Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

redirect_uri in redirects' targetUrl not returning https #436

Open
tacman opened this issue Feb 20, 2024 · 7 comments · May be fixed by #438
Open

redirect_uri in redirects' targetUrl not returning https #436

tacman opened this issue Feb 20, 2024 · 7 comments · May be fixed by #438

Comments

@tacman
Copy link
Contributor

tacman commented Feb 20, 2024

After too many hours of hacking, I discovered that the redirect that comes back is sometimes using http, not https.

Curiously, for me it's happening on production, but not locally.

Here's my solution, but surely there's a better way.

        $client = $this->clientRegistry->getClient($clientKey); // key used in config/packages/knpu_oauth2_client.yaml
        $redirect = $client->redirect($scopes[$clientKey] ?? [], ['state' => $client->getOAuth2Provider()->getState()]);
        // assert(str_starts_with('https://', $redirect->getTargetUrl());
        $redirect->setTargetUrl(str_replace('http%3A', 'https%3A', $redirect->getTargetUrl()));
        return $redirect;
@tacman tacman changed the title redirect not returning https redirect targetUrl not returning https Feb 20, 2024
@tacman tacman mentioned this issue Feb 20, 2024
Open
@bocharsky-bw
Copy link
Member

Hey @tacman , isn't the target URL is something that should be specified on the third-party provider side? I.e. in the GitHub/Facebook/Google app configuration? To me it sounds like you specify redirect URL with http instead of https that might be kind of OK if we're talking about debugging/development. Or could please link to the code where we force this http on our side?

@tacman
Copy link
Contributor Author

tacman commented Feb 21, 2024

I'll dig in some more to reproduce it. I'm just setting the path, but it looks like it should return https.

Question: What do you use to test logging in with google? I can't put https://oauth-demo.wip in as the redirect URL, so I probably need to set up some sort of proxy that redirects to my local machine.

@bocharsky-bw
Copy link
Member

Ngrok should help with forwarding a temporary real URL to your localhost app - that's good for debugging and development, but there're also many alternatives to ngrok over the internet.

@tacman
Copy link
Contributor Author

tacman commented Feb 25, 2024

Thanks. No matter what I do, I can't get login with Google to work.

Using ngrok, I get through authorizing my account, then when it redirects back, I get

Error fetching OAuth credentials: "redirect_uri_mismatch".

The ngrok logs

                                                                                                                                           
GET /auth/connect/controller/google 403 Forbidden                                                                                                                                             
GET /auth/social_login/google       200 OK                                                                                                                                                    
GET /auth/social_login/google       500 Internal Server Error

The PHP logs

[Application] Feb 25 16:53:29 |DEBUG  | APP    Notified event "Symfony\Component\Security\Http\Event\LoginFailureEvent" to listener "Symfony\Component\Security\Http\EventListener\RememberMeListener::clearCookie". event="Symfony\\Component\\Security\\Http\\Event\\LoginFailureEvent" listener="Symfony\\Component\\Security\\Http\\EventListener\\RememberMeListener::clearCookie"
[Application] Feb 25 16:53:29 |DEBUG  | SECURI The "Survos\AuthBundle\Security\Authenticator" authenticator set the response. Any later authenticator will not be called authenticator="Survos\\AuthBundle\\Security\\Authenticator"
[PHP        ] [Sun Feb 25 10:53:29 2024] 127.0.0.1:34590 [403]: GET /auth/connect/controller/google?state=d0223926fa02e06844a7ebdb4cc29556&code=4%2F0AeaYSHD_Bgaedg32IMV_wzsCtCmDHgn3GfPNhDH0_7ymuoNIxh-EOXik6AVCugeLWfwBeA&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent
[PHP        ] [Sun Feb 25 10:53:29 2024] 127.0.0.1:34590 Closing
[Web Server ] Feb 25 10:53:29 |WARN   | SERVER GET  (403) /auth/connect/controller/google?state=d0223926fa02e06844a7ebdb4cc29556&code=4%2F0AeaYSHD_Bgaedg32IMV_wzsCtCmDHgn3GfPNhDH0_7ymuoNIxh-EOXik6AVCugeLWfwBeA&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent ip="127.0.0.1"

image

Alas, I'm stuck and don't know how to debug this. It's not making it to "connect", as I have a dd() there, so it must be generating that error within a listener.

https://c388-187-244-120-218.ngrok-free.app/auth/connect/controller/google?state=d0223926fa02e06844a7ebdb4cc29556&code=4%2F0AeaYSHAxaiMhMiQqSTQSig2fMAcKC831jGmrMPd7s_M_7tgOecXKbN-VQHdn8Fg9AWUx8A&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=consent

                                Any suggestions?  Or even pointing me to a working github repo, I'll clone it and add my own keys just to get something to work.

Thanks.

@tacman
Copy link
Contributor Author

tacman commented Feb 25, 2024
edited

I think I've figured it out. Related to symfony/symfony#37980.

Once I added TRUSTED_PROXIES, not only did I get the debug toolbar but my redirect was correct and I logged in locally as expected!

@tacman tacman closed this as completed Feb 25, 2024
@tacman tacman reopened this Feb 27, 2024
@tacman
Copy link
Contributor Author

tacman commented Feb 27, 2024

After an embarrassingly long time investigating, the issue is somewhere in here, AbstractProvider.php

    public function createProvider($class, array $options, ?string $redirectUri = null, array $redirectParams = [], array $collaborators = [])
    {
        if (null !== $redirectUri) {
            $redirectUri = $this->generator
                ->generate($redirectUri, $redirectParams, UrlGeneratorInterface::ABSOLUTE_URL);

            $options['redirectUri'] = $redirectUri;
        }

The generator at this point is CompiledUrlGenerator, which generates http rather than https.

Any suggestions?

@tacman tacman changed the title redirect targetUrl not returning https redirect_uri in redirects' targetUrl not returning https Feb 27, 2024
@tacman
Copy link
Contributor Author

tacman commented Feb 27, 2024

My solution is to force https

    /**
     * Creates a provider of the given class.
     *
     * @param string $class
     */
    public function createProvider($class, array $options, ?string $redirectUri = null, array $redirectParams = [], array $collaborators = [])
    {
        if (null !== $redirectUri) {
            $redirectUri = $this->generator
                ->generate($redirectUri, $redirectParams, UrlGeneratorInterface::ABSOLUTE_URL);
            $redirectUri = str_replace('http:','https:', $redirectUri);

            $options['redirectUri'] = $redirectUri;
        }

        return new $class($options, $collaborators);
    }

There's likely a better way, but I don't know what it is.

@tacman tacman linked a pull request Feb 27, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

force https in redirectUrl tacman/oauth2-client-bundle
2 participants
@tacman @bocharsky-bw