Omniauth OAuth redirect_uri_mismatch when https is used #723

Closed
gitviola opened this issue Feb 3, 2017 · 9 comments
@gitviola

gitviola commented Feb 3, 2017

Infos:

  • Used Zammad version: 1.2.0
  • Operating system: Ubuntu 16.04

Expected behavior:

  • use https in callback url for github oauth

Actual behavior:

  • uses http in callback url for github oauth

Steps to reproduce the behavior:

  • set http type to https
  • logout
  • authorise with github on login page

Known workaround

redirect http to https in nginx and use the http version of the url as callback url in the github oauth app setting

(related to #647)

@madd86

madd86 commented Feb 3, 2017

It worked for me.

Remember that the callback url is actually set on github and not on Zammad.

Here:

screenshot_3

@thorsteneckel
Contributor

Thanks @madd86 !

@gitviola
Author

@madd86 that's what I did. The other thing is just the workaround so that it works

@thorsteneckel
Contributor

thorsteneckel commented Feb 15, 2017

Hi @schurig - oops. Hit the button too early 😁

I analyzed the behavior and can reproduce the issue you are having. Sadly it's out of the Zammad scope (done by Omniauth) so we can't provide a direct fix. Nevertheless we will analyze it further to find the best solution to get it to work.

How to reproduce:

  • Have a https Zammad instance running with a reverse proxy e.g. NGINX
  • Register a Github OAuth2 application in Github/Zammad
  • Try to log in to Zammad, get redirected to the Github page
  • Notice that the redirect_url GET parameter is actually the Zammad url with http instead of https

Current state:
The redirect_url comes from here:
https://github.com/intridea/omniauth-github/blob/master/lib/omniauth/strategies/github.rb#L5
https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L47
https://github.com/omniauth/omniauth/blob/8098855f6b52f5f1aecbd700e7068f204adddfdd/lib/omniauth/strategy.rb#L435
https://github.com/omniauth/omniauth/blob/8098855f6b52f5f1aecbd700e7068f204adddfdd/lib/omniauth/strategy.rb#L428
https://github.com/omniauth/omniauth/blob/8098855f6b52f5f1aecbd700e7068f204adddfdd/lib/omniauth/strategy.rb#L503

Seems some of those RACK ENVs are not set properly. Should be checked if we can influence this via the NGINX conf or if we have to do it somehow in the Rails context.

@thorsteneckel thorsteneckel reopened this Feb 15, 2017
@thorsteneckel thorsteneckel self-assigned this Feb 15, 2017
@thorsteneckel thorsteneckel added bug and removed bug labels Feb 17, 2017
@thorsteneckel
Contributor

Hi @schurig - I think I got it! Are you running with an NGINX installation? If so please update your configuration and add these two lines:

        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;

Like in the screenshot:
bildschirmfoto 2017-02-17 um 16 56 54

Restart your NGINX and Zammad and let me know. Apache should be these lines:

RequestHeader set Host zammad.example.com
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443

For the record: I dumped the rack.envs via an initializer overwriting the Omniauth ssl detection in a new rails initializer config/initializers/debug_ssl.rb:

Rails.application.config.to_prepare do              # to_prepare ensures that the monkey patching happens before the first request
  OmniAuth::Strategy.class_eval do                  # reopen the class
    protected

    def ssl?                                        # redefine the ssl? method
      # DEBUG/CUSTOMIZATION
      File.write('/tmp/omniauth.log', request.env.inspect)
      # DEBUG/CUSTOMIZATION

      request.env['HTTPS'] == 'on' ||
        request.env['HTTP_X_FORWARDED_SSL'] == 'on' ||
        request.env['HTTP_X_FORWARDED_SCHEME'] == 'https' ||
        (request.env['HTTP_X_FORWARDED_PROTO'] && request.env['HTTP_X_FORWARDED_PROTO'].split(',')[0] == 'https') ||
        request.env['rack.url_scheme'] == 'https'
    end
  end
end

And none of the checked vars were set.
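
The effect of the two proxy header lines on the check quoted above, as an added example (not code from Zammad, OmniAuth or any participant in this thread). The helper names, the `/auth/github/callback` path and both env hashes are constructed assumptions; `scheme_debug` shows a narrower alternative to dumping the whole `request.env`, which also contains cookies.

```ruby
# Keys consulted by the ssl? check quoted in the comment above.
SCHEME_KEYS = %w[
  HTTPS HTTP_X_FORWARDED_SSL HTTP_X_FORWARDED_SCHEME
  HTTP_X_FORWARDED_PROTO rack.url_scheme
].freeze

# Same decision as the quoted ssl? method, taking a plain Rack env hash.
def ssl_detected?(env)
  env['HTTPS'] == 'on' ||
    env['HTTP_X_FORWARDED_SSL'] == 'on' ||
    env['HTTP_X_FORWARDED_SCHEME'] == 'https' ||
    env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0] == 'https' ||
    env['rack.url_scheme'] == 'https'
end

# Hypothetical, simplified stand-in for how the callback URL gets its scheme.
def callback_url(env, path = '/auth/github/callback')
  scheme = ssl_detected?(env) ? 'https' : 'http'
  "#{scheme}://#{env['HTTP_HOST']}#{path}"
end

# Debug view limited to scheme-related keys; cookies and tokens stay out of logs.
def scheme_debug(env)
  env.slice(*SCHEME_KEYS)
end

# Constructed: what the app server sees behind a TLS-terminating proxy
# that forwards plain HTTP without the two proxy_set_header lines.
ENV_WITHOUT_HEADERS = {
  'HTTP_HOST' => 'zammad.example.com',
  'rack.url_scheme' => 'http',
  'HTTP_COOKIE' => 'session=constructed'
}.freeze

# Constructed: the same request once the proxy sets the headers.
ENV_WITH_HEADERS = ENV_WITHOUT_HEADERS.merge(
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'HTTP_X_FORWARDED_PORT' => '443'
).freeze

# Constructed: callback URL as registered in the OAuth application settings.
REGISTERED = 'https://zammad.example.com/auth/github/callback'

def mismatch?(env)
  callback_url(env) != REGISTERED
end

[ENV_WITHOUT_HEADERS, ENV_WITH_HEADERS].each do |env|
  puts "#{callback_url(env)} mismatch=#{mismatch?(env)} #{scheme_debug(env)}"
end
```

The check trusts whatever `X-Forwarded-Proto` value reaches the application, so the proxy should set the header itself (as `proxy_set_header` does, replacing any client-sent value) and the app server should only be reachable through that proxy.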

@thorsteneckel thorsteneckel changed the title Github OAuth redirect_uri_mismatch when https is used Omniauth OAuth redirect_uri_mismatch when https is used Feb 17, 2017
@gitviola
Author

This was the problem! Thanks!! 😍 ❤️

@thorsteneckel
Contributor

Thanks for the feedback! Commit is on its way. 🚀 up to the next issue.

@salmagomaa

Try this answer, it worked for me:
https://stackoverflow.com/a/41466634/1770571

@MrGeneration
Member

@salmagomaa this does not solve the problem and was a Bug within Zammad.
Please try not to recycle posts - the issue has been resolved already.
