search

zendesk / samson

Web interface for deployments, with plugin architecture and kubernetes support
Other
1.45k stars 234 forks source link

redirect_uri_mismatch #2654

Open ivomarino opened 6 years ago

ivomarino commented 6 years ago

hi all, we're running Samson as a Docker container behind HAProxy which also does SSL termination, the service is available as, let's say, http://deploy.dev.foo.com -- the following environment settings have been set:

        DATABASE_URL: "sqlite3://db/development.sqlite"
        DEFAULT_URL: "https://deploy.dev.foo.com"
        SECRET_TOKEN: "whatever"
        AUTH_GITHUB: "true"
        GITHUB_TOKEN: "whatever"
        GITHUB_ORGANIZATION: "foo"
        GITHUB_ADMIN_TEAM: "foo"
        GITHUB_CLIENT_ID: "whatever"
        GITHUB_SECRET: "whatever"
        # RAILS_ENV: "production"
        # RACK_ENV: "production"
        RAILS_ENV: "development"
        RACK_ENV: "development"
        FORCE_SSL: 1

after trying to log-in via GitHub we always get this error message: redirect_uri_mismatch | The redirect_uri MUST match the registered callback URL for this application. | https://developer.github.com/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch:

screen shot 2018-03-17 at 14 57 19

OAuth authentication has been set this way:

screen shot 2018-03-17 at 15 11 34

any suggestions? Thanks.

grosser commented 6 years ago

make sure haproxy passes on http_x_forwarded_proto so samson knows that it is actually running in https

did you try setting the authorization callback url to http ? otherwise try to hack oauth to tell you what the actual url was ... might be a good PR for oauth anyway ... I think I ran into this error too :/

ivomarino commented 6 years ago

the chain is haproxy -> nginx reverse proxy -> Samson, I have to check if header infos are forwarded.

ivomarino commented 6 years ago

I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS.

grosser commented 6 years ago

setting the auth url to http might work even if it is redirected

On Sat, Mar 17, 2018 at 8:11 AM, Ivo Marino notifications@github.com wrote:

I can’t actually use HTTP cause HAProxy actually forces HTTPS (redirect), I can try to turn that off anyway if you think the issue is HTTPS.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-373927381, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ1giP6922saDMADzUG9VbjLAxAZKks5tfSe5gaJpZM4Su0TW .

ivomarino commented 6 years ago

@grosser just tested, running everything on HTTP only works, as soon as I use https://deploy.dev.foo.com I can't login.

ivomarino commented 6 years ago

I've checked the vars using Apache2 and PHP:

HTTP_X_REAL_IP => 192.168.120.1 
HTTP_X_FORWARDED_FOR => xxx.xxx.xxx.xxx, 192.168.120.1 
HTTP_X_FORWARDED_PROTO => https 
HTTP_X_FORWARDED_SSL => off 
HTTP_X_FORWARDED_PORT => 80

this is basically just another container running on the same node where samson runs so what applies to this also applies to samson. Does Samson use HTTP_X_FORWARDED_PROTO or similar? I'm accessing this stuff via https://debug.dev.foo.com.

grosser commented 6 years ago

hmm I think the error comes from githubs side via oauth see omniauth-oauth2-1.4.0/lib/omniauth/strategies/oauth2.rb:66

does it work when only setting the callback url to http ?

I think the issue comes from samson sending out a request like "hey call me back on http://" and then github say "nope!"

callback_url comes from omniauth-1.6.1/lib/omniauth/strategy.rb:410 so might be fixable by setting OmniAuth.config.full_host = "https://debug.dev.foo.com" in samsons config/initializers/omniauth.rb

let me know if that works ... might also be good to inspect the request env, it should be visible on that error page you saw ... check for HTTP_X_FORWARDED_PROTO

ivomarino commented 6 years ago

@grosser I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc?

grosser commented 6 years ago

the error page should show all the request env if not add something like raise request.env.inspect to for example the ping_controller.rb

On Mon, Mar 19, 2018 at 11:13 AM, Ivo Marino notifications@github.com wrote:

@grosser https://github.com/grosser I check thats, thanks. Is there anyway for printing HTTP_X_FORWARDED_PROTO form puma, etc?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374312728, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZwh6pab7Ib3RIl6suZI9V9GwXZmTks5tf_VdgaJpZM4Su0TW .

ivomarino commented 6 years ago

seems to work now, had to set auth URL to https://deploy.dev.foo.com/auth/github/callback and mount modified app/config/initializers/omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://deploy.dev.foo.com".

grosser commented 6 years ago

so that confirms it's an issue with the protocol not being passed through to puma ... I'd recommend fixing the underlying issue then to get get more surprises in the future ... I guess we need some readme docs for "you should forward protocol blabla" ...

On Mon, Mar 19, 2018 at 11:34 AM, Ivo Marino notifications@github.com wrote:

seems to work now, had to set auth URL to https://deploy.dev.foo.com/ auth/github/callback and mount modified app/config/initializers/ omniauth.rb:/app/config/initializers/omniauth.rb into the container we're I've set OmniAuth.config.full_host = "https://debug.dev.foo.com".

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374319457, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ8GqLG59THUQovGwJUgVX3lcicRfks5tf_o-gaJpZM4Su0TW .

ivomarino commented 6 years ago

@grosser seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks

grosser commented 6 years ago

please post your results here for others with that setup :)

memcached is required atm will be opt-out with CACHE_STORE=memory once https://github.com/zendesk/samson/pull/2657 is merged in-memory store is just fine unless you restart samson a bunch of times :)

On Mon, Mar 19, 2018 at 11:48 AM, Ivo Marino notifications@github.com wrote:

@grosser https://github.com/grosser seems so, I will double check that by printing X-vars then. Thanks for help;) regarding memcached, is it required? thanks

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/zendesk/samson/issues/2654#issuecomment-374323854, or mute the thread https://github.com/notifications/unsubscribe-auth/AAAsZ3qyDZpOWZChmqqernyz-jtoLvU2ks5tf_12gaJpZM4Su0TW .