Comments (10)
Looks like I just need to modify settings.py or set REDIRECT_URI like the other env vars.
https://github.com/lyft/confidant/blob/1.1/confidant/authnz/userauth.py#L126-L127
confidant/confidant/settings.py, line 75 in 4412f71
Sorry for the spurious report.
from confidant.
Still redirects to http instead of https with the REDIRECT_URI env var set. I can see it with ps auxef.
I also hardcoded it in settings.py.
# Google Auth
export REDIRECT_URI='https://confidant.example.com.au'
# The client id and consumer secret from the google developer console.
export GOOGLE_OAUTH_CLIENT_ID='foo.apps.googleusercontent.com'
export GOOGLE_OAUTH_CONSUMER_SECRET='foo'
export GOOGLE_AUTH_EMAIL_SUFFIX='example.com.au'
from confidant.
I tcpdumped all outgoing traffic during an attempted login on the confidant box.
As you can see, confidant is ignoring the redirect URI and sending the URI to OAuth with the http scheme (even when it's hardcoded in the redirect()).
SSLify is on, of course.
HTTP/1.1 302 Found
Server: gunicorn/19.3.0
Date: Tue, 24 May 2016 21:22:45 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Location: https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=foobar&redirect_uri=http%3A%2F%2Fconfidant.example.com.au%2F&response_type=code&client_id=foobar.apps.googleusercontent.com
Set-Cookie: confidant_session=foobar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Set-Cookie: confidant_session=foo.bar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Content-Length: 0
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
from confidant.
Workaround
I added an 80 -> 80 listener on my ELB and an Nginx forced SSL rewrite.
This requires modifying the OAuth settings with the following; OAuth doesn't seem to mind after the initial 302.
### authorized redirect_uri
http://confidant.example.com.au
http://confidant.example.com.au/v1/login
http://confidant.example.com.au/  # note: it did not work till I added this URI
### I was able to leave the JS domain on the https scheme.
https://confidant.example.com.au/
server {
    listen 80;
    server_name confidant.example.com.au;
    # send every plain-http request to the same path over https
    rewrite ^(.*)$ https://confidant.example.com.au$1;
}
from confidant.
I think you're running into this issue: #50
from confidant.
You should be able to either set the FORWARDED_ALLOW_IPS environment variable, or set --forwarded-allow-ips=*. Without doing this, gunicorn will strip the X-Forwarded-* headers, and authomatic won't know it needs to change the protocol.
from confidant.
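The comment above describes the mechanism behind the http redirect_uri: TLS terminates at the ELB, the proxy tells gunicorn about it via X-Forwarded-Proto, and gunicorn only passes that header through when the peer address is in its forwarded-allow-ips list. The following is an added example (not code from confidant, gunicorn or authomatic) that models that decision in a few lines so you can see which combinations of peer address and allow list produce an https redirect_uri. The function names, the `parse_allow_list` sentinel and the sample request headers are assumptions constructed for the example; CIDR support in the allow list is part of the model, not a claim about gunicorn's parser.

```python
"""Model of how a proxied WSGI server decides whether to trust X-Forwarded-Proto.

Added example, not gunicorn's or confidant's source. It shows why the
redirect_uri in this thread came out as http (the proxy's header was dropped)
and what an allow list of the proxy's own addresses buys you over '*'.
"""
import ipaddress
from typing import List, Mapping, Optional

# gunicorn's documented default for forwarded-allow-ips
DEFAULT_ALLOW = "127.0.0.1"

# Constructed sample: what the ELB would send gunicorn after terminating TLS.
ELB_PEER = "10.0.1.20"          # hypothetical ELB-side address seen by gunicorn
ELB_HEADERS = {
    "Host": "confidant.example.com.au",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-For": "198.51.100.7",
}


def parse_allow_list(value: str) -> Optional[List[ipaddress._BaseNetwork]]:
    """Parse a FORWARDED_ALLOW_IPS-style value.

    Returns None for '*' (trust every peer), otherwise a list of networks.
    Single addresses become /32 or /128 networks.
    """
    value = value.strip()
    if value == "*":
        return None
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def peer_is_trusted(remote_addr: str, allow: Optional[List[ipaddress._BaseNetwork]]) -> bool:
    """A peer is trusted if the allow list is '*' or contains its address."""
    if allow is None:
        return True
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in allow)


def effective_scheme(remote_addr: str, headers: Mapping[str, str],
                     allow: Optional[List[ipaddress._BaseNetwork]],
                     transport_scheme: str = "http") -> str:
    """Scheme the application will see for this request.

    X-Forwarded-Proto is honoured only from a trusted peer; from anyone else it
    is ignored (the equivalent of gunicorn stripping it) and the scheme falls
    back to the transport scheme, which is plain http behind a TLS-terminating ELB.
    """
    if not peer_is_trusted(remote_addr, allow):
        return transport_scheme
    lowered = {k.lower(): v for k, v in headers.items()}
    proto = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else transport_scheme


def build_redirect_uri(remote_addr: str, headers: Mapping[str, str],
                       allow_value: str, path: str = "/",
                       transport_scheme: str = "http") -> str:
    """Compose the redirect_uri an OAuth library would derive from the request."""
    allow = parse_allow_list(allow_value)
    scheme = effective_scheme(remote_addr, headers, allow, transport_scheme)
    host = {k.lower(): v for k, v in headers.items()}.get("host", "localhost")
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    for label, allow_value, peer in [
        ("default (127.0.0.1)", DEFAULT_ALLOW, ELB_PEER),
        ("allow '*'", "*", ELB_PEER),
        ("allow ELB subnet", "10.0.0.0/8", ELB_PEER),
        ("allow ELB subnet, header from untrusted peer", "10.0.0.0/8", "203.0.113.5"),
    ]:
        print(f"{label:48} -> {build_redirect_uri(peer, ELB_HEADERS, allow_value)}")
```

With the default allow list the ELB's header is dropped and the redirect_uri is `http://confidant.example.com.au/`, which is exactly the Location header captured earlier in the thread. `--forwarded-allow-ips=*` fixes it, but so does listing only the subnet the load balancer connects from; the last case shows that with the narrower list an X-Forwarded-Proto header from any other peer is ignored, which is the behaviour you want when gunicorn is reachable from anything other than the proxy.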
Thanks Ryan, I'll give it a shot.
Do you accept PRs on the docs? I would like to add this, as the docs recommend a particular way of running gunicorn and also using an ELB, which will not work.
from confidant.
Yeah, we're happy to accept PRs on docs without signing our CLA. We're happy to consider all PRs, if you sign the CLA :)
from confidant.
Thanks Ryan, I can confirm the --forwarded-allow-ips=* works correctly.
I'll do my best to find time this week to get a PR going. I've found a few things which would definitely help new users.
from confidant.
Awesome. Thanks!
from confidant.