Open tacman opened 9 months ago
Hey @tacman, isn't the target URL something that should be specified on the third-party provider side? I.e. in the GitHub/Facebook/Google app configuration? To me it sounds like you specify the redirect URL with http instead of https, which might be kind of OK if we're talking about debugging/development. Or could you please link to the code where we force this http on our side?
I'll dig in some more to reproduce it. I'm just setting the path, but it looks like it should return https.
Question: What do you use to test logging in with google? I can't put https://oauth-demo.wip in as the redirect URL, so I probably need to set up some sort of proxy that redirects to my local machine.
Ngrok should help with forwarding a temporary real URL to your localhost app - that's good for debugging and development, but there are also many alternatives to ngrok on the internet.
Thanks. No matter what I do, I can't get login with Google to work.
Using ngrok, I get through authorizing my account, then when it redirects back, I get
Error fetching OAuth credentials: "redirect_uri_mismatch".
The ngrok logs
GET /auth/connect/controller/google 403 Forbidden
GET /auth/social_login/google 200 OK
GET /auth/social_login/google 500 Internal Server Error
The PHP logs
[Application] Feb 25 16:53:29 |DEBUG | APP Notified event "Symfony\Component\Security\Http\Event\LoginFailureEvent" to listener "Symfony\Component\Security\Http\EventListener\RememberMeListener::clearCookie". event="Symfony\\Component\\Security\\Http\\Event\\LoginFailureEvent" listener="Symfony\\Component\\Security\\Http\\EventListener\\RememberMeListener::clearCookie"
[Application] Feb 25 16:53:29 |DEBUG | SECURI The "Survos\AuthBundle\Security\Authenticator" authenticator set the response. Any later authenticator will not be called authenticator="Survos\\AuthBundle\\Security\\Authenticator"
[PHP ] [Sun Feb 25 10:53:29 2024] 127.0.0.1:34590 [403]: GET /auth/connect/controller/google?state=d0223926fa02e06844a7ebdb4cc29556&code=4%2F0AeaYSHD_Bgaedg32IMV_wzsCtCmDHgn3GfPNhDH0_7ymuoNIxh-EOXik6AVCugeLWfwBeA&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent
[PHP ] [Sun Feb 25 10:53:29 2024] 127.0.0.1:34590 Closing
[Web Server ] Feb 25 10:53:29 |WARN | SERVER GET (403) /auth/connect/controller/google?state=d0223926fa02e06844a7ebdb4cc29556&code=4%2F0AeaYSHD_Bgaedg32IMV_wzsCtCmDHgn3GfPNhDH0_7ymuoNIxh-EOXik6AVCugeLWfwBeA&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent ip="127.0.0.1"
Alas, I'm stuck and don't know how to debug this. It's not making it to "connect", as I have a dd() there, so it must be generating that error within a listener.
Any suggestions? Or even point me to a working GitHub repo; I'll clone it and add my own keys just to get something to work.
Thanks.
I think I've figured it out. Related to https://github.com/symfony/symfony/issues/37980.
Once I added TRUSTED_PROXIES, not only did I get the debug toolbar but my redirect was correct and I logged in locally as expected!
After an embarrassingly long time investigating, the issue is somewhere in here, in AbstractProvider.php:

    public function createProvider($class, array $options, ?string $redirectUri = null, array $redirectParams = [], array $collaborators = [])
    {
        if (null !== $redirectUri) {
            // The route name is turned into an absolute URL; the scheme comes from the generator's RequestContext.
            $redirectUri = $this->generator
                ->generate($redirectUri, $redirectParams, UrlGeneratorInterface::ABSOLUTE_URL);
            $options['redirectUri'] = $redirectUri;
        }

        return new $class($options, $collaborators);
    }
The generator at this point is CompiledUrlGenerator, which generates http rather than https.
Any suggestions?
My solution is to force https:

    /**
     * Creates a provider of the given class.
     *
     * @param string $class
     */
    public function createProvider($class, array $options, ?string $redirectUri = null, array $redirectParams = [], array $collaborators = [])
    {
        if (null !== $redirectUri) {
            $redirectUri = $this->generator
                ->generate($redirectUri, $redirectParams, UrlGeneratorInterface::ABSOLUTE_URL);
            // Workaround: the generator emits http behind the proxy, so rewrite the scheme.
            $redirectUri = str_replace('http:', 'https:', $redirectUri);
            $options['redirectUri'] = $redirectUri;
        }

        return new $class($options, $collaborators);
    }
There's likely a better way, but I don't know what it is.
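An added example, not code from the bundle or from this thread, illustrating the TRUSTED_PROXIES finding above: behind a TLS-terminating proxy the router's RequestContext only reports https when Symfony is told which proxy addresses may set X-Forwarded-Proto, and a client outside that range cannot flip the scheme itself. It assumes symfony/http-foundation and symfony/routing are installed via Composer; the host, proxy addresses and route name are constructed for the demo.

```php
<?php
// Added example; assumes symfony/http-foundation and symfony/routing via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGenerator;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Routing\RequestContext;
use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

/**
 * Absolute redirect URI the router produces for a request that reached PHP over
 * plain http from $proxyIp, with the original scheme announced in X-Forwarded-Proto.
 *
 * @param string[] $trustedProxies CIDR ranges, as TRUSTED_PROXIES would supply them
 */
function redirectUriForProxiedRequest(array $trustedProxies, string $proxyIp): string
{
    // Only these addresses may set X-Forwarded-* headers; everyone else's are ignored.
    Request::setTrustedProxies(
        $trustedProxies,
        Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO
    );

    // Constructed request: the proxy terminated TLS and forwarded over http.
    $request = Request::create(
        'http://oauth-demo.example/auth/social_login/google',
        'GET', [], [], [],
        ['REMOTE_ADDR' => $proxyIp, 'HTTP_X_FORWARDED_PROTO' => 'https']
    );

    // Route name and path are demo assumptions, not the bundle's own.
    $routes = new RouteCollection();
    $routes->add('connect_google', new Route('/auth/connect/controller/{service}'));

    // ABSOLUTE_URL takes scheme and host from the RequestContext built from the request.
    $generator = new UrlGenerator($routes, RequestContext::fromRequest($request));

    return $generator->generate('connect_google', ['service' => 'google'], UrlGeneratorInterface::ABSOLUTE_URL);
}

// No trusted proxies: header ignored, redirect URI is http://oauth-demo.example/...
echo redirectUriForProxiedRequest([], '10.0.0.5'), PHP_EOL;
// Proxy range trusted: X-Forwarded-Proto honoured, URI is https://oauth-demo.example/...
echo redirectUriForProxiedRequest(['10.0.0.0/8'], '10.0.0.5'), PHP_EOL;
// Same header from outside the trusted range: still http://, so clients cannot spoof the scheme.
echo redirectUriForProxiedRequest(['10.0.0.0/8'], '203.0.113.7'), PHP_EOL;
```

Run with `php example.php`; the second line is the only https:// URI, which is the behaviour the TRUSTED_PROXIES setting restores without the str_replace workaround.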
After too many hours of hacking, I discovered that the redirect that comes back is sometimes using http, not https.
Curiously, for me it's happening on production, but not locally.
Here's my solution, but surely there's a better way.