Error 400: invalid_request - You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. #288

Closed
jarrah31 opened this issue Dec 4, 2021 · 1 comment


jarrah31 commented Dec 4, 2021

I've been successfully using Google OAuth with my Docker containers for years, but for some reason it's recently stopped working, giving the following error:
[screenshot of the Google error dialog]
I don't know if it's related, but the following messages appear in the OAuth logs when Trace logging is enabled.

level=warning msg="You are using \"secure\" cookies for a request that was not received via https. You should either redirect to https or pass the \"insecure-cookie\" config option to permit cookies via http." handler=Auth host=app3.example.com method=GET proto="https,wss" rule=default source_ip=192.168.1.1 uri=/

level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_7553f6=xxxxxxxxxxxx; Path=/; Domain=example.com; Expires=Sat, 04 Dec 2021 14:05:03 GMT; HttpOnly; Secure" handler=Auth host=app3.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=xxxxxxxxxxx.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%2Cwss%3A%2F%2Foauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=xxxxxxxxxxxxxxx%3Agoogle%3Ahttps%2Cwss%3A%2F%2Fapp3.example.com%2F" method=GET proto="https,wss" rule=default source_ip=192.168.1.1 uri=/

Is it normal to have wss in the redirect_uri and/or 'proto="https,wss"'? Where is this set?

I use Traefik and OAuth with the following configuration:

  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    restart: always
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=$GOOGLE_CLIENT_ID
      - PROVIDERS_GOOGLE_CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL,$MY_EMAIL2,$MY_EMAIL3
      - LOG_LEVEL=trace #  was warn
      - LOG_FORMAT=text
      - LIFETIME=864000 # 10 days
      - DEFAULT_ACTION=auth
      - DEFAULT_PROVIDER=google
    labels:
      - "com.centurylinklabs.watchtower.enable=true"      
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.oauth-rtr.tls=true"
      - "traefik.http.routers.oauth-rtr.entrypoints=https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=4181"

Traefik Middleware for OAuth:

    middlewares-oauth:
      forwardAuth:
        address: "http://oauth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"

The redirect URI on Google's Dev console is:
[screenshot of the redirect URI configured in the Google console]

Here are the Docker labels I use for Portainer as an example:

    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.portainer-rtr.entrypoints=https"
      - "traefik.http.routers.portainer-rtr.rule=Host(`portainer.$DOMAINNAME`)"
      - "traefik.http.routers.portainer-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.portainer-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.portainer-rtr.service=portainer-svc"
      - "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"

jarrah31 commented Dec 4, 2021

My bad, I had the following in the middlewares-secure-headers section. Removing this fixed the problem.

        customRequestHeaders:
          X-Forwarded-Proto: https,wss

jarrah31 closed this as completed Dec 4, 2021
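The trace log shows where the bad value came from: the auth service takes the scheme straight from the X-Forwarded-Proto header it receives from Traefik, and a customRequestHeaders middleware had overwritten that header with "https,wss", so the literal string "https,wss://oauth.example.com/_oauth" was sent to Google as redirect_uri. The following Go program is an added example, not traefik-forward-auth's own code; it assumes the redirect URI is assembled as scheme + AUTH_HOST + URL_PATH, models the unchecked interpolation that reproduces the broken URI, and beside it a builder that rejects anything other than a single http or https token. Config, RedirectURI, UnsafeRedirectURI, forwardedProto and requestWithProto are names chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Config holds the two settings from the compose file that shape the redirect URI
// (AUTH_HOST and URL_PATH). Field names are this example's own.
type Config struct {
	AuthHost string // e.g. "oauth.example.com"
	URLPath  string // e.g. "/_oauth"
}

// ErrBadProto is returned when X-Forwarded-Proto is not one plain HTTP scheme.
var ErrBadProto = errors.New("X-Forwarded-Proto must be exactly \"http\" or \"https\"")

// forwardedProto reads the scheme the reverse proxy reported and accepts only a
// single http/https token. A comma-separated list such as "https,wss" (what the
// customRequestHeaders middleware in the issue injected) is rejected here.
func forwardedProto(r *http.Request) (string, error) {
	proto := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
	switch proto {
	case "http", "https":
		return proto, nil
	default:
		return "", fmt.Errorf("%w: got %q", ErrBadProto, proto)
	}
}

// RedirectURI builds redirect_uri from the validated scheme plus the configured
// auth host and callback path. Assumption: this mirrors how the auth service
// derives the value; it is not the project's implementation.
func RedirectURI(cfg Config, r *http.Request) (string, error) {
	proto, err := forwardedProto(r)
	if err != nil {
		return "", err
	}
	u := &url.URL{Scheme: proto, Host: cfg.AuthHost, Path: cfg.URLPath}
	return u.String(), nil
}

// UnsafeRedirectURI interpolates the header verbatim, which is what produced
// "https,wss://oauth.example.com/_oauth" in the trace log. Kept for comparison.
func UnsafeRedirectURI(cfg Config, r *http.Request) string {
	return fmt.Sprintf("%s://%s%s", r.Header.Get("X-Forwarded-Proto"), cfg.AuthHost, cfg.URLPath)
}

// requestWithProto constructs the request Traefik's forwardAuth middleware would
// send to the auth container (constructed sample input, not a captured request).
func requestWithProto(proto string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://oauth:4181/", nil)
	r.Header.Set("X-Forwarded-Proto", proto)
	r.Header.Set("X-Forwarded-Host", "app3.example.com")
	return r
}

func main() {
	cfg := Config{AuthHost: "oauth.example.com", URLPath: "/_oauth"}
	// First the broken header from the issue, then the value Traefik sets on its own.
	for _, proto := range []string{"https,wss", "https"} {
		r := requestWithProto(proto)
		fmt.Printf("header %q -> unchecked redirect_uri=%s\n", proto, UnsafeRedirectURI(cfg, r))
		if uri, err := RedirectURI(cfg, r); err != nil {
			fmt.Printf("header %q -> rejected: %v\n", proto, err)
		} else {
			fmt.Printf("header %q -> redirect_uri=%s\n", proto, uri)
		}
	}
}
```

The point of the check is that with trustForwardHeader: true the auth service believes whatever X-Forwarded-* headers reach it, so any middleware (or, if the entrypoint is reachable directly, any client) that can set X-Forwarded-Proto decides the scheme of the redirect_uri and of the return URL carried in state. Traefik already populates X-Forwarded-Proto from the entrypoint; a customRequestHeaders override of it is unnecessary and, as here, breaks the OAuth flow.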