-
Notifications
You must be signed in to change notification settings - Fork 7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mattermost generates wrong redirect uri for SSO authentication #3944
Comments
Hi @jdoubleu - thanks for filing something on this, I've created a Jira ticket for someone to go look at it. If it's something you're interested in submitting a fix for, feel free to sign up for our daily builds server and join the Developer channel to discuss it. |
Closing this issue + will track in Jira |
Similar to issue we are seeing in combo gitlab and mattermost last released version. In our case it is behind nginx but the weird part is not an invalid redirect urine (which we also see with often products often as configuration issue) but that the client browser performs a request back to the Web server and the Web server never delivers and times out after 2 minutes. The redirect is not returning to something correctly. I will try disabling sso as a work around. |
Great analysis by the way |
BTW, this possible solution did not work for me "One simple fix might be to set the page url of Mattermost in its settings." Meaning (if @jdoubleu analysis is correct) that there is some more problems inside context.go as siteurl defined in cfg is not being used here. |
I've tried to replicate this problem and haven't been able to do so yet. I have one question about this remark:
If
If GitLab says, "The redirect URI included is not valid", that usually means the Are you sure the Mattermost OAuth2 client ID and secret match the values provided by GitLab? |
@stanhu To whom is the question "Are you sure the mattermost...GitLab" directed? |
Okay I rechecked all my settings and the problem still exists. Here's my setup: I'm currently using GitLab Both GitLab and Mattermost are running behind a reverse proxy which communicates via HTTP with them but over HTTPS with be client.
(Note the I've left the
On the side of Mattermost I setup the following options under
Behaviour
which results in GitLab throwing
I guess this happens because the I came to the result, as described in the issue, that the Mattermost API which inits a redirect to GitLab doesn't build the correct uri - more specific the protocol is wrong. Providing the correct URL to Mattermost (using HTTPS) in To answer @stanhu 's question: The client_id seems to be correct but the
Totally correct! |
Okay I found the problem! I've setup Mattermost inside docker containers. Therefore I used the Mattermost is working correct and the functions mentioned in the issue are doing a good job but the docker containers doesn't. I'm creating an issue over there but here's a short explanation: I just dropped this little proxy but I'll also create a PR for a workaround. |
@jdoubleu Thanks for figuring this out! I had a feeling it had to do with confusion over the I wonder if GitLab omnibus should write out |
Maybe it's a bit late but the bug still exists.
There was a long issue about a bug where singing-in into Mattermost through GitLab doesn't work if Mattermost is behind a reverse proxy and this proxy communicates with HTTP with Mattermost while the user is facing the page with HTTPS (because the proxy support SSL). You can read it here.
First of all:
Summary
Singin-in/Authenticating via SSO with GitLab won't work because the generated URI contains the wrong protocol if Mattermost ist behind a proxy, communicating with HTTP, and the page URL isn't set in Mattermost's settings.
Steps to reproduce
Expected behavior
After clicking the SSO button on Mattermost, it will redirect me to GitLab where I have to login-in and authorize the Application to use my account data. After authorizing GitLab should redirect me to Mattermost where I'm logged in now.
Observed behavior
After clicking the SSO button GitLab will fail (with the error message:
The redirect URI included is not valid.
) due to the fact, that theredirect_uri
query param doesn't match the providedclient_id
.Possible fixes
One simple fix might be to set the page url of Mattermost in its settings.
I've inspected the code and I wanted to share my results here.
Clicking the GitLab button on the log-in page of Mattermost will redirect me to
/api/v3/oauth/gitlab/login
, this API call with initiate a 302 redirect to GitLabhttps://gitlab.example.com/oauth/authorize?response_type=code&client_id=_64_length_string&redirect_uri=http%3A%2F%2Fmattermost.example.com%2Fsignup%2Fgitlab%2Fcomplete&state=_another_long_string
.This redirect is managed inside the
api/oauth.go
file, where on line 727 the link is generated.The function
GetSiteUrl
inapi/context.go
, line 462 gets called which only returns the actual site url.The current site url is set in the
ServeHTTP
function in thecontext.go
file, on line 145 this will set the url set by the user, if it exists, or, if not, generate it with the protocol and host.To get the protocol, this function calls the
GetProtocol
function incontext.go
on line 267.Although this function tries to get the
X-Forwarded-Proto
(client header call on line 268, using theHEADER_FORWARDED_PROTO
constant) it get's the wrong protocol.My proxy serves the
X-Forwarded-Proto
header correctly to Mattermost.I didn't test what went wrong in the
GetProtocol
function.Also one thing I want to point out is that there is a newer standardized form of the
Forwared
headers (see RFC 7239) which should be recognized.EDIT
Fixed links pointing to
v3.3.0
tag now instead ofmatser
branch where some code changes appeared.The text was updated successfully, but these errors were encountered: