Homarr, 3mo ago
Maty

OIDC - redirect URI problem

Hi, unfortunately SSO with OIDC isn't working for me. When I try to sign in using SSO I get an error from the SSO provider that the redirect uri isn't the same as the one I have set up. It's caused by the fact that Homarr sets the redirect uri as http and not as https. I can't add the http version of the uri to my app config, because the redirect uri "Must start with HTTPS". Is there any way to force homarr to use https even in the redirect uri? I'm running Homarr 0.15.3 on Ubuntu 22.04 using docker compose.
Solution:
And adding RequestHeader set X-Forwarded-Proto "https" to the Apache config has resolved it
35 Replies
Cakey Bot, 3mo ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Serenaphic, 3mo ago
Have you set up the NEXTAUTH_URL env variable? If yes, then provide more information about your setup, like asked by Cakey Bot.
Maty (OP), 3mo ago
```yaml
version: '3'
#---------------------------------------------------------------------#
#     Homarr - A simple, yet powerful dashboard for your server.     #
#---------------------------------------------------------------------#
services:
  homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/homarr/configs:/app/data/configs
      - /etc/homarr/icons:/app/public/icons
      - /etc/homarr/data:/data
    ports:
      - '7575:7575'
    environment:
      TZ: "Europe/Prague"
      DISABLE_ANALYTICS: "true"
      AUTH_PROVIDER: "oidc,credentials"
      AUTH_OIDC_CLIENT_NAME: "Microsoft"
      AUTH_OIDC_CLIENT_ID: "AAAA"
      AUTH_OIDC_CLIENT_SECRET: "XYYY"
      AUTH_OIDC_URI: "https://login.microsoftonline.com/XXXXX/"
      NEXTAUTH_URL: "https://homarr.example.com"
      AUTH_SESSION_EXPIRY_TIME: "365d"
      BASE_URL: "https://homarr.example.com"
```
I'm running Homarr 0.15.3 on Ubuntu 22.04 using docker compose.
I have tried this on my PC - Chrome and Edge, phone - Chrome
Serenaphic, 3mo ago
Oh wow, Microsoft as the OIDC provider. Firstly, I am guessing you actually have a real address for your homarr, for which you own the domain. If you have set up homarr properly as https and the NEXTAUTH_URL, then that address is used as the redirect_URI in the call homarr makes. That exact same address needs to be given to your SSO provider in the list of accepted redirect_URIs.
Maty (OP), 3mo ago
Yeah, but Microsoft forces me to use an https address
And homarr uses the http version of the address
Serenaphic, 3mo ago
Are you accessing homarr using http?
Maty (OP), 3mo ago
Yes
Serenaphic, 3mo ago
Looking at the code, the only way the wrong protocol would be used is for something to be wrong with headers. I'll dig a bit more
Maty (OP), 3mo ago
Great, thanks
Serenaphic, 3mo ago
This is a bit weird, there's no reason for you to get the wrong protocol. This address is built before being sent in the request so the SSO provider should not matter. The only thing I could see is adding a few more env vars pertaining to nextauth.
NEXTAUTH_SECRET : _whatever_you_wantpassword
NEXTAUTH_URL_INTERNAL : set to same as Nextauth URL
Maty (OP), 3mo ago
Added them and unfortunately I'm still getting the same error
Serenaphic, 3mo ago
@Meierschlumpf Any idea? Is Nextauth having a stroke or something?
Maty (OP), 3mo ago
So, I just tried OIDC with Okta instead of Microsoft. In Okta I am able to add the http version of the url, so I was almost able to log in. Saying almost because I kept getting an OAuthCallback error. Using logs in Homarr I found this:
invalid_grant (The 'redirect_uri' does not match the redirection URI used in the authorization request.)
And then in Okta I found that the login uri uses http and then the uri for getting the token uses https.
Serenaphic, 3mo ago
I am oh so deeply confused now
Maty (OP), 3mo ago
Same
Serenaphic, 3mo ago
In any case you shouldn't have to use a different protocol, if your homarr is https, then the redirect URI should be https too. Since the redirect uri is built server side, changing browsers wouldn't change anything.
OH. Could it be the way your proxy manager is configured? Are you blocking certain headers, or would they be removed by default, by the proxy?
Maty (OP), 3mo ago
Give me a moment to look, as I have no idea
Ok, so I just found out that my VPN comes with a proxy config, so let me check on what rules it uses
Ok so they apparently have no idea, but even after disabling it - not using any proxy at all, the issue is still here
And just to be safe, I have just tried it on a different computer on a different network and still got the same error
Meierschlumpf, 3mo ago
I think the only way I see with using Microsoft as your auth is making homarr run on https, which is not the case if I understood correctly
For me it is obviously working with http://localhost, but you'll probably use another domain
Maty (OP), 3mo ago
I have homarr running on https
Meierschlumpf, 3mo ago
Okay, let me check the code then, redirect uri we're talking about, right?
Maty (OP), 3mo ago
Yes
Meierschlumpf, 3mo ago
Okay and do you have a proxy that would add headers like x-forwarded-proto?
Maty (OP), 3mo ago
I don't have a proxy at all
Meierschlumpf, 3mo ago
Okay, I might have found the issue in our code then. I'll check if there is a good way around this; if so, I'll try to publish a custom image you can try so we are sure it works for you, okay?
Maty (OP), 3mo ago
Great, thanks!
Meierschlumpf, 3mo ago
Okay, I'm currently publishing a new image you'll be able to try out. Not 100% sure if it will resolve your issue, but worth a try. I've added a log statement that should log the protocol it is using and the source of it so we'll be able to investigate further if the issue persists. If we can fix it with that change I did, we'll publish it in the upcoming release or you will be able to use it on the dev image once it's merged.
I'll send you the tag once it's ready
Okay the tag would be oidc-redirect-uri-https-problem, good night
Maty (OP), 3mo ago
Great, thank you, good night
Ok, so I have changed the tag to the new one and unfortunately it still isn't working and here are the logs
```
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto (repeated 2 times)
```
Meierschlumpf, 3mo ago
Okay but we now know, that the protocol it is using comes from x-forwarded-proto, which IMO means, that there is some sort of proxy in between that converts your request from https to http
Maty (OP), 3mo ago
Okay, but I don't use a proxy server, I haven't configured it anywhere and tbh have no idea how to configure it
Is there any way to check if I'm using a proxy or not?
Ok so I just found out what it was, in Apache there was the proxy causing it
Solution
Maty, 3mo ago
And adding RequestHeader set X-Forwarded-Proto "https" to the Apache config has resolved it
Maty (OP), 3mo ago
Thank you very much for helping me!
Meierschlumpf, 3mo ago
Okay so there is no need to publish a new image if I understand correctly as x-forwarded-proto is now used anyway. Perfect, have a nice day!