OAuth 2.0 authorisation response is missing or does not match `redirect_uri`

[pstutzinger]

Hi,

i'm trying to setup the proxy on an Azure VM. I've tried using CentOS 7.9 and currently Ubuntu 20.04.

But everytime it's ending with this error:
Authorisation result error for - aborting login. OAuth 2.0 authorisation response is missing or does not match redirect_uri

this is my configuration:

I'm using python3 (3.8.10)
Since this is a cloud server without GUI, I'm using the local auth server option. Azure does not set the public IP address on the VM, but set an internal IP on the interface. Therefor i'm using the redirect listening address option.
Also, the Azure AD Enterprise Applications require the Redirect UI to be HTTPS, so i'm proxying https to http via nginx on the server.

this is my configuration for the proxy:

[IMAP-1993]
local_address = 10.2.0.14
server_address = outlook.office365.com
server_port = 993

permission_url = https://login.microsoftonline.com/<tenant-id-redacted>/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/<tenant-id-redacted>/oauth2/v2.0/token
oauth2_scope = https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send
redirect_uri = https://public-azure-vm-fqdn:8443/oauth
redirect_listen_address = http://10.2.0.14:8080
client_id = <client-id-redacted>
client_secret = <client-secret-redacted>

the azure ad enterprise application / app registration has the following configuration:

redirect uri: https://public-azure-vm-fqdn:8443/oauth
delegated permissions for MS Graph: IMAP.AccessAsUser.All, offline_access, POP.AccessAsUser.All, SMTP.Send, User.Read
secret: <client-secret-redacted>
tenant: multi-tenant (any organization)
Allow public client flows: true

when im trying to authenticate this happens:

2022-11-28 09:02:55: Initialising Email OAuth 2.0 Proxy from config file /root/email-oauth2-proxy/emailproxy.config
2022-11-28 09:02:55: Starting IMAP server at 10.2.0.14:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2022-11-28 09:02:55: Starting POP server at 10.2.0.14:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2022-11-28 09:02:55: Starting SMTP server at 10.2.0.14:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2022-11-28 09:02:55: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2022-11-28 09:03:01: New incoming connection to IMAP server at 10.2.0.14:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2022-11-28 09:03:01: Accepting new connection to IMAP server at 10.2.0.14:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS) via ('<public-client-ip-redacted>', 54970)
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) --> [ Client connected ]
2022-11-28 09:03:01: IMAP (10.2.0.14:1993;<public-client-ip-redacted>:54970->outlook.office365.com:993) <-> [ Starting TLS handshake ]
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-> [ TLS handshake complete ]
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUABSADAAMwBDAEEAMAAwADIAOAAuAGUAdQByAHAAcgBkADAAMwAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; 93.229.197.194:54970->outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [QQBNADAAUABSADAAMwBDAEEAMAAwADIAOAAuAGUAdQByAHAAcgBkADAAMwAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) --> b'68 capability\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993)     --> b'68 capability\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993)     <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-- b'* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993)     <-- b'68 OK CAPABILITY completed.\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-- b'68 OK CAPABILITY completed.\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) --> b'69 authenticate PLAIN\r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-- b'+ \r\n'
2022-11-28 09:03:01: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) --> b'[[ Credentials removed from proxy log ]]'
2022-11-28 09:03:02: Authorisation request received for <client-email-address-redacted> (local server auth mode)
2022-11-28 09:03:02: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account <client-email-address-redacted>
2022-11-28 09:03:02: Local server auth mode (10.2.0.14:8080): starting server to listen for authentication response
2022-11-28 09:03:02: Please visit the following URL to authenticate account <client-email-address-redacted>: https://login.microsoftonline.com/<tenant-id-redacted>/oauth2/v2.0/authorize?client_id=<client-id-redacted>&redirect_uri=https%3A%2F%2F<public-azure-vm-fqdn>%3A8443%2Foauth&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FPOP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send&response_type=code&access_type=offline&login_hint=<client-email-address-redacted>
2022-11-28 09:03:08: Local server auth mode (10.2.0.14:8080): received authentication response GET /oauth?code=<code-payload-redacted>&session_state=437afde4-a618-4084-8b57-a0185851b504 HTTP/1.0 200 373
2022-11-28 09:03:08: Local server auth mode (10.2.0.14:8080): closing local server and returning response http://public-azure-vm-fqdn/oauth?code=<code-payload-redacted>&session_state=437afde4-a618-4084-8b57-a0185851b504
2022-11-28 09:03:08: Authorisation result error for <client-email-address-redacted> - aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`
2022-11-28 09:03:08: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-- b'69 NO AUTHENTICATE Email OAuth 2.0 Proxy: Login failed for account <client-email-address-redacted>: OAuth 2.0 authorisation response is missing or does not match `redirect_uri`\r\n'
2022-11-28 09:03:08: IMAP (10.2.0.14:1993; <public-client-ip-redacted>:54970->outlook.office365.com:993) <-- b'* BYE Autologout; authentication failed\r\n'
Authorisation result error for <client-email-address-redacted>- aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`

what can i do to get this working?

[marcoideait]

Hello,
similar problem here:

oauth2 proxy display link for login

[root@confindustriachpe email-oauth2-proxy]# python3 emailproxy.py --no-gui --local-server-auth --debug
emailproxy.py:50: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.fernet import Fernet, InvalidToken
2022-11-28 12:42:37: Initialising Email OAuth 2.0 Proxy from config file /opt/email-oauth2-proxy/emailproxy.config
2022-11-28 12:42:37: Starting IMAP server at 192.168.250.20:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2022-11-28 12:42:37: Starting POP server at localhost:1995 (unsecured) proxying outlook.office365.com:995 (SSL/TLS)
2022-11-28 12:42:37: Starting SMTP server at localhost:1587 (unsecured) proxying smtp.office365.com:587 (STARTTLS)
2022-11-28 12:42:37: Starting IMAP server at localhost:2993 (unsecured) proxying imap.gmail.com:993 (SSL/TLS)
2022-11-28 12:42:37: Starting POP server at localhost:2995 (unsecured) proxying pop.gmail.com:995 (SSL/TLS)
2022-11-28 12:42:37: Starting SMTP server at localhost:2465 (unsecured) proxying smtp.gmail.com:465 (SSL/TLS)
2022-11-28 12:42:37: Initialised Email OAuth 2.0 Proxy - listening for authentication requests. Connect your email client to begin
2022-11-28 12:42:57: New incoming connection to IMAP server at 192.168.250.20:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS)
2022-11-28 12:42:57: Accepting new connection to IMAP server at 192.168.250.20:1993 (unsecured) proxying outlook.office365.com:993 (SSL/TLS) via ('192.168.250.20', 54624)
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) --> [ Client connected ]
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) <-> [ Starting TLS handshake ]
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) <-> [ TLS handshake complete ]
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993)     <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [WgBSADAAUAAyADcAOABDAEEAMAAxADQANgAuAEMASABFAFAAMgA3ADgALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) <-- b'* OK The Microsoft Exchange IMAP4 service is ready. [WgBSADAAUAAyADcAOABDAEEAMAAxADQANgAuAEMASABFAFAAMgA3ADgALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]\r\n'
2022-11-28 12:42:57: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) --> b'TAG1 LOGIN [[ Credentials removed from proxy log ]]\r\n'
2022-11-28 12:42:58: Authorisation request received for xxxxx@yyyyy.it (local server auth mode)
2022-11-28 12:42:58: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account xxxxx@yyyyy.it
2022-11-28 12:42:58: Local server auth mode (rrr.yyyyy.it:8443): starting server to listen for authentication response
2022-11-28 12:42:58: Please visit the following URL to authenticate account xxxxx@yyyyy.it: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=69bb6304-a895-4264-afa9-fa4f7ea855a3&redirect_uri=https%3A%2F%2Frrr.yyyyy.it%3A8443%2Fauth-response&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FPOP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send%20offline_access&response_type=code&access_type=offline&login_hint=xxxxx40yyyyyy.it
2022-11-28 12:43:01: Local server auth mode (rrr.yyyyy.it:8443): received authentication response GET /auth-response?code=0.AUcA6hMctT5Txki5ZVejHY284QRju2mVqGRCr6n6T36oVaNHAGo.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9uq92CYyRTZShPS420RnXUclp88kNOPSkwI1uNsVhRqLh521geAxmEJoj_WGe52zaN5YAJZ5Y8Zvz2ZAiY-LLGIhTMVc9DsCZKKj4Cm-5y9jrS1wWBtEvCDT5DjWT8WC5lapdQMwCmlZEadbWCgtW8B09lAXLUjDL3BhODM-bEKvD9QTiG8jPULtIe7RF8DCaM3Ak6T8zkYBLQfVOD0HXJuMXj7Tzbl4zzsY2EuNPuYgqzK5GbuQAAMbsai6VCIot2ZFoMj0a7HXRzo3kfRPhnL9aNqTpVDWIF3e9nurMm6BuzaWUhorPiNknl8yDMdZE-5Kc30LDwzi4ZkK2nZS8XOv6FWwLLSJc8U3ma2k3Kjsr33AuizplsVf5xBEXUNPPqwGIIi11omas0l3qlGBn59QjXRqvnb2mMGk_jOI6TuuUBtYxrNPAWKLplmYVi4jGTS1jYgmsPeSXn1uJaFn6cighOm0Rp9J-uTCWlYz50XuM9YtSbr7tcG91FT5zvwqQV8R50SGAfEJ_PscbqnDrytNx5RFAqU6oEwpXRXts-BoL3Zc5efOBTGW8056IY1fKCk1zGPxXAE31WaWYPHFytPjKOqGikJIjC3_pW3KZ__K9IWGhNohzMMjDSix6HwkylwPrTrzWl9gF2-P7fITftrY0buSYct9BBhAuCzjNN967bxFq84Iw1TaWPYAhrirNbFK2_9scKcNyo8MXTsERTRZwmnck8pVOCxwTQBuzfLxaBFl1jKWkTGp9tJV0PMsvXotMbmUWbXdw&session_state=756b7e5a-24cf-46f9-a1d9-ea790fdf04a8 HTTP/1.0 200 395
2022-11-28 12:43:01: Local server auth mode (rrr.yyyyy.it:8443): closing local server and returning response http://rrr.yyyyy.it/auth-response?code=0.AUcA6hMctT5Txki5ZVejHY284QRju2mVqGRCr6n6T36oVaNHAGo.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P9uq92CYyRTZShPS420RnXUclp88kNOPSkwI1uNsVhRqLh521geAxmEJoj_WGe52zaN5YAJZ5Y8Zvz2ZAiY-LLGIhTMVc9DsCZKKj4Cm-5y9jrS1wWBtEvCDT5DjWT8WC5lapdQMwCmlZEadbWCgtW8B09lAXLUjDL3BhODM-bEKvD9QTiG8jPULtIe7RF8DCaM3Ak6T8zkYBLQfVOD0HXJuMXj7Tzbl4zzsY2EuNPuYgqzK5GbuQAAMbsai6VCIot2ZFoMj0a7HXRzo3kfRPhnL9aNqTpVDWIF3e9nurMm6BuzaWUhorPiNknl8yDMdZE-5Kc30LDwzi4ZkK2nZS8XOv6FWwLLSJc8U3ma2k3Kjsr33AuizplsVf5xBEXUNPPqwGIIi11omas0l3qlGBn59QjXRqvnb2mMGk_jOI6TuuUBtYxrNPAWKLplmYVi4jGTS1jYgmsPeSXn1uJaFn6cighOm0Rp9J-uTCWlYz50XuM9YtSbr7tcG91FT5zvwqQV8R50SGAfEJ_PscbqnDrytNx5RFAqU6oEwpXRXts-BoL3Zc5efOBTGW8056IY1fKCk1zGPxXAE31WaWYPHFytPjKOqGikJIjC3_pW3KZ__K9IWGhNohzMMjDSix6HwkylwPrTrzWl9gF2-P7fITftrY0buSYct9BBhAuCzjNN967bxFq84Iw1TaWPYAhrirNbFK2_9scKcNyo8MXTsERTRZwmnck8pVOCxwTQBuzfLxaBFl1jKWkTGp9tJV0PMsvXotMbmUWbXdw&session_state=756b7e5a-24cf-46f9-a1d9-ea790fdf04a8
2022-11-28 12:43:01: Authorisation result error for xxxxx@yyyyy.it - aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`
2022-11-28 12:43:01: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) <-- b'TAG1 NO LOGIN Email OAuth 2.0 Proxy: Login failed for account xxxxx@yyyyy.it: OAuth 2.0 authorisation response is missing or does not match `redirect_uri`\r\n'
2022-11-28 12:43:01: IMAP (192.168.250.20:1993; 192.168.250.20:54624->outlook.office365.com:993) <-- b'* BYE Autologout; authentication failed\r\n'

Open link in web broswer auth is ok:

Email OAuth 2.0 Proxy successfully authenticated account xxxxx@yyyyy.it

You can close this window.

I don't know how about the problem because redirect_uri is the same in the config file and in the app into azure.
What I'm in wrong?

Thanks in advance

[simonrob]

Are you using the most recent version of the proxy (i.e., the main branch), or the 2022-11-01 release?

A similar issue to this one (#96) led to a small edit to allow matching of redirect_uri regardless of scheme, but this is not yet part of a release. Please could you try a version from ec95826 or later?

[pstutzinger]

I've cloned the git repo a few hours ago from the main branch. Ive seen the closed issue #96. I also tried the older version with the fix mentioned in the thread, the error message differs but it does not work either.

[simonrob]

It's always hard to debug redacted logs unfortunately. Did you by any chance edit out the port from this line in your original post?

2022-11-28 09:03:08: Local server auth mode (10.2.0.14:8080): closing local server and returning response http://public-azure-vm-fqdn/oauth?code=<code-payload-redacted>&session_state=437afde4-a618-4084-8b57-a0185851b504

The expected value starts with your redirect_uri, so a port mismatch would cause this failure. The relevant matching function is here – you could edit this to match hostname rather than netloc to test whether this is the case (or post the unredacted log and just edit out the code rather than the rest of the details).

[Beule]

Hi ,

we are facing an similar issue when trying to add new accounts. It worked like a charm before. I also cloned the most recent script today.
In our case we have an haproxy upfront that handles the request to the server and forwards it to the loopback ip on port 443.

I can see that the port on the loopback is opened as soon as we receive the request for the login at microsoft.
Our Log looks like this, i just removed the company specific data:

Nov 29 15:54:18 <Hostname> python3[2508]: 2022-11-29 15:54:18: Please visit the following URL to authenticate account xxxxxx@yyyyyyy: https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/authorize?client_id=<ID>&redirect_uri=https%3A%2F%2F<OUR-OAUTH-DOMAIN>%3A443&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All%20offline_access&response_type=code&access_type=offline&login_hint=xxxxxx%40yyyyyyy
Nov 29 15:54:41 <Hostname> Email OAuth 2.0 Proxy: Authorisation result error for xxxxx@yyyyyy - aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`
Nov 29 15:54:41 <Hostname> Email OAuth 2.0 Proxy: IMAP (0.0.0.0:143; xxx.xxx.xxx.xxx:47194->outlook.office365.com:993) <-- b'0 NO LOGIN Email OAuth 2.0 Proxy: Login failed for account xxxxxx@yyyyyyy: OAuth 2.0 authorisation response is missing or does not match `redirect_uri`\r\n'
Nov 29 15:54:42 <Hostname> python3[2508]: 2022-11-29 15:54:41: Authorisation result error for xxxxxx@yyyyyyy - aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`
Nov 29 15:54:42 <Hostname> python3[2508]: 2022-11-29 15:54:41: IMAP (0.0.0.0:143; xxx.xxx.xxx.xxx:47194->outlook.office365.com:993) <-- b'0 NO LOGIN Email OAuth 2.0 Proxy: Login failed for account xxxxxx@yyyyyyy: OAuth 2.0 authorisation response is missing or does not match `redirect_uri`\r\n'

I already tried the line change you referenced to in 96 but it had no effect. I'm a bit clueless now what could be the problem as it worked before.
Maybe you have an idea?

We really love this tool, it helped us a lot in the past months as we are managing some systems where we simply cant switch the authentication within the next weeks or month.

[marcoideait]

Same problem here. try to config as issue #96 but nothing changes.
My config is an nginx reverse proxy upfront than bind 8443 port to server with email-oauth2-proxy on 8443. The problem still persist and the error is:

2022-11-29 17:32:03: Authorisation request received for xxxx@yyyy.it (local server auth mode)
2022-11-29 17:32:03: Email OAuth 2.0 Proxy Local server auth mode: please authorise a request for account xxxx@yyyy.it
2022-11-29 17:32:03: Local server auth mode (www.yyyy.it:8443): starting server to listen for authentication response
2022-11-29 17:32:03: Please visit the following URL to authenticate account xxxx@yyyy.it: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=69bb6304-a895-4264-afa9-fa4f7ea855a3&redirect_uri=https%3A%2F%2Fwww.yyyy.it%3A8443%2F&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FPOP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send%20offline_access&response_type=code&access_type=offline&login_hint=m.rossetti%40confindustriachpe.it
2022-11-29 17:32:39: Local server auth mode (www.yyyy.it:8443): received authentication response GET /?code=[code]&session_state=756b7e5a-24cf-46f9-a1d9-ea790fdf04a8 HTTP/1.0 200 395
2022-11-29 17:32:39: Local server auth mode (www.yyyy.it:8443): closing local server and returning response https://www.yyyy.it/?code=[code]&session_state=756b7e5a-24cf-46f9-a1d9-ea790fdf04a8
2022-11-29 17:32:39: Authorisation result error for xxxx@yyyy.it - aborting login. OAuth 2.0 authorisation response is missing or does not match `redirect_uri`
2022-11-29 17:32:39: IMAP (localhost:1993; 127.0.0.1:39518->outlook.office365.com:993) <-- b'TAG1 NO LOGIN Email OAuth 2.0 Proxy: Login failed for account xxxx@yyyy.it: OAuth 2.0 authorisation response is missing or does not match `redirect_uri`\r\n'

I think the problem is:
Local server auth mode (www.yyyy.it:8443): closing local server and returning response https://www.yyyy.it/....

why without 8443 port as returning response?

Sorry but I really don't understand why it is not ok. Thanks in advance

[simonrob]

It looks like for whatever reason you are all encountering a situation where Python's WSGI server does not return the port as part of the request_uri result, which is causing a mismatch. I cannot replicate this issue, so it would be very useful to know the operating system, Python version and proxy version you are running.

The relevant function in the proxy can be modified to use hostname rather than netloc as outlined in my earlier comment. I.e., replace this line with:

        return parsed_config.hostname == parsed_received.hostname and parsed_config.path.rstrip(

Does this fix the issue?

[dlazesz]

Would it be possible to add a configuration field to list the allowed redirect_uri items if they differ (e.g. the redirect_listen_address because proxying) from the one used in the OAuth 2.0 flow or allow the value of redirect_listen_address too?

[Beule]

For us the change from netloc to hostname solved the problem. Sometimes the error appears in the log but afterwards the success message comes in and the token is writen to the cache/config file.
If you want to investigate further our setup is as follow:
Python 3.9.2
Debian 11.4
Oauth-proxy 2022-11-10 but we had the same issue with 2022-08-17.

What i think is quite interessting is that it worked for some time without any issues. We had around 30 accounts in the config and then the problems started when we tried to add more accounts.

If you need any further information feel free to come back to me.

[marcoideait]

This my config:
CentOS Linux release 7.9.2009 (Core)
Python 3.6.8
oauth-proxy downloaded yesterday

Changing this:

  return parsed_config.netloc == parsed_received.netloc and parsed_config.path.rstrip(

to

    return parsed_config.hostname == parsed_received.hostname and parsed_config.path.rstrip(

Problem still persist:
2022-11-30 15:23:49: Local server auth mode (abc.ddd.it:8443): received authentication response GET /?code=0.AUcA6hMctT5Txki5ZVejHY284QRju2mVqGRCr6n6T36oVaNHAGo.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P_2CpuVUZVpUcQNsTinPNZKwDXYSndPTxo4D26-kKnaErR4Ug76ZOMMtbGmkOOOSSzdsoEiTQIc1CsLRDoH9F9pjlQTbb7QdFRDjL4RAxKd6o2Rj6sSJFnE93Pj1cgFrjFRuifCWoqKbFljyEGSzKxnJmH3HDEhwJpRlMu1GLNqtzjieshOmYL3UZMd8QSJunS-8dtPOx0ddZIDMnOM1VU9w30AukH67T6-ljKTIA2iY4RBaXDoccgUZqQSY7xMbiwXLRZWyav0g12LMuQmQQkgSjJ0PQtBZFGJkQQuKwWSS_3ViebD45pEnVbybAs4iAB9jHYzdCDIa32NRcIJyRkGHeIDtgSEjb0kCCNC78OhZZRYd0LldT6B7iI4RHFOdju1xkEUdqnWpmwC0Am18-RTetYwtkuveEXp1oA5WqkptZvkCJMqe5bPN-4KpbnyPZxeLe9twLgFi0ZoKVU6YelRBsp7zvCXu5xToVgcboQsZ7cRw83jd_1OYIlkLh1dS-5FD2XIJ5E3xmZ5PqkNOByKmnTG2POxChyYKyFXb7pfQVx9hgpM75GsW4Ur26g7stIBc9f_UtfwMirXrOBrYoWsJQeZd9zExbS3FVbg-oww8ErFi-bRYf-R1MhKozgMxfQyXJvgWvkJEgGWfJWjEf5WPttn5p2BN_rakyG83fxMVmNaKvAKgNHUlqWZ_s0f2Wc7Ws-FPaBWbXmTpqRuCFeeBEKGMUO-bJx-GoTpj9jYOfj6ZfkoVr2CYXNJ6fJpWCxBlppX&session_state=756b7e5a-24cf-46f9-a1d9-ea790fdf04a8 HTTP/1.0 200 395
Local server auth mode (abc.ddd.it:8443): closing local server and returning response https://abc.ddd.it/?code=0.AUcA6hMct....

authorisation result error for rrrr@ddd.it - aborting login. OAuth 2.0 authorisation response is missing or does not match redirect_uri

nothing changed for me

Thanks in advance

[marcoideait]

made a mistake in changing this:
return parsed_config.hostname == parsed_received.hostname and parsed_config.path.rstrip(

now it works. Thanks a lot

[simonrob]

Thanks for following up. As explained above, I still can't replicate this issue, but having looked through the wsgiref source, there might be a potential configuration where the port is not included in wsgiref.util.request_uri(), which is relied upon by the proxy.

Could you try reverting the change you made above, and instead editing this line to:

token_request['response_url'] = token_request['redirect_uri'].rstrip('/') + environ.get('PATH_INFO') + '?' + environ.get('QUERY_STRING')

I'd be grateful to hear whether this resolves the issue for you.

[simonrob]

The issue-103 branch contains this change. If I don't hear otherwise I'll merge this in the next week.

As noted above, the existing method works with no issues for me, and I cannot replicate your issue, but I can see how it might occur in certain configurations, so this is probably a change worth making.