OIDC - redirect URI problem
Hi, unfortunately SSO with OIDC isn't working for me. When I try to sign in using SSO I get an error from the SSO provider that the redirect uri isn't the same as the one I have set up.
It's caused by the fact that Homarr sets the redirect uri as http and not as https. I can't add the http version of the uri to my app config, because the redirect uri "Must start with HTTPS". Is there any way to force homarr to use https even in the redirect uri?
I'm running Homarr 0.15.3 on Ubuntu 22.04 using docker compose.
Thank you for submitting a support request.
Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Have you set up the NEXTAUTH_URL env variable?
if yes then provide more information about your setup, like asked by cakey bot
version: '3'
#---------------------------------------------------------------------#
# Homarr - A simple, yet powerful dashboard for your server. #
#---------------------------------------------------------------------#
services:
  homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/homarr/configs:/app/data/configs
      - /etc/homarr/icons:/app/public/icons
      - /etc/homarr/data:/data
    ports:
      - '7575:7575'
    environment:
      TZ: "Europe/Prague"
      DISABLE_ANALYTICS: "true"
      AUTH_PROVIDER: "oidc,credentials"
      AUTH_OIDC_CLIENT_NAME: "Microsoft"
      AUTH_OIDC_CLIENT_ID: "AAAA"
      AUTH_OIDC_CLIENT_SECRET: "XYYY"
      AUTH_OIDC_URI: "https://login.microsoftonline.com/XXXXX/"
      NEXTAUTH_URL: "https://homarr.example.com"
      AUTH_SESSION_EXPIRY_TIME: "365d"
      BASE_URL: "https://homarr.example.com"
I'm running Homarr 0.15.3 on Ubuntu 22.04 using docker compose.
I have tried this on my PC - Chrome and Edge, phone - Chrome
oh wow, Microsoft as the OIDC provider.
Firstly, I am guessing you actually have a real address for your homarr, for which you own the domain.
if you have setup homarr properly as https and the nextauth_URL, then that address is used as the redirect_URI in the call homarr makes.
that exact same address needs to be given to your SSO provider in the list of accepted redirect_URIs
Yeah, but microsoft forces me to use an https address
And homarr uses the http version of the address
Are you accessing homarr using http?
Yes
Homarr -> NEXTAUTH_URL : https://homarr.domain.tld
SSO -> Redirect URI : https://homarr.domain.tld/api/auth/callback/oidc
Looking at the code, the only way the wrong protocol would be used is for something to be wrong with headers. I'll dig a bit more
Great, thanks
This is a bit weird, there's no reason for you to get the wrong protocol.
This address is built before being sent in the request so the SSO provider should not matter.
The only thing I could see is adding a few more env vars pertaining to nextauth.
NEXTAUTH_SECRET : _whatever_you_wantpassword
NEXTAUTH_URL_INTERNAL : set to same as Nextauth URL
Added them and unfortunately I'm still getting the same error
@Meierschlumpf Any idea? Is Nextauth having a stroke or something?
So, I just tried OIDC with Okta instead of Microsoft. In Okta I am able to add the http version of the url, so I was almost able to login. Saying almost because I kept getting an OAuthCallback error. Using logs in Homarr I found this:
invalid_grant (The 'redirect_uri' does not match the redirection URI used in the authorization request.)
And then in Okta I found that the login uri uses http and then the uri for getting the token uses https.
I am oh so deeply confused now
Same
In any case you shouldn't have to use a different protocol, if your homarr is https, then the redirect URI should be https too.
since the redirect uri is built server side, changing browsers wouldn't change anything.
OH. Could it be the way your proxy manager is configured?
Are you blocking certain headers, or would they be removed by default, by the proxy
Give me a moment to look, as I have no idea
Ok, so I just found out that my VPN comes with a proxy config, so let me check on what rules it uses
Ok so they apparently have no idea, but even after disabling it - not using any proxy at all, the issue is still here
And just to be safe, I have just tried it on a different computer on a different network and still got the same error
I think the only way I see with using microsoft as your auth is making homarr run on https, what is not the case if I understood correctly
For me it is obviously working with http://localhost, but you'll probably use another domain
I have homarr running on https
Okay, let me check the code then, redirect uri we're talking about, right?
Yes
Okay and do you have a proxy that would add headers like x-forwarded-proto?
I don't have a proxy at all
Okay I might have found the issue in our code then, I'll check if there is a good way around this, if so I'll try to publish you a custom image you can try so we are sure it works for you, okay?
Great, thanks!
Okay, I'm currently publishing a new image you'll be able to try out. Not 100% sure if it will resolve your issue, but worth a try. I've added a log statement that should log the protocol it is using and the source of it so we'll be able to investigate further if the issue persists. If we can fix it with that change I did we'll publish it in the upcoming release or you will be able to use it on the dev image once it's merged.
I'll send you the tag once it's ready
Okay the tag would be oidc-redirect-uri-https-problem, good night
Great, thank you, good night
Ok, so I have changed the tag to the new one and unfortunately it still isn't working and here are the logs
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto
homarr | Constructing redirect uri protocol="http" source=x-forwarded-proto (repeated 2 times)
Okay but we now know, that the protocol it is using comes from x-forwarded-proto, which IMO means, that there is some sort of proxy in between that converts your request from https to http
Okay, but I don't use a proxy server, I haven't configured it anywhere and tbh have no idea how to configure it
Is there any way to check if I'm using a proxy or not?
Ok so I just found out what it was, in Apache there was the proxy causing it
Solution
And adding
RequestHeader set X-Forwarded-Proto "https"
to the Apache config has resolved it
Thank you very much for helping me!
Okay so there is no need to publish a new image if I understand correctly as x-forwarded-proto is now used anyway. Perfect, have a nice day!
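The fix from the accepted solution shown in context, as an added example that is not part of the original thread or of Homarr's documentation. The virtual host layout, the certificate paths (placeholders) and the 127.0.0.1:7575 upstream are assumptions based on the compose file above; only the RequestHeader line comes from the thread.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be enabled.
<VirtualHost *:443>
    # Public name; must match NEXTAUTH_URL / BASE_URL in the compose file.
    ServerName homarr.example.com

    # TLS terminates here, so the hop to the container is plain http.
    SSLEngine on
    # Placeholder paths, replace with your own certificate and key.
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Pass the original Host header so the app sees homarr.example.com,
    # not 127.0.0.1:7575.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:7575/
    ProxyPassReverse / http://127.0.0.1:7575/

    # Without this line the backend only sees an http request and builds
    # http://homarr.example.com/api/auth/callback/oidc as redirect_uri,
    # which the identity provider rejects.
    #
    # "set" replaces any X-Forwarded-Proto value sent by the client, so the
    # scheme the app trusts is decided by this proxy and not by the browser.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The redirect URI registered with the identity provider stays https://homarr.example.com/api/auth/callback/oidc; only the scheme the application derives from the proxied request changes.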