OpenID Connect Login navigating to 404 (Wrong endpoint) #5888
Comments
|
So I was able to duplicate it while debugging, and followed it to https://github.com/go-gitea/gitea/blob/master/modules/auth/oauth2/oauth2.go#L83 where it passed the correct URL into the http.Redirect function. At that point, I was unable to follow it anymore, but the resulting response had the Location header with the incorrect URL. So I suspect something within Go's HTTP.Request() is altering the URL. |
|
Could you try a |
|
Sorry, you meant the entry link for the OAuth. Here are the results: Looks like it's not the browser. |
|
Here is the same command, run from the same terminal, but pointing at localhost. |
|
Ok. So you say it definitely passed the correct URL into http.Redirect? (You've definitely got it logged to Stdout?) Another thing to check is that the response isn't proxied in some way so that it's not being wrapped. Presumably you're sitting Gitea behind a proxy; is there any way it's munging the URL? I don't know if it's possible to stick some logging in there? |
|
Sorry just saw your reply. Are you running that localhost command on your git.teknik.io box? Presuming you're running Gitea behind a proxy it would be helpful to see what comes out from Gitea before it gets to the proxy. |
|
I think at this point blaming Microsoft is reasonable. I have never configured IIS - so I think we're at the limit of my usefulness. I bet it's something to do with it doing a reverse DNS lookup and then rewriting the host. You probably need to specifically allow Gitea to redirect to auth and turn off rewrites to those URLs. Reply with your fix though because it may be helpful for others and we consider adding something to the docs but I think I'll mark this issue invalid as the problem is not in Gitea. |
|
I agree. I'll dig into the rewrite rules and see what I can come up with. |
|
Well that was faster than I thought. After looking at the Failed Request logs to see exactly what it did, it turns out the Application Request Routing was changing the Location header on its way out. So I went into the configuration for the ARR, and lo and behold, there is a setting called 'Reverse rewrite host in response headers'. Switching that off allowed the URL to come through unaltered. |
|
Lol. Ok, I guess a troubleshooting docs addition might be helpful? If you could either put the change in here or make a PR we can get it in? |
|
I'll write something up and make a PR |
|
Cool. Ok I'll close this issue. |


[x]):Nothing interesting in the logs
Description
After setting up an OpenID Connect authentication source, and clicking the 'Sign In with OpenID Connect' button, the page then goes to a 404 page, with the url being what seems to be the authorize endpoint, but appended to the current domain.
My thought is that since my OpenID provider has the same domain but a different subdomain as my hosted Gitea instance, Gitea is just taking the endpoint and appending it to its current URL.
URL for login button: https://git.teknik.io/user/oauth2/TeknikIdentity
URL after clicking login: https://git.teknik.io/connect/authorize?client_id=&redirect_uri=https%3A%2F%2Fgit.teknik.io%2Fuser%2Foauth2%2FTeknikIdentity%2Fcallback&response_type=code&scope=openid&state=<state_guid>
Here's my current config: https://p.teknik.io/gKeh8
I did try to set it up via a locally run Gitea instance, and it worked just fine.
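The comparison that settled this thread (the `Location` header the application emits versus the one that arrives through the reverse proxy), as an added example that is not part of the original issue or of Gitea's code. The hosts `git.example.test` and `id.example.test`, the sample responses and the function names are constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample responses; hosts are placeholders, not values from the issue.
QUERY = "client_id=gitea&response_type=code&scope=openid&state=abc"
BACKEND_RESPONSE = (  # what the application emits, captured before the proxy
    "HTTP/1.1 307 Temporary Redirect\r\n"
    f"Location: https://id.example.test/connect/authorize?{QUERY}\r\n\r\n"
)
PROXIED_RESPONSE = (  # what the browser receives through the reverse proxy
    "HTTP/1.1 307 Temporary Redirect\r\n"
    f"Location: https://git.example.test/connect/authorize?{QUERY}\r\n"
    "Server: Microsoft-IIS/10.0\r\n\r\n"
)


def location_of(raw: str) -> Optional[str]:
    """Return the Location header value from a raw HTTP response, if any."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def diagnose(backend_raw: str, proxied_raw: str, public_host: str, idp_host: str) -> str:
    """Say which hop, if any, changed the authorization redirect."""
    backend, proxied = location_of(backend_raw), location_of(proxied_raw)
    if backend is None or proxied is None:
        return "no-redirect"
    b, p = urlsplit(backend), urlsplit(proxied)
    if b.hostname != idp_host.lower():
        return "backend-wrong-host"  # the application itself built a bad URL
    if p == b:
        return "ok"  # proxy passed the header through untouched
    if (p.path, p.query) == (b.path, b.query) and p.hostname == public_host.lower():
        return "proxy-rewrote-host"  # only the host was swapped for the site's own
    return "proxy-altered"  # some other change; compare the two values by hand


if __name__ == "__main__":
    print(diagnose(BACKEND_RESPONSE, PROXIED_RESPONSE, "git.example.test", "id.example.test"))
```

Feed it the response head captured directly from the application's listening port and the one captured through the public hostname; a `proxy-rewrote-host` result points at the proxy's response-header rewriting rather than at the application.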