Closed ravikhetani closed 1 year ago
So I've done some digging around and found the issue. In tutorcairn/templates/cairn/apps/superset/superset_config.py, it looks like you are setting `ENABLE_PROXY_FIX = True` only if `ENABLE_WEB_PROXY` is set to false:

```
{% if not ENABLE_WEB_PROXY %} ENABLE_PROXY_FIX = True {% endif %}
```
Which I think is supposed to be set to true if a web proxy is being used; otherwise, as per Superset's documentation, the X-Forwarded-Proto header set by caddy will not be respected, and therefore superset will default to the http scheme instead of https.
I have tested by overriding the env file and setting `ENABLE_PROXY_FIX = True`, and it seems to have resolved the issue.
I can add in a pull request to update this to the following, if you're happy with the change:

```
{% if ENABLE_WEB_PROXY %} ENABLE_PROXY_FIX = True {% endif %}
```
Hi @ravikhetani! Just to make sure: what is the value of `tutor config printvalue ENABLE_HTTPS`? It should be `true`.
Hi @regisb, that value is set to true, but if it's true, then the current code doesn't set `ENABLE_PROXY_FIX = True`, which then means superset ignores the X-Forwarded-Proto header set by caddy, and sets the oauth redirect url to http rather than https.
@ravikhetani Sorry for my slowness. Let me get this straight: what's the output of `tutor config printvalue ENABLE_WEB_PROXY` for you?
@regisb no problem - the output of `tutor config printvalue ENABLE_WEB_PROXY` is `true`.
When I click login via SSO, I get a Mismatching redirect URI error - having looked at the http response, I can see that it's because the redirect URI is using the http scheme, instead of https.
I should have seen this right away. Just run the following:

```
tutor config save --set ENABLE_HTTPS=true
tutor local launch
```

After that, try again to login. The redirect URI should definitely not be http.
Hi @regisb `ENABLE_HTTPS` is already set to `true`, as mentioned my instance is running over TLS.
I think this is specifically a superset issue; I think it will use the http scheme unless instructed not to do so. As we are running with caddy, which terminates ssl and then reverse proxies the request, it sets the X-Forwarded-Proto header to indicate that the origin request was over tls, but this is ignored by superset unless `ENABLE_PROXY_FIX = True`. However, the logic in superset_config.py says only set that value to True if Enable Web Proxy is set to false, as per this line:

```
{% if not ENABLE_WEB_PROXY %} ENABLE_PROXY_FIX = True {% endif %}
```

which is the issue. I manually edited superset_config.py and updated the line to the following:

```
{% if ENABLE_WEB_PROXY %} ENABLE_PROXY_FIX = True {% endif %}
```

which is what resolved the issue for me.
It looks like this issue is repeatable (albeit they haven't added their config) - https://discuss.openedx.org/t/error-invalid-request-mismatching-redirect-uri-when-logging-in-to-cairn/11111
Here is my config.yml if it helps:

```yaml
CAIRN_CLICKHOUSE_PASSWORD: <OBFUSCATED>
CAIRN_POSTGRESQL_PASSWORD: <OBFUSCATED>
CAIRN_SSO_CLIENT_ID: cairn-sso
CAIRN_SSO_CLIENT_SECRET: <OBFUSCATED>
CAIRN_SUPERSET_SECRET_KEY: <OBFUSCATED>
CMS_HOST: <OBFUSCATED>
CMS_OAUTH2_SECRET: <OBFUSCATED>
CODEJAIL_SECRET_KEY: <OBFUSCATED>
CONTACT_EMAIL: <OBFUSCATED>
ENABLE_HTTPS: true
ID: <OBFUSCATED>
JWT_RSA_PRIVATE_KEY: <OBFUSCATED>
LANGUAGE_CODE: en
LMS_HOST: edx.<my-domain>.org
MYSQL_ROOT_PASSWORD: <OBFUSCATED>
NOTES_MYSQL_PASSWORD: <OBFUSCATED>
NOTES_OAUTH2_SECRET: <OBFUSCATED>
NOTES_SECRET_KEY: <OBFUSCATED>
OPENEDX_MYSQL_PASSWORD: <OBFUSCATED>
OPENEDX_SECRET_KEY: <OBFUSCATED>
PLATFORM_NAME: TBI Edx
PLUGINS:
- cairn
- codejail
- cors
- forum
- google-analytics
- mfe
- notes
- xqueue
PLUGIN_INDEXES:
- https://overhang.io/tutor/main
- https://overhang.io/tutor/contrib
RUN_SMTP: false
SMTP_HOST: email-smtp.eu-north-1.amazonaws.com
SMTP_PASSWORD: <OBFUSCATED>
SMTP_PORT: 587
SMTP_USERNAME: <OBFUSCATED>
SMTP_USE_SSL: false
SMTP_USE_TLS: true
XQUEUE_AUTH_PASSWORD: <OBFUSCATED>
XQUEUE_MYSQL_PASSWORD: <OBFUSCATED>
XQUEUE_SECRET_KEY: <OBFUSCATED>
```
Is it possible to have me added to the repo so that I can submit a pull request?
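To make the mechanism in this thread concrete, here is an added example (not Superset's, werkzeug's or tutor-cairn's code) that reproduces the effect of `ENABLE_PROXY_FIX` with a minimal WSGI middleware modelled on werkzeug's ProxyFix with `x_proto=1`. The WSGI environ, hostname and callback path are constructed; they stand in for what Caddy hands to Superset over plain HTTP after terminating TLS. Without the fix the app builds the OAuth redirect URI from `wsgi.url_scheme`, which is `http`; with the fix the scheme comes from the X-Forwarded-Proto header the proxy set.

```python
"""Added example: how a proxy-fix middleware changes the scheme an app sees.

Not Superset's code. The environ values below are constructed for the demo.
"""
from urllib.parse import urlunsplit


def caddy_proxied_environ():
    """Constructed WSGI environ as a TLS-terminating proxy (Caddy) would
    deliver it over plain HTTP: the app sees scheme "http", and the
    client's original scheme survives only in X-Forwarded-Proto."""
    return {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": "data.example.org",            # hypothetical host
        "PATH_INFO": "/oauth-authorized/openedx",   # hypothetical callback path
        "REMOTE_ADDR": "172.18.0.5",                # the proxy's address
        "HTTP_X_FORWARDED_PROTO": "https",
        "HTTP_X_FORWARDED_FOR": "203.0.113.10",
    }


def redirect_uri(environ):
    """Build the OAuth redirect URI the way a Flask app does: from the scheme
    and host the WSGI layer reports, never directly from request headers."""
    return urlunsplit(
        (environ["wsgi.url_scheme"], environ["HTTP_HOST"], environ["PATH_INFO"], "", "")
    )


class ProxyFix:
    """Rewrite wsgi.url_scheme from X-Forwarded-Proto, trusting `x_proto` proxy
    hops (the value the nearest trusted proxy appended). Mirrors what Superset
    installs when ENABLE_PROXY_FIX is True. It must only be enabled behind a
    proxy that overwrites this header, because the middleware believes it."""

    def __init__(self, app, x_proto=1):
        self.app = app
        self.x_proto = x_proto

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if self.x_proto and len(values) >= self.x_proto:
            # Entry added by the x_proto-th proxy from the app, counted from the end.
            environ["wsgi.url_scheme"] = values[-self.x_proto]
        return self.app(environ, start_response)


def resolve_redirect_uri(environ, enable_proxy_fix):
    """Run a tiny app that issues an OAuth redirect and return the URI it chose,
    with or without the proxy fix installed (the ENABLE_PROXY_FIX switch)."""
    result = {}

    def app(env, start_response):
        result["uri"] = redirect_uri(env)
        start_response("302 Found", [("Location", result["uri"])])
        return [b""]

    wsgi_app = ProxyFix(app) if enable_proxy_fix else app
    wsgi_app(dict(environ), lambda status, headers: None)
    return result["uri"]


if __name__ == "__main__":
    env = caddy_proxied_environ()
    print("ENABLE_PROXY_FIX=False ->", resolve_redirect_uri(env, False))
    print("ENABLE_PROXY_FIX=True  ->", resolve_redirect_uri(env, True))
```

The first call reproduces the "Mismatching redirect URI" symptom from the thread: the app registers an https redirect URI with the identity provider but sends an http one. The second shows why the flag has to be on whenever a reverse proxy such as Caddy is in front of Superset, and why it should be off when the app is exposed directly, since the middleware takes the header at face value.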
Right, I was finally able to reproduce your issue on a live server. You're right that we need to remove the `{% if not ENABLE_WEB_PROXY %}` clause. Would you like to open a PR or should I do it? (You do not need to be added to the repo to open a PR.)
More than happy to open one!
Awesome :) Make sure to follow the recommendations from https://docs.tutor.overhang.io/tutor.html#contributing. Also, include a changelog entry with `scriv create`.
Hi,
I've spent some time debugging this issue but have been unable to find where the problem code is. I have installed the plugin using the palm release on both an existing instance I had running and then a fresh installation to ensure that it wasn't something related to my configuration.
I'm running an instance with SSL enabled, I'm able to access https://data.mydomain, when I click login via SSO, I get a Mismatching redirect URI error - having looked at the http response, I can see that it's because the redirect URI is using the http scheme, instead of https.
As far as I can see, the correct client_id is being used, cairn-sso, which has the https redirect URI value - so somewhere along the line, the scheme is being changed to http - possibly in caddy? Although I couldn't see anything that would be affecting just superset specifically - studio and cms are both working completely fine over tls.
As mentioned, I've tested this with a fresh installation, with the plugin installed, on AWS, deploying using tutor via docker-compose, so it should be relatively straightforward to reproduce.
Let me know if you need further information.