OAuth reporting bad redirect uri but only after redirect
I have a Blazor app with OAuth through Discord and Google. I have this working locally fine, and I'm trying to move this to a server to deploy it. Problem is, I'm getting an error when Google/Discord redirects me back to my site. In the browser, I just see a 500 error, and in my logs I get this:
This looks a lot like what you'd expect to get if your redirect url wasn't specified right in the configurations for each site, but I've checked very carefully. Also, when I previously hadn't put in the url yet, it was stopping me before I could even try to sign in.
Does anyone know what I'm missing here?
It might be relevant that I previously had an issue where the redirect url was being passed with http rather than https and I fixed that with:
tried ForwardedHeaders.All instead?
That didn't seem to change anything
What's that change supposed to be doing?
if your app is running behind a reverse proxy
it sees connections from the proxy, not the real client
so the proxy forwards information about IP, protocol, path, ... via headers
X-Forwarded-For/Proto/...
so you need to configure your app to consume those headers and interpret them as if they were the original values of the request
that could be one of the reasons why local works and deployed does not, if it's not configured properly
you didn't mention a reverse proxy but I assumed one since you posted that snippet
since the redirect URL gets constructed from information in the request
That's correct, yeah
another thing is, you need to configure your reverse proxy too, to set those headers
nginx you need to explicitly configure
caddy you don't
depends which you use
These proxy_set_header things presumably help with that. I got those from a documentation article on deploying ASP.NET Core apps. It's very possible I missed something though.
Install Nginx and configure it as a reverse proxy server - ASP.NET Core (this article describes how to install Nginx and configure it as a reverse proxy server)
Is there a way I can get some debug info on what headers I'm actually receiving?
maybe turning up logs could help
to debug or something
I don't remember how I debugged this
do you have code public?
or can at least share where you configure auth
all related
GitHub - Brokemia/.NET-CrowdDoc
It's not quite updated, let me push
Pushed
maybe inspect the network tab in the browser, it should show a redirect param in some request
compare what it is and whether it should be that
probably need to enable the preserve logs option too
I'm not seeing anything obviously wrong. The url for google oauth has
redirect_uri=https%3A%2F%2Fbrokemia.dev%2Fsignin-google
in it, which matches what I'd expect, but I'm not sure that's what's being looked for
Where's that? I turned all the logging up to debug and got this, which doesn't seem much more informative (I censored part of the returned url because I'm not sure if it's sensitive info)
Hmm, actually, it does say http, which is weird
I meant in the browser dev tools
yep, that's most likely the issue
DUH
place the proxy_pass line last
in that block in the nginx conf
pretty sure it might exit early at that
Like this?
yea
Doesn't seem to have changed anything
I made sure to restart both nginx and my app after changing that
yea.. never mind that 😬
https://serverfault.com/questions/1120567/nginx-config-order-of-operations
Server Fault: Nginx config order of operations
curious.. how are your proxy and app running? both on the same host? container?
might need to set KnownProxies/KnownNetworks in the UseForwardedHeaders call
Both on the same host
no containers?
Nope
directly on host?
ok
then never mind that
Well, it's a VPS if that affects things
But no containers that I'm managing or anything
nah all good
idea: shut down the app, type
nc -lvk 5000 (it will wait for data)
make any request to your page
what does it receive?
share if you can
ok that means the reverse proxy works...
X-Forwarded-Proto is set properly
Worth noting I was midway through testing commenting out various bits so the config is like this
I can uncomment everything and retry if it matters
it's ok, no need for me
so it's app config
hm 😄 I'm lost
This has been at least somewhat helpful in figuring out what part of this actually is having the issue
@Brokemia try putting UseForwardedHeaders at the top, after building the app
Like right here?
yes
Forwarded Headers Middleware should run before other middleware. This ordering ensures that the middleware relying on forwarded headers information can consume the header values for processing. To run Forwarded Headers Middleware after diagnostics and error handling middleware, see Forwarded Headers Middleware order.
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-8.0
Doesn't seem to have worked.
One thing I noticed is that with some of the requests Blazor is using, the "Request starting" message has http and the "Request finished" message has https
Got a slightly better clue of what's happening. I saw this app.Use thing in the article you mentioned and tried to do some logging with it
It seems like for the signin-google endpoint, the app.Use logs are never actually happening, and presumably neither is the header forwarding
I think the oauth library is putting its handling of that endpoint before any of the middleware I can add myself
Figured it out!
Apparently, I can add
app.UseAuthentication();
to choose where the authentication middleware runs. I put it right after the header forwarding and it works now
Nice!
yeah middleware order is important 😄
I didn't have it at all before, so I had no idea I needed it until I found some docs that mentioned it
OH
yea that totally makes sense now