
Comments (10)

russmac commented on June 2, 2024

Looks like I just need to modify settings.py or set REDIRECT_URI like the other env vars.

https://github.com/lyft/confidant/blob/1.1/confidant/authnz/userauth.py#L126-L127

REDIRECT_URI = str_env('REDIRECT_URI')

Sorry for the spurious report.

from confidant.

russmac commented on June 2, 2024

Still redirects to http instead of https with the REDIRECT_URI env var set. I can see it with ps auxef.

I also hardcoded it in settings.py:

# Google Auth
export REDIRECT_URI='https://confidant.example.com.au'
# The client id and consumer secret from the google developer console.
export GOOGLE_OAUTH_CLIENT_ID='foo.apps.googleusercontent.com'
export GOOGLE_OAUTH_CONSUMER_SECRET='foo'
export GOOGLE_AUTH_EMAIL_SUFFIX='example.com.au'


russmac commented on June 2, 2024

I tcpdumped all outgoing traffic during an attempted login on the confidant box.

As you can see, confidant is ignoring the redirect URI and sending the URI to OAuth with the http scheme (even when it's hardcoded in the redirect()).

SSLify is on of course.

HTTP/1.1 302 Found
Server: gunicorn/19.3.0
Date: Tue, 24 May 2016 21:22:45 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Location: https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=foobar&redirect_uri=http%3A%2F%2Fconfidant.example.com.au%2F&response_type=code&client_id=foobar.apps.googleusercontent.com
Set-Cookie: confidant_session=foobar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Set-Cookie: confidant_session=foo.bar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Content-Length: 0
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'


russmac commented on June 2, 2024

Workaround

I added an 80 -> 80 listener on my ELB and an Nginx forced SSL rewrite.

This requires modifying the OAuth config with the following; OAuth doesn't seem to mind after the initial 302.
###authorized redirect_uri
http://confidant.example.com.au
http://confidant.example.com.au/v1/login
http://confidant.example.com.au/ #note it did not work till I added this URI

###I was able to leave the JS domain to https scheme.

https://confidant.example.com.au/

    server {
        listen 80;
        server_name confidant.example.com.au;
        rewrite ^(.*)$ https://confidant.example.com.au$1;
    }


ryan-lane commented on June 2, 2024

I think you're running into this issue: #50


ryan-lane commented on June 2, 2024

You should be able to either set the FORWARDED_ALLOW_IPS environment variable, or set --forwarded-allow-ips=*. Without doing this, gunicorn will strip the X-Forwarded-* headers, and authomatic won't know it needs to change the protocol.

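The behaviour ryan-lane describes above, as an added example that is not Confidant's or gunicorn's own code: a simplified model of gunicorn's forwarded-header handling. Forwarded headers are honoured only when the immediate peer (REMOTE_ADDR) is in the trusted-proxy allowlist (the `--forwarded-allow-ips` setting); otherwise they are stripped, so an app that derives its OAuth redirect_uri from the request scheme sees plain `http`. The function names, the sample WSGI environ and the addresses are constructed for illustration; the allowlist semantics (comma-separated IPs, or `*` for any peer) follow gunicorn's documented option.

```python
"""Why a TLS-terminating load balancer can yield an http:// redirect_uri.

Added example, not Confidant's or gunicorn's code. It models the behaviour
described in the issue thread: X-Forwarded-* headers are trusted only when
the peer that sent them is in a trusted-proxy allowlist.
"""
from urllib.parse import urlencode


def trust_forwarded_headers(environ, forwarded_allow_ips):
    """Simplified model (assumption) of gunicorn's forwarded-header handling.

    If REMOTE_ADDR is a trusted proxy, honour X-Forwarded-Proto by updating
    wsgi.url_scheme. Otherwise delete every X-Forwarded-* header so that a
    client talking to the app directly cannot spoof scheme or host.
    Returns the (modified) environ.
    """
    peer = environ.get("REMOTE_ADDR", "")
    allowed = {ip.strip() for ip in forwarded_allow_ips.split(",")}
    trusted = forwarded_allow_ips == "*" or peer in allowed
    if trusted:
        # Take the first value if an upstream proxy chain appended several.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
    else:
        for key in [k for k in environ if k.startswith("HTTP_X_FORWARDED_")]:
            del environ[key]
    return environ


def build_redirect_uri(environ, path="/v1/login"):
    """Build the absolute redirect_uri from the scheme and host the app sees."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return f"{environ['wsgi.url_scheme']}://{host}{path}"


def oauth_authorize_location(environ, client_id, forwarded_allow_ips):
    """Return the Location header an app would emit for the OAuth 302."""
    environ = trust_forwarded_headers(dict(environ), forwarded_allow_ips)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": build_redirect_uri(environ),
        "state": "constructed-state",
    }
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode(params)


# Constructed sample: a request that arrived over TLS at the load balancer,
# which terminated TLS and forwarded it to the app over plain HTTP.
PROXIED_REQUEST = {
    "REMOTE_ADDR": "10.0.0.5",          # the ELB's internal address (constructed)
    "SERVER_NAME": "confidant.example.com.au",
    "HTTP_HOST": "confidant.example.com.au",
    "wsgi.url_scheme": "http",          # the ELB -> app hop is plain http
    "HTTP_X_FORWARDED_PROTO": "https",  # added by the ELB
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
}

# Constructed sample: a client that reached the app directly, bypassing the
# load balancer, and supplied its own X-Forwarded-Proto header.
DIRECT_REQUEST = dict(PROXIED_REQUEST, REMOTE_ADDR="203.0.113.7")


if __name__ == "__main__":
    # gunicorn's default allowlist is the loopback address only, so the ELB's
    # headers are stripped and the redirect_uri comes out as http://
    print(oauth_authorize_location(PROXIED_REQUEST, "foo.apps.googleusercontent.com", "127.0.0.1"))
    # Trusting the ELB's address (or "*") makes the app see https://
    print(oauth_authorize_location(PROXIED_REQUEST, "foo.apps.googleusercontent.com", "10.0.0.5"))
```

With the default allowlist the emitted Location carries `redirect_uri=http%3A%2F%2Fconfidant.example.com.au%2Fv1%2Flogin`, which is the symptom in the tcpdump above; with the ELB's address (or `*`) in the allowlist it carries the https form. `*` resolves the issue, but it trusts forwarded headers from any peer that can reach gunicorn, so where the app is reachable other than through the load balancer, listing the proxy's own addresses is the tighter choice.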

russmac commented on June 2, 2024

Thanks Ryan, I'll give it a shot.

Do you accept PRs on the docs? I would like to add this, as the docs recommend a particular way of running gunicorn and also using an ELB, which will not work.


ryan-lane commented on June 2, 2024

Yeah, we're happy to accept PRs on docs without signing our CLA. We're happy to consider all PRs, if you sign the CLA :)


russmac commented on June 2, 2024

Thanks Ryan, I can confirm that --forwarded-allow-ips=* works correctly.

I'll do my best to find time this week to get a PR going. I've found a few things which would definitely help new users.


ryan-lane commented on June 2, 2024

Awesome. Thanks!
