Unable to authorize draw.io in gitlab #2348

Closed
1 task done
B0rner opened this issue Oct 25, 2021 · 4 comments

B0rner commented Oct 25, 2021

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Describe the bug
I'm unable to authorize the self-hosted gitlab connection between the draw.io container and gitlab.

To Reproduce
Steps to reproduce the behavior:

  1. Adding the following parameter to the draw.io container configuration (docker-compose-file):
    ports:
    - 8081:8080
    - 8444:8443
    environment:
    - DRAWIO_BASE_URL=http://my-drawio-host:8081
    - DRAWIO_GITLAB_ID=abc..
    - DRAWIO_GITLAB_SECRET=def...
    - DRAWIO_GITLAB_URL=https://gitlab-host
    - DRAWIO_CSP_HEADER=default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://gitlab-host; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline';
  2. Logging in to gitlab and adding a new application, like explained here: Add private gitlab storage #493 (comment) and adding the gitlab-id and gitlab-secret to the docker-compose file from "1."
  3. Starting the draw.io container & opening the draw.io page (http://my-drawio-host:8081) with a browser (current firefox @ Ubuntu) -> gitlab popup: (click) "Create new Diagram" -> select a diagram template and click "create"
  4. "Authorize this app in GitLab" - popup. Click the "Authorize" button, which opened this URL:
    https://gitlab-host/oauth/authorize?client_id=a123&scope=api%20read_repository%20write_repository&redirect_uri=http%3A%2F%2Fmy-drawio-host%3A8081%2Fgitlab&response_type=code&state=cId%3Da123%26domain%3Dmy-drawio-host%26token%3Dbcd123 and gitlab returns the error: "The redirect URI included is not valid."

This is correct, because the redirect-URL in the link is https://my-drawio-host:8081/gitlab. But the redirect-URL in the Git-Application config is https://my-drawio-host:8081/gitlab.html, as explained here: #493 (comment)

  5. If I change the redirect-URI in the browser in step 4 from https://my-drawio-host:8081/gitlab to https://my-drawio-host:8081/gitlab.html I get the gitlab dialog "Authorize drawio to use your account?". If I click "Authorize" the gitlab tab closes and the draw.io tab shows an "error" popup: "Access Denied" with the option to "Try again" or to cancel.

5a. Alternative way to 5: I change the redirect-URL in the gitlab Application Setting to https://my-drawio-host:8081/gitlab. And running steps 3 & 4 without error, but the draw.io page ends in a blank page.

Expected behavior

  1. Step 4.) should not return the "The redirect URI included is not valid." - error.
  2. Step 5 or 5a should end with draw.io authorized in gitlab.

draw.io version (In the Help->About menu of the draw.io editor):

  • draw.io version 15.2.7

Desktop (please complete the following information):

  • OS: Ubuntu 20.04
  • Browser firefox
  • Version 92

Additional context
Running jgraph/drawio:latest docker image on ubuntu 20.04.03
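
A diagnostic for the "The redirect URI included is not valid." error from step 4, as an added example that is not part of the original post or of draw.io: it decodes the redirect_uri from the authorization URL exactly as written in the report and lists the components in which it differs from each registered value. The function names are hypothetical, and exact string matching by the authorization server is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Authorization URL from step 4 of the report (placeholder hosts and ids as posted).
AUTHORIZE_URL = (
    "https://gitlab-host/oauth/authorize?client_id=a123"
    "&scope=api%20read_repository%20write_repository"
    "&redirect_uri=http%3A%2F%2Fmy-drawio-host%3A8081%2Fgitlab"
    "&response_type=code"
    "&state=cId%3Da123%26domain%3Dmy-drawio-host%26token%3Dbcd123"
)

def requested_redirect_uri(authorize_url):
    """Return the decoded redirect_uri parameter of an OAuth authorization URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    values = query.get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]

def redirect_uri_mismatches(requested, registered):
    """List the URI components in which two redirect URIs differ.

    Assumption: the authorization server compares the strings exactly, so a
    difference in scheme, host, port, path or query rejects the request.
    """
    a, b = urlsplit(requested), urlsplit(registered)
    parts = {
        "scheme": (a.scheme, b.scheme),
        "host": (a.hostname, b.hostname),
        "port": (a.port, b.port),
        "path": (a.path, b.path),
        "query": (a.query, b.query),
    }
    return {name: pair for name, pair in parts.items() if pair[0] != pair[1]}

def diagnose(authorize_url, registered_uris):
    """Map each registered URI to its mismatches; an empty dict means a match."""
    requested = requested_redirect_uri(authorize_url)
    return {reg: redirect_uri_mismatches(requested, reg) for reg in registered_uris}

if __name__ == "__main__":
    # The two values tried in the report as the application's redirect URI.
    for reg, diff in diagnose(AUTHORIZE_URL, [
        "https://my-drawio-host:8081/gitlab.html",
        "https://my-drawio-host:8081/gitlab",
    ]).items():
        print(reg, "->", diff or "exact match")
```

The same comparison applies to the later token exchange, where the redirect URI sent with the authorization code has to equal the one used in the authorization request.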

tafkos commented Nov 3, 2021

In any case you have missed a solution from search... :) At the end of thread #492 there are 2 mentioned issues: yours #2348 and mine #2192

The root cause is described here #2192 (comment)

This is the correct link for the redirect-URL (.html is omitted): https://my-drawio-host:8081/gitlab

This solution helps me:

Import self-signed certificate of self-hosted Gitlab instance to self-hosted Drawio container:

inside Drawio container:

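    # Hostname of the self-hosted GitLab instance
    export SSL_URL=gitlab-host
    # Fetch the certificate the server presents and store it where update-ca-certificates looks
    openssl s_client -connect "$SSL_URL:443" < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "/usr/local/share/ca-certificates/$SSL_URL.crt"
    # Rebuild the system CA bundle
    update-ca-certificates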

Then restart drawio container.

B0rner commented Nov 5, 2021

@tafkos Thank you for your solution, but it does not work in my case. I did the steps you did. I also additionally added all the certificates needed into the tomcat keystore (which was posted as a solution somewhere else). I added all the certificates from the whole certification path, which is working on different applications.
But I get the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I'm not sure where this error comes from. To me it looks like draw.io cannot validate the gitlab certification path, but
curl https://gitlabhost works, by the way, without a certificate problem...

tafkos commented Nov 6, 2021

@B0rner Have you restarted the drawio container after importing the local gitlab certificate?

B0rner commented Nov 9, 2021

@tafkos Yes, I did. I restarted the draw.io docker container after importing the certificates. The error message is different, but I'm not sure if this is really based on the imported certificates.

After I clicked authorize in gitlab during the authorization process, gitlab returned back to the draw.io host, which returned an HTTP Error 500 (but URL, protocol and port are correct).

The error message is now:
"The provided authorization is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to an other client."
The gitlab authorization was not changed and never expired.
