jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0
1.48k stars 361 forks

Unable to authorize self hosted docker drawio with self hosted docker gitlab-ce running on same machine and network #93

Open shashanknimje opened 1 year ago

shashanknimje commented 1 year ago

Hi, Thank you very much to the jgraph team and all the contributors for all your hard work in creating this amazing tool! :)

Apologies for the verbose post. I thought it would be helpful to have all the info in one place.

Any help in resolving this issue would be super appreciated. Thank you!

Screenshot from 2022-09-22 14-10-11

docker-compose.yml

version: "3.7"

services:
    drawio:
        image: "jgraph/drawio:20.2.8"
        restart: "always"
        container_name: "drawio"
        environment:
            DRAWIO_BASE_URL: https://drawio.domain.com
            DRAWIO_GITLAB_URL: https://gitlab.domain.com
            DRAWIO_GITLAB_ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            DRAWIO_GITLAB_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            DRAWIO_GOOGLE_CLIENT_ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            DRAWIO_GOOGLE_CLIENT_SECRET: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            DRAWIO_GOOGLE_APP_ID: xxxxxxxxxx
            VIRTUAL_HOST: drawio.domain.com, www.drawio.domain.com
            LETSENCRYPT_HOST: drawio.domain.com, www.drawio.domain.com
            LETSENCRYPT_EMAIL: user@domain.com
        expose:
            - "80"
            - "443"
        networks:
            - "nginx-proxy-net"
        volumes:
            - "./server.xml:/usr/local/tomcat/conf/server.xml:ro"
            - "./certs/drawio.domain.com.crt.pem:/usr/local/tomcat/conf/localhost-rsa-cert.pem:ro"
            - "./certs/drawio.domain.com.key.pem:/usr/local/tomcat/conf/localhost-rsa-key.pem:ro"
            - "./certs/drawio.domain.com.fullchain.pem:/usr/local/tomcat/conf/localhost-rsa-chain.pem:ro"
            - "./certs/bundle.pfx:/usr/local/tomcat/bundle.pfx:rw"
            - "./certs/gitlab.domain.com.crt.pem:/usr/local/tomcat/conf/gitlab.domain.com.crt.pem:ro"
networks:
    nginx-proxy-net:
        external: true

server.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!-- APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 80
    -->
    <Connector
        port="80"
        protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="443"
    />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->

<!--
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

-->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="443" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Context path="/" docBase="draw">
          <WatchedResource>WEB-INF/web.xml</WatchedResource>
        </Context>
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               KeystoreFile="/usr/local/tomcat/bundle.pfx"
               KeystorePass="xxxxxxxxxxxxxxxxxx"
               defaultSSLHostConfigName="drawio.domain.com">
      <SSLHostConfig hostName="drawio.domain.com" protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="/usr/local/tomcat/bundle.pfx"
                     certificateKeystorePassword="xxxxxxxxxxxxxxxxxx" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>

docker-compose up output

❯ docker-compose up
[+] Running 1/1
 ⠿ Container drawio  Created                                                                                                                                                    0.1s
Attaching to drawio
drawio  | Init PreConfig.js
drawio  | (function() {
drawio  |   try {
drawio  |       var s = document.createElement('meta');
drawio  |       s.setAttribute('content', 'default-src \'self\'; script-src \'self\' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com \'unsafe-inline\'; connect-src \'self\' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\' https://fonts.googleapis.com; frame-src \'self\' https://*.google.com;');
drawio  |       s.setAttribute('http-equiv', 'Content-Security-Policy');
drawio  |       var t = document.getElementsByTagName('meta')[0];
drawio  |       t.parentNode.insertBefore(s, t);
drawio  |   } catch (e) {} // ignore
drawio  | })();
drawio  | window.DRAWIO_BASE_URL = 'https://drawio.domain.com';
drawio  | window.DRAWIO_VIEWER_URL = '';
drawio  | window.DRAWIO_LIGHTBOX_URL = '';
drawio  | window.DRAW_MATH_URL = 'math';
drawio  | window.DRAWIO_CONFIG = null;
drawio  | urlParams['sync'] = 'manual'; //Disable Real-Time
drawio  | urlParams['db'] = '0'; //dropbox
drawio  | urlParams['gh'] = '0'; //github
drawio  | urlParams['tr'] = '0'; //trello
drawio  | window.DRAWIO_GOOGLE_APP_ID = 'xxxxxxxxxxx';
drawio  | window.DRAWIO_GOOGLE_CLIENT_ID = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
drawio  | urlParams['od'] = '0'; //OneDrive
drawio  | window.DRAWIO_GITLAB_URL = 'https://gitlab.domain.com';
drawio  | window.DRAWIO_GITLAB_ID = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';
drawio  | Init PostConfig.js
drawio  | window.VSD_CONVERT_URL = null;
drawio  | window.ICONSEARCH_PATH = null;
drawio  | EditorUi.enableLogging = false; //Disable logging
drawio  | window.EMF_CONVERT_URL = null;
drawio  | App.prototype.isDriveDomain = function() { return true; }
drawio  | Generating Self-Signed certificate
drawio  | Keystore type: PKCS12
drawio  | Keystore provider: SUN
drawio  |
drawio  | Your keystore contains 1 entry
drawio  |
drawio  | Alias name: selfsigned
drawio  | Creation date: Sep 22, 2022
drawio  | Entry type: PrivateKeyEntry
drawio  | Certificate chain length: 1
drawio  | Certificate[1]:
drawio  | Owner: CN=draw.example.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
drawio  | Issuer: CN=draw.example.com, OU=Cloud Native Application, O=example inc, L=Paris, ST=Paris, C=FR
drawio  | Serial number: xxxxxxxxxxx
drawio  | Valid from: xxxxxxxxxxxxxxx until: xxxxxxxxxxxxxxxxxxx
drawio  | Certificate fingerprints:
drawio  |    SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
drawio  |    SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
drawio  | Signature algorithm name: SHA256withRSA
drawio  | Subject Public Key Algorithm: 2048-bit RSA key
drawio  | Version: 3
drawio  |
drawio  | Extensions:
drawio  |
drawio  | #1: ObjectId: xxxxxxxxxxxx Criticality=false
drawio  | SubjectKeyIdentifier [
drawio  | KeyIdentifier [
drawio  | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
drawio  | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
drawio  | ]
drawio  | ]
drawio  |
drawio  |
drawio  |
drawio  | *******************************************
drawio  | *******************************************
drawio  |
drawio  |
drawio  | Append https connector to server.xml
drawio  | Read-only file system: conf/server.xml
drawio  | Read-only file system: conf/server.xml
drawio  | NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.395 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
drawio  | 22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.64
drawio  | 22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jun 2 2022 19:08:46 UTC
drawio  | 22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.64.0
drawio  | 22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
drawio  | 22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.15.0-1020-aws
drawio  | 22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
drawio  | 22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
drawio  | 22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.15+10
drawio  | 22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
drawio  | 22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
drawio  | 22-Sep-2022 07:48:51.456 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
drawio  | 22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
drawio  | 22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
drawio  | 22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
drawio  | 22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
drawio  | 22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
drawio  | 22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
drawio  | 22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
drawio  | 22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
drawio  | 22-Sep-2022 07:48:51.465 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
drawio  | 22-Sep-2022 07:48:51.465 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
drawio  | 22-Sep-2022 07:48:51.474 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.33] using APR version [1.7.0].
drawio  | 22-Sep-2022 07:48:51.474 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
drawio  | 22-Sep-2022 07:48:51.475 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
drawio  | 22-Sep-2022 07:48:51.482 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
drawio  | 22-Sep-2022 07:48:52.197 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
drawio  | 22-Sep-2022 07:48:52.355 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-443"]
drawio  | 22-Sep-2022 07:48:52.997 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2140] milliseconds
drawio  | 22-Sep-2022 07:48:53.103 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
drawio  | 22-Sep-2022 07:48:53.103 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.64]
drawio  | 22-Sep-2022 07:48:54.591 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
drawio  | 22-Sep-2022 07:48:54.628 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
drawio  | 22-Sep-2022 07:48:54.965 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
drawio  | 22-Sep-2022 07:48:54.970 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [341] ms
drawio  | 22-Sep-2022 07:48:54.980 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
drawio  | 22-Sep-2022 07:48:55.004 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-443"]
drawio  | 22-Sep-2022 07:48:55.013 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2015] milliseconds
drawio  | SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
drawio  | SLF4J: Defaulting to no-operation (NOP) logger implementation
drawio  | SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
drawio  | java.net.ConnectException: Connection refused (Connection refused)
drawio  |   at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)
drawio  |   at java.base/java.net.SocksSocketImpl.connect(Unknown Source)
drawio  |   at java.base/java.net.Socket.connect(Unknown Source)
drawio  |   at java.base/sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
drawio  |   at java.base/sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
drawio  |   at java.base/sun.net.NetworkClient.doConnect(Unknown Source)
drawio  |   at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
drawio  |   at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
drawio  |   at com.mxgraph.online.AbsAuthServlet.contactOAuthServer(Unknown Source)
drawio  |   at com.mxgraph.online.AbsAuthServlet.doGet(Unknown Source)
drawio  |   at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
drawio  |   at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
drawio  |   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
drawio  |   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
drawio  |   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
drawio  |   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
drawio  |   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
drawio  |   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
drawio  |   at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
drawio  |   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
drawio  |   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
drawio  |   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
drawio  |   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
drawio  |   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
drawio  |   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1787)
drawio  |   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
drawio  |   at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
drawio  |   at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
drawio  |   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
drawio  |   at java.base/java.lang.Thread.run(Unknown Source)
drawio  | 22-Sep-2022 07:49:13.347 SEVERE [http-nio-80-exec-10] com.mxgraph.online.AbsAuthServlet.contactOAuthServer AUTH-SERVLET: [https://gitlab.domain.com/oauth/token] ERROR: Connection refused (Connection refused) ->
drawio  | java.net.ConnectException: Connection refused (Connection refused)
drawio  |   at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
drawio  |   at java.base/java.net.AbstractPlainSocketImpl.connect(Unknown Source)
drawio  |   at java.base/java.net.SocksSocketImpl.connect(Unknown Source)
drawio  |   at java.base/java.net.Socket.connect(Unknown Source)
drawio  |   at java.base/sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
drawio  |   at java.base/sun.security.ssl.BaseSSLSocketImpl.connect(Unknown Source)
drawio  |   at java.base/sun.net.NetworkClient.doConnect(Unknown Source)
drawio  |   at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
drawio  |   at java.base/sun.net.www.http.HttpClient.openServer(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
drawio  |   at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
drawio  |   at com.mxgraph.online.AbsAuthServlet.contactOAuthServer(Unknown Source)
drawio  |   at com.mxgraph.online.AbsAuthServlet.doGet(Unknown Source)
drawio  |   at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
drawio  |   at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
drawio  |   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
drawio  |   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
drawio  |   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
drawio  |   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
drawio  |   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
drawio  |   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
drawio  |   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
drawio  |   at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
drawio  |   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
drawio  |   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
drawio  |   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
drawio  |   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
drawio  |   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
drawio  |   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1787)
drawio  |   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
drawio  |   at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
drawio  |   at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
drawio  |   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
drawio  |   at java.base/java.lang.Thread.run(Unknown Source)
drawio  | 22-Sep-2022 07:51:20.337 SEVERE [http-nio-80-exec-8] com.mxgraph.online.AbsAuthServlet.contactOAuthServer AUTH-SERVLET: [https://gitlab.domain.com/oauth/token] ERROR: Connection refused (Connection refused) ->

catalina.log

cat ./catalina.2022-09-22.log
22-Sep-2022 07:48:51.395 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.64
22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Jun 2 2022 19:08:46 UTC
22-Sep-2022 07:48:51.453 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.64.0
22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            5.15.0-1020-aws
22-Sep-2022 07:48:51.454 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.15+10
22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
22-Sep-2022 07:48:51.455 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
22-Sep-2022 07:48:51.456 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
22-Sep-2022 07:48:51.461 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
22-Sep-2022 07:48:51.462 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
22-Sep-2022 07:48:51.463 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
22-Sep-2022 07:48:51.464 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
22-Sep-2022 07:48:51.465 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
22-Sep-2022 07:48:51.465 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
22-Sep-2022 07:48:51.474 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.33] using APR version [1.7.0].
22-Sep-2022 07:48:51.474 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
22-Sep-2022 07:48:51.475 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
22-Sep-2022 07:48:51.482 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.2 15 Mar 2022]
22-Sep-2022 07:48:52.197 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
22-Sep-2022 07:48:52.355 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-443"]
22-Sep-2022 07:48:52.997 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2140] milliseconds
22-Sep-2022 07:48:53.103 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
22-Sep-2022 07:48:53.103 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.64]
22-Sep-2022 07:48:54.591 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
22-Sep-2022 07:48:54.628 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
22-Sep-2022 07:48:54.965 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
22-Sep-2022 07:48:54.970 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [341] ms
22-Sep-2022 07:48:54.980 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
22-Sep-2022 07:48:55.004 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-443"]
22-Sep-2022 07:48:55.013 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [2015] milliseconds
22-Sep-2022 07:49:13.347 SEVERE [http-nio-80-exec-10] com.mxgraph.online.AbsAuthServlet.contactOAuthServer AUTH-SERVLET: [https://gitlab.domain.com/oauth/token] ERROR: Connection refused (Connection refused) ->
22-Sep-2022 07:51:20.337 SEVERE [http-nio-80-exec-8] com.mxgraph.online.AbsAuthServlet.contactOAuthServer AUTH-SERVLET: [https://gitlab.domain.com/oauth/token] ERROR: Connection refused (Connection refused) ->

localhost_access_log

cat ./localhost_access_log.2022-09-22.txt
172.18.0.5 - - [22/Sep/2022:07:48:58 +0000] "GET / HTTP/1.1" 200 13415
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/PreConfig.js HTTP/1.1" 200 1651
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/app.min.js HTTP/1.1" 200 7742636
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/PostConfig.js HTTP/1.1" 200 201
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/shapes-14-6-5.min.js HTTP/1.1" 200 1304315
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /math/startup.js HTTP/1.1" 404 770
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/extensions.min.js HTTP/1.1" 200 2682974
172.18.0.5 - - [22/Sep/2022:07:49:01 +0000] "GET /js/stencils.min.js HTTP/1.1" 200 6314790
172.18.0.5 - - [22/Sep/2022:07:49:11 +0000] "GET /gitlab?getState=1 HTTP/1.1" 200 62
172.18.0.5 - - [22/Sep/2022:07:49:13 +0000] "GET /gitlab?code=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&state=cId%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26domain%3Ddrawio.domain.com%26token%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 500 -
172.18.0.5 - - [22/Sep/2022:07:49:25 +0000] "GET /gitlab HTTP/1.1" 400 -
172.18.0.5 - - [22/Sep/2022:07:50:50 +0000] "GET /js/PreConfig.js HTTP/1.1" 304 -
172.18.0.5 - - [22/Sep/2022:07:50:51 +0000] "GET /js/PostConfig.js HTTP/1.1" 304 -
172.18.0.5 - - [22/Sep/2022:07:50:51 +0000] "GET /math/startup.js HTTP/1.1" 404 770
172.18.0.5 - - [22/Sep/2022:07:51:17 +0000] "GET /gitlab?getState=1 HTTP/1.1" 200 63
172.18.0.5 - - [22/Sep/2022:07:51:20 +0000] "GET /gitlab?code=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&state=cId%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26domain%3Ddrawio.domain.com%26token%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1" 500 -
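The 500 on `GET /gitlab?code=...` above is not the browser failing to reach GitLab: after the redirect comes back, draw.io's auth servlet makes its own server-side POST to `<DRAWIO_GITLAB_URL>/oauth/token` from inside the Tomcat container, and that is the call that logs `Connection refused`. The following is an added example, not code from draw.io or GitLab: a mock token endpoint that enforces the RFC 6749 authorization-code checks, plus the client-side exchange, so the three outcomes a practitioner meets in this thread can be reproduced offline: a successful exchange, `invalid_grant` when the `redirect_uri` sent to the token endpoint differs from the one used at `/oauth/authorize` (for example http vs. https), and a transport error when nothing is listening at the configured host and port. The client id, secret and redirect URI are placeholder assumptions; the exact parameters the real servlet sends are not shown on the page, so the request here is the generic RFC 6749 form.

```python
"""Simulated OAuth 2.0 authorization-code exchange (RFC 6749 section 4.1.3).

Added example, not draw.io or GitLab code. It stands in for the server-side
call draw.io's auth servlet makes to <gitlab>/oauth/token after the browser
returns with ?code=...; the failure classes are the ones the logs above show
as 'Connection refused' and 'invalid_grant'.
"""
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed registration (assumption: placeholder values mirroring the
# DRAWIO_GITLAB_ID / DRAWIO_GITLAB_SECRET environment variables).
CLIENT_ID = "drawio-client-id"
CLIENT_SECRET = "drawio-client-secret"
REGISTERED_REDIRECT = "https://drawio.domain.com/gitlab"

# Codes minted by the authorize step: code -> (client_id, redirect_uri).
# A real server also tracks expiry; the mock simply deletes a code on first use.
ISSUED_CODES = {}


def issue_code(client_id, redirect_uri):
    """Pretend /oauth/authorize ran: mint a single-use code bound to the
    client and to the redirect_uri used in that authorization request."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return code


class TokenEndpoint(BaseHTTPRequestHandler):
    """Minimal /oauth/token applying the RFC 6749 checks relevant here."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        get = lambda key: form.get(key, [""])[0]
        bound = ISSUED_CODES.pop(get("code"), None)  # single use, always
        if self.path != "/oauth/token":
            return self._reply(404, {"error": "not_found"})
        if get("client_id") != CLIENT_ID or get("client_secret") != CLIENT_SECRET:
            return self._reply(401, {"error": "invalid_client"})
        # invalid_grant covers an unknown or already-used code, a code issued
        # to another client, and a redirect_uri that differs from the one used
        # at /oauth/authorize (the http-vs-https case later in this thread).
        if (get("grant_type") != "authorization_code" or bound is None
                or bound != (get("client_id"), get("redirect_uri"))):
            return self._reply(400, {
                "error": "invalid_grant",
                "error_description": "The provided authorization grant is "
                "invalid, expired, revoked, does not match the redirection URI "
                "used in the authorization request, or was issued to another "
                "client."})
        self._reply(200, {"access_token": secrets.token_urlsafe(32),
                          "token_type": "Bearer"})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_gitlab():
    """Bind the mock token endpoint on an ephemeral loopback port and return
    (server, base_url); the base URL plays the role of DRAWIO_GITLAB_URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), TokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def exchange_code(gitlab_url, code, redirect_uri, timeout=2.0):
    """Client side of the exchange, as the draw.io server would perform it.
    Returns ('ok', token_json), ('oauth_error', error_json) or
    ('transport_error', reason) so callers can tell a rejected grant apart
    from a host that was never reached."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
    }).encode()
    req = urllib.request.Request(gitlab_url + "/oauth/token", data=body,
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok", json.loads(resp.read())
    except urllib.error.HTTPError as err:   # server answered with 4xx/5xx
        return "oauth_error", json.loads(err.read())
    except urllib.error.URLError as err:    # DNS, refused, TLS, timeout ...
        return "transport_error", str(err.reason)
```

The practical consequence for this thread: because `exchange_code` runs on the server, the check that matters is whether `gitlab.domain.com:443` is reachable from inside the drawio container (for example `docker exec drawio getent hosts gitlab.domain.com`, then a request from the same container), not whether the browser can open GitLab. A `transport_error` points at DNS or routing between the containers; an `oauth_error` of `invalid_grant` points at the redirect URI or client registration.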

pitastrudl commented 1 year ago

You are saying it's on the same machine; is the exposure of draw.io's ports 80 and 443 conflicting with GitLab's HTTP/HTTPS ports? Is there an nginx sitting in front of these services?

shashanknimje commented 1 year ago

Hi @pitastrudl, thank you for getting back to me. There's an nginx proxy (docker container) forwarding the requests on 80 and 443 to the rest of the containers. In fact, the drawio docker container is able to authenticate with Google Drive with the help of the nginx proxy docker container.

wolkenschieber commented 5 months ago

I was having the same issue, but hours of googling did the trick.

GitLab on http://edoras/gitlab is configured for the Draw.io application: [screenshot]

Draw.io is running on http://angband:8080/

services:
  drawio:
    image: jgraph/drawio
    container_name: drawio
    restart: unless-stopped
    ports:
      - 8080:8080
    environment:
      - DRAWIO_SERVER_URL=http://angband:8080/
      - DRAWIO_GITLAB_URL=http://edoras/gitlab
      - DRAWIO_GITLAB_ID=id-from-screenshot
      - DRAWIO_GITLAB_SECRET=secret
      - LETS_ENCRYPT_ENABLED=false

This allowed me to authorize with GitLab: http://edoras/gitlab/oauth/authorize returned status code 200, but Draw.io didn't accept the grant:

drawio  | SEVERE [http-nio-8080-exec-3] com.mxgraph.online.AbsAuth.contactOAuthServer AUTH-SERVLET: [http://edoras/gitlab/oauth/token] ERROR: Server returned HTTP response code: 400 for URL: http://edoras/gitlab/oauth/token -> {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
drawio  | java.io.IOException: Server returned HTTP response code: 400 for URL: http://edoras/gitlab/oauth/token
drawio  |       at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
drawio  |       at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
drawio  |       at com.mxgraph.online.AbsAuth.contactOAuthServer(Unknown Source)
drawio  |       at com.mxgraph.online.AbsAuth.doGetAbst(Unknown Source)
drawio  |       at com.mxgraph.online.GitlabAuthServlet.doGet(Unknown Source)

Issue #91, specifically issuecomment-1550527468, pointed to DRAWIO_USE_HTTP=1, after which the grant was accepted, but the request was then blocked by CORS:

Refused to connect to 'http://edoras/gitlab/api/v4/user' because it violates the following Content Security Policy directive: "connect-src 'self' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com".

Issue #108, specifically issuecomment-1483316381, pointed out that the GitLab host has to be added to DRAWIO_CSP_HEADER.

So working for me is this compose file:

services:
  drawio:
    image: jgraph/drawio
    container_name: drawio
    restart: unless-stopped
    ports:
      - 8080:8080
    environment:
      - DRAWIO_SERVER_URL=http://angband:8080/
      - DRAWIO_GITLAB_URL=http://edoras/gitlab
      - DRAWIO_GITLAB_ID=id-from-screenshot
      - DRAWIO_GITLAB_SECRET=secret
      - DRAWIO_CSP_HEADER=default-src \'self\'; script-src \'self\' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com \'unsafe-inline\'; connect-src \'self\' http://edoras https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\' https://fonts.googleapis.com; frame-src \'self\' https://*.google.com;
      - DRAWIO_USE_HTTP=1
      - LETS_ENCRYPT_ENABLED=false