
redirect_uri protocol issue #12

Open
sugarfunk opened this issue Dec 2, 2023 · 15 comments

@sugarfunk

I am running into the same issue as #6 but am not able to resolve it with the same troubleshooting. No matter what I do, OAuth is using http and thus failing.

My Docker Compose

version: '3.9'
services:
  grist-omnibus:
    image: gristlabs/grist-omnibus:latest
    container_name: grist
    volumes:
      - '/home/username/docker/grist/data:/persist'
    environment:
      - PASSWORD=redacted
      - EMAIL=redacted
      - TEAM=redacted
      - 'URL=https://grist.redacted'
      - 'HTTPS=external'
    ports:
      - '9999:80'

Loads fine, but after clicking login with email I get this.
[screenshot]

and here is the related log/error

2023-12-02 21:58:03.479 - debug: Auth[GET]: grist.redacted.com / customHostSession=, method=GET, host=grist.redacted.com, path=/, org=redacted, email=anon@getgrist.com, userId=1, altSessionId=dcS1dKfetP9AjFutPaKBpS
2023-12-02 21:58:03.480 - debug: Authorizer: redirecting to sign up
time="2023-12-02T21:58:03Z" level=warning msg="You are using "secure" cookies for a request that was not received via https. You should either redirect to https or pass the "insecure-cookie" config option to permit cookies via http." handler=Auth host=grist.redacted.com method=GET proto=http rule=default source_ip=172.31.0.1 uri="/auth/login?next=%2F"
time="2023-12-02T21:58:05Z" level=error msg="Failed to parse authorization request: Unregistered redirect_uri ("http://grist.redacted.com/_oauth\")."

@dsagal
Member

dsagal commented Dec 3, 2023

I think the key difference is the value of the HTTPS variable. With auto or manual, traefik will terminate SSL, i.e. handle https connections. With external, it assumes something else (in front of traefik?) terminates SSL. But that part isn't addressed in #6 -- maybe some other step is needed (like telling traefik to respect X-Forwarded-Proto header)?

Could you share the details of what's handling HTTPS in your setup?

@sugarfunk
Author

@dsagal thanks for replying.

Yes, I already have Traefik on a different box handling traffic and certs. I also tried the forward proto.

So I connect over https just fine with this setup. There is no issue until I click one of the three login options (Login with email, Google, MS). That's when the http error pops up.

@dsagal
Member

dsagal commented Dec 4, 2023 via email

@sugarfunk
Author

sugarfunk commented Dec 4, 2023 via email

@magixus

magixus commented Dec 22, 2023

I'm having this issue as well, and I have the same setup as #6 except HTTPS=external, because I am running nginx and letsencrypt on the host. Setting HTTPS to auto also results in the same issue.

And if you try to change the redirect_uri, you'll get the following error:

time="2023-12-22T17:44:49Z" level=error msg="Code exchange failed with provider" error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_request\",\"error_description\":\"redirect_uri did not match URI from initial request.\"}" handler=AuthCallback host=domain.ltd method=GET proto=http rule=default source_ip=x.x.x.x uri="/_oauth?code=iqvpghcrhic3etzdemsh5dvyz&state=2837200e1ebb3488c6ca01f43bd999c4%3Aoidc%3Ahttps%3A%2F%2Fdomain.ltd%2Fauth%2Flogin"

@nasmi3

nasmi3 commented Jan 9, 2024

Hi,
I have a fresh install of Grist omnibus and also get the same issue. As @magixus explained, changing the uri manually in the url does not solve the problem.
The problem happens with both the HTTPS env variable on external and auto.

@dsagal
Member

dsagal commented Jan 10, 2024

I found the issue, and have PR #13 that addresses it. You can give it a shot as follows:

I'd appreciate your feedback on whether it is indeed sufficient for your setup.

@dsagal
Member

dsagal commented Jan 15, 2024

The latest docker image includes the fix. The README includes these updated instructions for when running behind another reverse proxy:

If you run the omnibus behind a separate reverse proxy that terminates SSL, then you should set HTTPS=external, and set an additional environment variable TRUSTED_PROXY_IPS to the IP address or IP range of the proxy. This may be a comma-separated list, e.g. 127.0.0.1/32,192.168.1.7. See Traefik's forwarded headers.

@ibarot1981

Hi,

I have npm on a separate host where I am terminating SSL.

My env variables:
URL = https://grist.domain.tld
HTTPS = external
TRUSTED_PROXY_IPS = <ip_of_npm>

When I start the container, I get the following error in the logs:

info [grist-omnibus] Checking dex... at https://grist..tld/dex/.well-known/openid-configuration
debug [grist-omnibus] not ready: FetchError: maximum redirect reached at: https://grist..tld/dex/.well-known/openid-configuration

when accessing the app through browser, I get ERR_TOO_MANY_REDIRECTS.

I am not sure if I have messed up something in npm or its something to do with grist.

Thanks in advance.

@dsagal
Member

dsagal commented Jan 29, 2024

@ibarot1981 , what the container is doing is checking that the services it's running (such as Dex) are actually accessible at the URL you configured. It should be making a fetch to the exact URL you specified. Sometimes it's tricky to ensure that the public URL you configured is also accessible from inside the container.

@ibarot1981

ibarot1981 commented Jan 29, 2024

> @ibarot1981 , what the container is doing is checking that the services it's running (such as Dex) are actually accessible at the URL you configured. It should be making a fetch to the exact URL you specified. Sometimes it's tricky to ensure that the public URL you configured is also accessible from inside the container.

Hi, thanks for your reply.

I am not sure how to proceed here. Before I stumbled upon this issue here, I followed the docker compose guide here
[https://github.com/gristlabs/grist-omnibus]

Since I am terminating SSL at NPM on a separate host, earlier I gave the following env values:
URL : http://grist.domain.tld --- (Note : No HTTPS)
No other variables like HTTPS or TRUSTED_PROXY_IPS entered.

I could get the login page and also login with the EMAIL and PASSWORD variables as provided but immediately after login I got an error on the browser.

[screenshot]

at this point, nothing worked and it got stuck at this page.

On searching I found this thread and so I added HTTPS=external and TRUSTED_PROXY_IPS= my internal IP for NPM
But now I get the fetch maximum redirect error.

Is there anything more I need to do apart from adding the above two variables and changing URL from http to https?

Thank you.

@dsagal
Member

dsagal commented Jan 29, 2024

Hmm, I attempted to test, and I am getting the "418 I am a teapot" response code for everything, which is stumping me. I'll have to come back later to figure out what's wrong with my setup (it's not a clean slate). Also, there have been a few changes recently, and it's possible something broke again for HTTPS=external :(

As far as things to check:

  1. The URL should in fact include https:// if using external SSL termination.
  2. The hostname in URL must resolve to the correct IP address from the grist-omnibus container.
  3. This IP address should be accessible.
  4. The certificate should be valid (not self-signed, for example)
  5. The reverse proxy (the piece that's receiving https requests and forwarding them to grist-omnibus) needs to forward websocket requests as well. That wouldn't affect Dex or the initial login and page load, but comes into play when trying to open a document.
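A worked model of the mechanism behind the TRUSTED_PROXY_IPS fix described in the Jan 15 comment, and of the redirect loop reported by ibarot1981 and allquixotic, added here as an example; it is not grist-omnibus, Traefik or Dex code. It assumes the semantics implied in the thread: with HTTPS=auto or manual the bundled proxy terminates TLS itself, while with HTTPS=external the application only learns the original scheme from X-Forwarded-Proto, which it should honour solely when the immediate peer is inside TRUSTED_PROXY_IPS. The peer address 172.31.0.1 is taken from the source_ip in the first log above; the hostname, header values and the `/_oauth` path handling are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_trusted_proxies(spec):
    """Parse TRUSTED_PROXY_IPS-style text ('127.0.0.1/32,192.168.1.7') into
    ip_network objects. A bare address is treated as a single-host network."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def effective_scheme(source_ip, headers, trusted, https_mode):
    """Return the scheme the app should treat the request as having used.

    Assumed semantics (from the thread, not the project's code):
      auto/manual -> the bundled proxy terminated TLS, so the request is https;
      external    -> X-Forwarded-Proto is the only evidence, and it is honoured
                     only when the peer is one of the trusted proxies.
    Anything else falls back to plain http, which is the failure seen above.
    """
    if https_mode in ("auto", "manual"):
        return "https"
    if https_mode == "external":
        peer = ipaddress.ip_address(source_ip)
        if any(peer in net for net in trusted):
            # Use the first hop of a possibly comma-joined header value.
            proto = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
            if proto in ("http", "https"):
                return proto
    return "http"


def oauth_redirect_uri(configured_url, scheme):
    """redirect_uri the auth handler sends to the provider: the configured host
    with the scheme the app believes the request arrived on. When the scheme is
    wrongly http, the provider rejects it as an unregistered redirect_uri."""
    host = urlsplit(configured_url).netloc
    return f"{scheme}://{host}/_oauth"


def simulate_request(configured_url, source_ip, headers, trusted, https_mode, max_hops=5):
    """Model the external proxy -> app hop for the readiness check.

    If the app decides the request is http while URL is https, it answers with a
    redirect to the https URL; the external proxy terminates TLS again and
    forwards plain http, so the next hop looks identical to the app.
    Returns ('ok', hops) once the app serves the request, or ('loop', hops)
    when max_hops redirects pile up, mirroring 'maximum redirect reached'.
    """
    want = urlsplit(configured_url).scheme
    hops = 0
    while hops < max_hops:
        hops += 1
        if effective_scheme(source_ip, headers, trusted, https_mode) == want:
            return ("ok", hops)
        # app redirected to https; proxy forwards it back to us over http
    return ("loop", hops)


def demo():
    """Constructed scenario: proxy peer 172.31.0.1 (as in the log above),
    configured URL https://grist.example.com, header set by the proxy."""
    url = "https://grist.example.com"
    peer = "172.31.0.1"
    headers = {"X-Forwarded-Proto": "https"}
    untrusted = []                                    # TRUSTED_PROXY_IPS unset
    trusted = parse_trusted_proxies("172.31.0.1/32")  # TRUSTED_PROXY_IPS set
    return {
        "redirect_uri_untrusted": oauth_redirect_uri(url, effective_scheme(peer, headers, untrusted, "external")),
        "redirect_uri_trusted": oauth_redirect_uri(url, effective_scheme(peer, headers, trusted, "external")),
        "readiness_untrusted": simulate_request(url, peer, headers, untrusted, "external"),
        "readiness_trusted": simulate_request(url, peer, headers, trusted, "external"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trust check is deliberately on the immediate peer address, not on the host a browser connects to: the source_ip in the first log is a Docker bridge address, so the value that has to appear in TRUSTED_PROXY_IPS is whatever address the proxy's connections actually arrive from inside the container, which may differ from the proxy's public IP. Honouring X-Forwarded-Proto from any peer would instead let whoever can reach the container's port choose the scheme the app believes in.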

@allquixotic

allquixotic commented Feb 5, 2024

I am also getting the "too many redirects" / "FetchError:maximum redirect reached" error with grist checking for dex. Seems like a traefik redirect loop inside the container. I have:

  • nginx and letsencrypt as a reverse proxy
  • docker run -p 127.0.0.1:4321:80 -e TRUSTED_PROXY_IPS=<my_public_ip>/32,127.0.0.1/32 -e URL=https://<my_site.com> -e TEAM=foo -e EMAIL='something@somewhere.com' -e HTTPS=external -e insecure-cookie=true -e INSECURE_COOKIE=true -v /home/user/grist/dex.yaml:/custom/dex.yaml -v /home/user/grist/persist:/persist -i --rm --name grist grist-omnibus:latest, and I built the image locally with docker build -t grist-omnibus:latest . after cloning the main branch of this repo.

If I just run gristlabs/grist-omnibus:latest, I get grist version 1.1.1, which is ancient and doesn't support forms :( but it starts successfully. I had to build the image locally to get up to grist 1.1.10. Not sure why it doesn't pull 1.1.11...

Also in my logs I see: Feb 05 12:26:35 dcprod run.sh[10065]: 2024-02-05 17:26:35.329 - warn: Failed to create GoogleAuth endpoint: GOOGLE_CLIENT_SECRET is not defined

yet in my dex.yaml I have

 - type: google
   id: google
   name: Google
   config:
     issuer: https://accounts.google.com
     clientID: a real value
     clientSecret: a real value 
     redirectURI: '{{ getenv "APP_HOME_URL" }}/dex/callback'
     insecureSkipEmailVerified: true
     scopes:
     - openid
     - email
     - profile

@allquixotic

I narrowed down my issue (the redirect loop) to HTTPS=external. I added another dedicated IP address to my box (so it doesn't conflict with nginx), changed the config to use it, remapped the ports, and everything starts up and works with HTTPS=auto. So yeah, HTTPS=external is broken.

@TOMDM

TOMDM commented Mar 29, 2024

external seeming to be broken is now a blocker for me.
Has anyone found a fix?
