Google auth error

Kostya_Vasilyev · October 7, 2020, 8:42am

Hello,

I’m new to Discourse. Recently created a forum and now in the process of moving the site and the forum to a new domain name.

The forum’s old domain: https://forum.skymail.app (not active, redirects to new site)

New domain: https://forum.sugarmail.app (operational)

Having trouble with Google auth. I’ve got a Google Cloud project, and after switching to the new domain, I also changed the redirect url under Client ID there, so currently it’s set to

https://forum.sugarmail.app/auth/google_oauth2/callback

Now the issue. When trying to “sign up with Google”, I get this error in Discourse:

https://forum.sugarmail.app/auth/failure?message=csrf_detected Authorization timed out, or you have switched browsers. Please try again.

When the forum was under the old domain, forum.skymail.app, Google auth worked without issue.

I did do ./launcher rebuild app after changing the domain, making sure to update the domain in app.yaml under DISCOURSE_HOSTNAME (in fact the forum wouldn’t load at all until I did that).

Any pointers please?

david · October 7, 2020, 9:40am

Normally, when you start the login flow, the _forum_session cookie is set in your browser. However, on your site, that doesn’t seem to be happening.

Do you have any plugins or proxies which could be intefering with the cookies on your site?

Kostya_Vasilyev · October 7, 2020, 11:06am

Thank you for the response.

Plugins - no, not using any. About the only thing I did after installation was to enable Google auth (client id and secret) and enabling “always use https”.

Proxies - I’m using nginx as a reverse proxy (which also serves the main app site).

    # discourse
    location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass_request_headers on;
            proxy_pass http://localhost:10080;
    }

and in containers/app.yaml

expose:
  - "10080:80"   # http
  - "10443:443" # https

Let’s Encrypt in Discourse settings is not enabled. So the nginx inside the container is serving plain http, and the outside nginx add ssl termination.

These is almost same setup I had with the old domain, the only difference is “force https”.

I’m running 2.6.0.beta3.

Kostya_Vasilyev · October 7, 2020, 11:08am

Oh darn, it’s “force https” which I previously had off.

I enabled it recently, to avoid getting the warning in Chrome about “insecure page content” which was happening because of plain http links to images.

To reiterate, I do ssl termination in the “outside” nginx, and as far as Discouse itself goes, there is no ssl.

Turning off “force https” makes Google auth work again (I had to add a plain http redirect URL in the Google Cloud project).

But that’s not good because there will be “insecure site” / mixed content warnings as soon as there are images.

Is there a way to keep Google auth working with “force https” and ssl termination outside of Discourse?

( I’d use Discourse’s own ssl support except it assumes that it “owns” the domain, so I’d need to set up an additional IP address for this VPS and separate the main site and the forum… which is a bit of a chore… )

riking · October 7, 2020, 1:05pm

Make sure you’re sending along X-Forwarded-Proto: https.

Kostya_Vasilyev · October 7, 2020, 1:03pm

Thank you @riking I’ve now copied the nginx block from your link verbatim, then then enabled “force https” as recommended by Discourse admin console.

My forum is back up and running now and Google auth is working.

An issue still persists, though:

Both Chrome and Firefox are giving me warnings about insecure page content.

Looking at network trace in Chrome dev tools, it’s this link (plain http, not https):

Kostya_Vasilyev · October 7, 2020, 1:07pm

Ah, never mind. I just set a new, custom favicon and it’s now fetched using https. No mo “mixed content” warnings.

Beautiful, thanks for your help!

system · November 6, 2020, 1:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.