Use SSL OAuth Redirect URLs


#1

Hello,

I have activated the templates

  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"

The Docker container itself does not use SSL, but it is only bound to localhost and Apache proxies SSL requests to it.

I have also enabled Facebook and Google auth. In FB auth you have to give valid OAuth redirect URLs. Can I change Discourse to give the https redirect URL to Facebook and Google? I had to enter http://forum.domain/auth/facebook/callback everywhere, instead of https.

I have seen only one place where it gives the protocol in the settings: “contact url”, which is already set to https.

Thx!


(Matt Palmer) #2

Discourse doesn’t give redirect URLs to external auth providers, you configure that in the auth provider. Why did you “have” to enter HTTPs URLs everywhere, why didn’t the HTTPS ones work?


#3

When I set only the https URL in Facebook's “Valid OAuth redirect URLs”, log out from Discourse and try to log in using Facebook Login, a popup window opens with an error message:

URL blockiert: Diese Weiterleitung ist fehlgeschlagen, da die URI zur Weiterleitung in den Client oAuth-Einstellungen der App nicht auf die Whitelist gesetzt wurde. Stelle sicher, dass Client- und Web OAuth-Login aktiviert sind und füge alle deine App-Domäns als gültige OAuth-Weiterleitungs-URIs hinzu.

which basically means that the redirect URL is not on the whitelist. Please ensure that all app domains are added as valid OAuth redirect URLs.

The URL of the popup is:

https://www.facebook.com/v2.6/dialog/oauth?client_id=1338967036188361&display=popup&redirect_uri=http%3A%2F%2Fforum.csc-stuttgart.org%2Fauth%2Ffacebook%2Fcallback&response_type=code&scope=email&state=12a9933d521ef20514b402fb6e4b8c2b90822be62d1b9a4c

I thought that the redirect_uri parameter (which is only http) comes from Discourse.

Thx.


(Joshua Rosenfeld) #4

Have you followed the #howto for configuring Facebook login?


#5

Yes, I indeed followed the howto and it works - as long as I use http. But my forum is reachable from both http and https. http requests are immediately redirected to https. I would prefer to use https for the OAuth redirect URL right from the beginning.


(Joshua Rosenfeld) #6

Is there a reason for this? I know in the past there have been issues reported with external communication being confused about both HTTP and HTTPS.


#7

I expressed that in a slightly misleading way.

From a docker/discourse perspective there is only http. I only expose “127.0.0.1:2080:80”.

Apache does the SSL stuff. On VirtualHost *:80 (non-SSL) it redirects to the SSL port

Redirect permanent / https://forum.csc-stuttgart.org/

And on the SSL port it proxies the traffic to localhost:2080

   ProxyPass        "/" "http://localhost:2080/"
   ProxyPassReverse "/" "http://localhost:2080/"

Does this explain the non-SSL redirect URLs?

Best Thanks!


(Blake Erickson) #8

Most likely. Just the other day I set up Facebook login on a self-hosted SSL-only install and it worked without any issues.


(Matt Palmer) #9

Yes, if Discourse doesn’t know that it’s an HTTPS site, it’s pretty loath to generate HTTPS URLs. You might have better luck if you pass the X-Forwarded-Proto header through to Discourse from Apache, indicating when the connection was actually HTTPS.
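
The Apache side of the suggestion in post #9, sketched as an added example that is not part of the thread or of Discourse's own documentation. It reuses the hostname and the proxy lines from post #7; the certificate paths are placeholders, and it assumes mod_ssl, mod_proxy_http and mod_headers are loaded.

```apache
# Plain-HTTP vhost: unchanged from post #7, only redirects to HTTPS.
<VirtualHost *:80>
    ServerName forum.csc-stuttgart.org
    Redirect permanent / https://forum.csc-stuttgart.org/
</VirtualHost>

# TLS-terminating vhost in front of the container published on 127.0.0.1:2080.
<VirtualHost *:443>
    ServerName forum.csc-stuttgart.org

    SSLEngine on
    # Placeholder paths, not taken from the thread.
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Tell the backend that the client connection was HTTPS.
    # "set" (not "add") replaces any X-Forwarded-Proto value the client sent,
    # so the backend only ever sees the value Apache asserts here.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        "/" "http://localhost:2080/"
    ProxyPassReverse "/" "http://localhost:2080/"
</VirtualHost>
```

The header is only trustworthy because the container port is bound to 127.0.0.1, so every request reaching it has passed through this vhost. After reloading Apache, the `redirect_uri` parameter in the Facebook popup URL from post #3 is the value to check for an `https` scheme.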