Redirect issue with sample google configuration #7
Comments
Note: Looks like some of the angle brackets got stripped when I pasted the apache config. They are present
Couple of things you might try:
Jim
On Fri, 16 May 2014, Warren Strange wrote:
I run it on Ubuntu 14.04 ok, apache 2.4.7-1ubuntu4, but have to say it is the trunk so it differs from 1.2; can you enable the debug logs, try trunk and send the output to me?
Jim, I will fix the sample config on the cookie path
I get "OIDCCookiePath not allowed here". So I assume that is a newer feature?
On Fri, May 16, 2014 at 2:27 PM, Hans Zandbelt notifications@github.com wrote:
It can't go in the main section. I do like this (/oidc-return/ is my return url)
<Location /oidc-return/>
I don't protect the entire site. That's always a bad idea. I use <Location /oidc/> to protect the content at /oidc/...
Jim
Hans, Seems like OIDCCookiePath and OIDCCookie could be RSRC_CONF as well as ACCESS_CONF|OR_AUTHCFG. Most sites I expect would use just one setting for both of them.
Jim
On Fri, 16 May 2014, Hans Zandbelt wrote:
agreed, I will patch it separately; also curious if using OIDCCookiePath in its current form solves this issue
Apache does not complain anymore - but I get the same behaviour. Hangs. I see the oidcstate cookie now (based on your example).
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID
OIDCClientSecret XXXXXX
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/example/redirect_uri
OIDCCryptoPassphrase password
<Location /example/>
OIDCCookiePath /
OIDCCookie oidcstate
Authtype openid-connect
require valid-user
</Location>
On Fri, May 16, 2014 at 2:58 PM, jimfox notifications@github.com wrote:
With your redirect URL you would want locationmatch, i.e. <LocationMatch /example/> or else <Location /example/redirect_uri>
Jim
On Fri, 16 May 2014, Warren Strange wrote:
Still getting this error. I have tried a bunch of different combinations of the above Location and LocationMatch, and they have the same issue. I am now using the latest build (from source). One thing I see in the Apache logs is: So the redirect URL is getting messed up (note the extra :1443). Are you guys doing your testing with default http ports? (:80 :443?). Firefox eventually times out with a "Corrupted Content" error. Reloading the original page works (i.e. the cookie is getting set just fine, protected access works). This is not a show stopper for me right now - so not a big deal.
indeed using a non-standard port was the problem and is fixed in 1d9dada; please see if that solves it for you
Yup - that fixed the problem. Thanks Hans
This could be an issue with my configuration
I am attempting to configure google as the OIDC provider. Using the 1.2 release on Ubuntu 14.04.
It kind of works, but has odd behaviour:
It simply hangs at this point - on both firefox and chrome.
However - if I let it timeout, and then reload the /example page - it comes up OK!, and I can see that the oidc cookie is set.
I tried fiddling with the redirect url (/redirect_uri with and without trailing /) but that did not make a difference. So it appears that the oidc module processes the assertion OK from google - but gets hung up trying to redirect back to the original URL.
Here is my config
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID 431631896232-kdioacia46qnhv0uvp8rfh6es9t6rbp5.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/example/redirect_uri
OIDCCryptoPassphrase password
<Location /example/>
Authtype openid-connect
require valid-user
</Location>
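
The port duplication reported in this thread (the "extra :1443"), as an added C example that is not the module's code or the 1d9dada change. It assumes the duplicate came from appending the listener port to a Host header that already carried one; the function names and inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a Host header value already carries ":port".
 * Handles IPv6 literals such as "[::1]:1443". */
static int host_has_port(const char *host)
{
    const char *p = host;
    if (*host == '[') {                 /* IPv6 literal: look after ']' */
        p = strchr(host, ']');
        if (p == NULL) return 0;
    }
    return strchr(p, ':') != NULL;
}

/* Naive form (assumed failure mode): always appends the listener port, so
 * a Host value of "www.example.com:1443" becomes "www.example.com:1443:1443". */
int base_url_naive(const char *scheme, const char *host, int port,
                   char *out, size_t len)
{
    int n = snprintf(out, len, "%s://%s:%d", scheme, host, port);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Corrected form: keep a port already present in Host; otherwise add the
 * listener port only when it is not the default for the scheme. */
int base_url(const char *scheme, const char *host, int port,
             char *out, size_t len)
{
    int dflt = strcmp(scheme, "https") == 0 ? 443 : 80;
    int n;
    if (host_has_port(host) || port == dflt)
        n = snprintf(out, len, "%s://%s", scheme, host);
    else
        n = snprintf(out, len, "%s://%s:%d", scheme, host, port);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* -1 on truncation */
}

int main(void)
{
    char buf[128];
    /* Constructed inputs using the host name and port from the thread. */
    base_url_naive("https", "www.example.com:1443", 1443, buf, sizeof buf);
    printf("naive: %s\n", buf);
    base_url("https", "www.example.com:1443", 1443, buf, sizeof buf);
    printf("fixed: %s\n", buf);
    return 0;
}
```

A URL rebuilt this way has to match the configured OIDCRedirectURI exactly, which is why the problem stays hidden on :80 and :443.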