Not refreshing after social login due to http vs https


(Kloknibor) #1

Hi !

I’ve set up a Discourse forum at https://forum.photonic3d.com. It works fine, but when I log in with GitHub/Facebook or any other way I’ll get the message “Authentication is complete. Close this window to continue.”

When you close this window nothing happens, and I can go through the forum without being logged in, but as soon as I refresh the page I’m logged in. I couldn’t seem to find this issue anywhere else; does somebody know how to fix this?

Thanks in advance!

Robin


(Jeff Atwood) #2

Can you repro that here or on try.discourse.org?


(Kloknibor) #3

No, here it works totally fine, but I didn’t mess with the Discourse install so I’m not sure what happens. You can repro it on https://forum.photonic3d.com, just log in with GitHub or Facebook/Twitter :wink:

Robin


(Erlend Sogge Heggen) #4

Are you hosted on digital ocean?


(Kloknibor) #5

No I’m not hosted at digital ocean :wink:


(Erlend Sogge Heggen) #6

Please tell us more about that then. Which provider are you hosted with? Did the steps of our install guide apply perfectly to your setup or did you have to make some adjustments?

Since we can’t repro this on our own sites nor on Digital Ocean installs, it stands to reason that the issue is unique to however you’ve got things set up on your end, so we need to know more about that in order to be of any help.


(Kloknibor) #7

Hi Erlend,

I’ve bought a cloud VPS with a Dutch provider; I installed a Debian OS along with Docker and DirectAdmin on it.

Discourse has been installed inside Docker, and with an adjustment in our httpd config we pointed to the right port where our Discourse lives, so that we still have port 80 free for Apache and hosting our websites.

All other functions work correctly, and the only adjustment I made is that I added a header with some CSS from within the customization functions ;)!

Robin


(Erlend Sogge Heggen) #8

Okay, thanks for the info. That’s a fairly non-standard setup you’ve got there though, so unless someone on Meta happens to have run into this issue before there’s not much else we can do I’m afraid.


(Neil Lalonde) #9

The error is in the console:

Uncaught SecurityError: Blocked a frame with origin "http://forum.photonic3d.com" from accessing a frame with origin "https://forum.photonic3d.com". 

Your Discourse site is https, but your apps (facebook, twitter, github) are pointing to http. Browsers consider that a security problem.


(Kloknibor) #10

@neil you’re right! I see that too now, sorry :blush: What is the best way to fix this?


(Matt Palmer) #11

Change the config in the auth apps you’re using to point to the HTTPS URL.


(Kloknibor) #12

If I do this it will give me a new error: “Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?”

How to solve that?


(AstonJ) #13

I’m getting the same issue - I have changed the callback URL in dev.twitter to https://elixirforum.com/auth/twitter/callback but still the same - having to close the window then manually refresh the page.

Any ideas? I haven’t changed anything in the forums admin cp yet - do I need to?


(Jeff Wong) #14

From a quick check in the console, it seems like your callback is still http://elixirforum.com/auth/twitter/callback somewhere.

I’ve never used Twitter OAuth, but maybe it would be worth attempting to regenerate and update the OAuth client ID credentials with the https callback?


(AstonJ) #15

I don’t think Twitter is at fault, because when I check Enable Callback Locking (It is recommended to enable callback locking to ensure apps cannot overwrite the callback url) it goes to https://elixirforum.com/auth/twitter (with https).

I’m guessing Discourse is sending it to http, perhaps I need to install the SSL template or something (currently everything is being handled by HAProxy). Even checking use https in the ACP does nothing :confused:

Edit: I have set up the HTTPS redirect on HAProxy for the domain and now it appears to be working. But maybe the callback URL should go to HTTPS when the use https option is selected.

I think I will also post a thread asking whether it’s ok not to use the SSL template in this way…


(Jeff Wong) #16

Ah, then it’s most likely something in your HAProxy setup. Perhaps look at how your config is handling X-Forwarded-Proto header?


(Felix Freiberger) #17

I 100% agree. This also relates to my howto for an offline page:


(AstonJ) #18

Thanks both - I ended up adding the https redirect in HAProxy and that seems to have fixed it.

Agree with Felix that the callback URL should reflect the HTTPS setting in the acp…


(Batmunkh Moltov) #19

adding
proxy_set_header X-Forwarded-Proto $scheme;
works for my nginx web proxy.
Thanks :slight_smile:
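
The failure and the fix discussed in this thread, as an added example that is not part of any post and is not Discourse's code: a simplified model (an assumption) of an app behind a TLS-terminating proxy that takes its OAuth callback scheme from X-Forwarded-Proto, checked against the browser's same-origin rule. The host forum.example.com and the helpers callbackUrl, sameOrigin and checkLogin are hypothetical.

```javascript
// Simplified model (an assumption, not Discourse's code) of an app behind a
// TLS-terminating proxy building its OAuth callback URL from request headers.
function callbackUrl(headers, path) {
  // The proxy-to-app hop is plain HTTP, so without X-Forwarded-Proto the
  // app has no way to know the visitor used https and falls back to "http".
  const proto = (headers["x-forwarded-proto"] || "http").split(",")[0].trim();
  return `${proto}://${headers["host"]}${path}`;
}

// Same-origin rule as browsers apply it: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The login popup ends on the callback URL and must reach the forum page that
// opened it; a scheme mismatch is what produces the SecurityError in post #9.
function checkLogin(siteUrl, headers, path) {
  const callback = callbackUrl(headers, path);
  return { callback, popupCanReachOpener: sameOrigin(siteUrl, callback) };
}

// Constructed sample requests, as the app would receive them from the proxy.
const site = "https://forum.example.com";
const withoutHeader = { host: "forum.example.com" };
const withHeader = { host: "forum.example.com", "x-forwarded-proto": "https" };

// Proxy does not forward the scheme: callback is http, popup is blocked.
console.log(checkLogin(site, withoutHeader, "/auth/github/callback"));
// Proxy sets X-Forwarded-Proto: callback is https, origins match.
console.log(checkLogin(site, withHeader, "/auth/github/callback"));
```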