C
C#•7mo ago
Brokemia

OAuth reporting bad redirect uri but only after redirect

I have a blazor app with OAuth through Discord and Google. I have this working locally fine, and I'm trying to move this to a server to deploy it. Problem is, I'm getting an error when Google/Discord redirects me back to my site. On the browser, I just see a 500 error, and in my logs I get this:
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HN4BDNS95F1R", Request id "0HN4BDNS95F1R:00000001": An unhandled exception was thrown by the application.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: OAuth token endpoint failure: redirect_uri_mismatch;Description=Bad Request
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HN4BDNS95F1R", Request id "0HN4BDNS95F1R:00000001": An unhandled exception was thrown by the application.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> Microsoft.AspNetCore.Authentication.AuthenticationFailureException: OAuth token endpoint failure: redirect_uri_mismatch;Description=Bad Request
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
This looks a lot like what you'd expect to get if your redirect url wasn't specified right in the configurations for each site, but I've checked very carefully. Also, when I previously hadn't put in the url yet, it was stopping me before I could even try to sign in. Does anyone know what I'm missing here?
45 Replies
Brokemia
BrokemiaOP•7mo ago
It might be relevant that I previously had an issue where the redirect url was being passed with http rather than https and I fixed that with:
app.UseForwardedHeaders(new ForwardedHeadersOptions {
ForwardedHeaders = ForwardedHeaders.XForwardedProto
});
app.UseForwardedHeaders(new ForwardedHeadersOptions {
ForwardedHeaders = ForwardedHeaders.XForwardedProto
});
tera
tera•7mo ago
tried ForwardedHeaders.All instead?
Brokemia
BrokemiaOP•7mo ago
That didn't seem to change anything What's that change supposed to be doing
tera
tera•7mo ago
if your app is running behind a reverse proxy it sees connections from proxy, not real client so proxy forwards information about IP, protocol, path,.. via headers X-Forwarded-For/Proto/... so you need to configure your app to consume those headers and interpret them as if its original value of request that could be one of reasons why local works and deployed does not - if its not configured properly you didnt mention reverse proxy but i assumed since you posted that snippet since redirect URL gets constructed by information from the request
Brokemia
BrokemiaOP•7mo ago
That's correct, yeah
tera
tera•7mo ago
another thing is. you need to configure your reverse proxy too. to set those headers nginx you need to explicitly configure caddy not depends which you use
Brokemia
BrokemiaOP•7mo ago
These proxy_set_header things presumably help with that. I got those from a documentation article on deploying asp.net core apps
No description
Brokemia
BrokemiaOP•7mo ago
It's very possible I missed something though
Brokemia
BrokemiaOP•7mo ago
Is there a way I can get some debug info on what the headers are that I'm actually receiving
tera
tera•7mo ago
maybe turning up logs could help to debug or something i dont remember how i debugged this do you have code public? or can at least share where you configure auth all related
Brokemia
BrokemiaOP•7mo ago
GitHub
GitHub - Brokemia/.NET-CrowdDoc
Contribute to Brokemia/.NET-CrowdDoc development by creating an account on GitHub.
Brokemia
BrokemiaOP•7mo ago
It's not quite updated, let me push Pushed
tera
tera•7mo ago
maybe inspect network tab in browser it should show a redirect param in some request compare what it is and if it should be that probably need to enable preserve logs option too
Brokemia
BrokemiaOP•7mo ago
I'm not seeing anything obviously wrong. The url for google oauth has redirect_uri=https%3A%2F%2Fbrokemia.dev%2Fsignin-google in it, which matches what I'd expect, but I'm not sure that's what's being looked for Where's that?
Brokemia
BrokemiaOP•7mo ago
I turned all the logging up to debug and got this, which doesn't seem much more informative (I censored part of the returned url because I'm not sure if it's sensitive info)
No description
Brokemia
BrokemiaOP•7mo ago
Hmm, actually, it does say http, which is weird
tera
tera•7mo ago
i meant in browser dev tools yep thats most likely issue DUH place proxy_pass line as last in that block in nginx conf pretty sure that might exit early at that
Brokemia
BrokemiaOP•7mo ago
Like this?
No description
tera
tera•7mo ago
yea
Brokemia
BrokemiaOP•7mo ago
Doesn't seem to have changed anything I made sure to restart both nginx and my app after changing that
tera
tera•7mo ago
Server Fault
Nginx config order of operations
Apologies if this is answered or documented already but I was confused on this so I'm hoping the community can provide some insight. The below example is specifically for proxy_pass and proxy_set_h...
tera
tera•7mo ago
curious.. how are your proxy and app running. both on same host? container? might need to set knownproxies/knownnetwork in usefowrardedheaders call
Brokemia
BrokemiaOP•7mo ago
Both on the same host
tera
tera•7mo ago
no containers?
Brokemia
BrokemiaOP•7mo ago
Nope
tera
tera•7mo ago
directly on host? ok then nevermind that
Brokemia
BrokemiaOP•7mo ago
Well, it's a VPS if that affects things But no containers that I'm managing or anything
tera
tera•7mo ago
nah all good idea. shut down app. type nc -lvk 5000 (it will wait for data) make any request to your page what does it receive share if you can
Brokemia
BrokemiaOP•7mo ago
GET /Account/Login HTTP/1.0
Host: brokemia.dev
X-Forwarded-Proto: https
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Microsoft Edge";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: <idk if this is sensitive>
GET /Account/Login HTTP/1.0
Host: brokemia.dev
X-Forwarded-Proto: https
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Microsoft Edge";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: <idk if this is sensitive>
tera
tera•7mo ago
ok that means reverse proxy works... X forwarded proto set properly
Brokemia
BrokemiaOP•7mo ago
Worth noting I was midway through testing commenting out various bits so the config is like this
No description
Brokemia
BrokemiaOP•7mo ago
I can uncomment everything and retry if it matters
tera
tera•7mo ago
its ok no need for me so its app config hm 😄 im lost
Brokemia
BrokemiaOP•7mo ago
This has been at least somewhat helpful in figuring out what part of this actually is having the issue
tera
tera•7mo ago
@Brokemia try put UseForwardedHeaders at the top after building the app
Brokemia
BrokemiaOP•7mo ago
Like right here?
No description
tera
tera•7mo ago
da Forwarded Headers Middleware should run before other middleware. This ordering ensures that the middleware relying on forwarded headers information can consume the header values for processing. To run Forwarded Headers Middleware after diagnostics and error handling middleware, see Forwarded Headers Middleware order. https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-8.0
Brokemia
BrokemiaOP•7mo ago
Doesn't seem to have worked. One thing I noticed, is that with some of the requests blazor is using, the "Request starting" message has http and the "Request finished" message has https
Brokemia
BrokemiaOP•7mo ago
No description
No description
Brokemia
BrokemiaOP•7mo ago
Got a slightly better clue of what's happening. I saw this app.Use thing in the article you mentioned and tried to do some logging with it
No description
Brokemia
BrokemiaOP•7mo ago
It seems like for the signin-google endpoint, the app.Use logs are never actually happening, and presumably neither is the header forwarding I think the oauth library is putting its handling of that endpoint before any of the middleware I can add myself Figured it out! Apparently, I can add app.UseAuthentication(); to choose where the authentication middleware runs. I put it right after the header forwarding and it works now
tera
tera•7mo ago
Nice! yeah middleware order is important 😄
Brokemia
BrokemiaOP•7mo ago
I didn't have it at all before, so I had no idea I needed it until I found some docs that mentioned it
tera
tera•7mo ago
OH yea that totally makes sense now
Want results from more Discord servers?
Add your server