 years ago

@CharlieEriksen that is what I thought at the beginning, but I already specified it in the Google console (the screenshot is in Spanish but I think it's quite understandable):

[image: captura de pantalla 2018-04-19 a les 15 59 40]

Do I have to configure the scheme somewhere else? Some env variable? Should the scheme configured in the Google console be https instead of http?

Thank you!

ajeygore commented 6 years ago

Client auth ID and client secret should go in the Gate config, and http or https does not matter, but it should be redirectable. Also, in gate_hosted_domains you should have openvpn.21b.io if that's your Google Apps hosted domain.

ajeygore commented 6 years ago

Hi @alucena @CharlieEriksen I am closing this issue.

NeoTechni commented 3 years ago

"you have to properly configure Authorized Redirect URIs at google configuration page"

This page doesn't seem to exist anymore. I can't find it in the dev console