Redirect issue with sample google configuration #7
Comments
|
Note: Looks like some of the angle brackets got stripped when I pasted the apache config. They are present |
|
Couple of things you might try:
Jim On Fri, 16 May 2014, Warren Strange wrote:
|
|
I run it on Ubuntu 14.04 ok, apache 2.4.7-1ubuntu4, but have to say it is the trunk so it differs from 1.2; can you enable the debug logs try trunk and send the output to me? |
|
Jim, I will fix the sample config on the cookie path |
|
I get OIDCCookiePath not allowed here So I assume that is a newer feature? On Fri, May 16, 2014 at 2:27 PM, Hans Zandbelt notifications@github.comwrote:
|
It can't go in the main section. I do like this (/oidc-return/ is my return url) <Location /oidc-return/> I don't protect the entire site. That's always a bad idea. I use <Location /oidc/> to protect the content at /oidc/... Jim |
|
Hans, Seems like OIDCCookiePath and OIDCCookie could be RSRC_CONF as well as ACCESS_CONF|OR_AUTHCFG. Most sites I expect would use just one setting for both of them. Jim On Fri, 16 May 2014, Hans Zandbelt wrote:
|
|
agreed, I will patch it separately; also curious if using OIDCCookiePath in its current form solves this issue |
|
Apache does not complain anymore - but I get the same behaviour. Hangs I see the oidcstate cookie now (based on your example). OIDCProviderIssuer accounts.google.com OIDCProviderAuthorizationEndpoint OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token OIDCProviderTokenEndpointAuth client_secret_post OIDCProviderUserInfoEndpoint OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs OIDCClientID OIDCClientSecret XXXXXX OIDCScope "openid email profile" OIDCRedirectURI https://www.example.com:1443/example/redirect_uri OIDCCryptoPassphrase password <Location /example/> OIDCCookiePath / OIDCCookie oidcstate Authtype openid-connect require valid-user On Fri, May 16, 2014 at 2:58 PM, jimfox notifications@github.com wrote:
|
|
With your redirect URL you would want locationmatch, i.e. <LocationMatch /example/> or else <Location /example/redirect_uri> Jim On Fri, 16 May 2014, Warren Strange wrote:
|
|
Still getting this error. I have tried a bunch of different combinations of the above Location and LocationMatch, and they have the same issue. I am now using the latest build (from source). One thing I see in the Apache logs is: So the redirect URL is getting messed up (note the extra :1443). Are you guys doing your testing with default http ports? (:80 :443?). Firefox eventual times out with a "Corrupted Content" error. Reloading the original page works (i.e. the cookie is getting set just fine, protected access works). This is not a show stopper for me right now - so not a big deal. |
|
indeed using a non-standard port was the problem and is fixed in 1d9dada; please see if that solves it for you |
|
Yup - that fixed the problem. Thanks Hans |
This could be an issue with my configuration
I am attempting to configure google as the OIDC provider. Using the 1.2 release on Ubuntu 14.04.
It kind of works, but has odd behaviour:
It simply hangs at this point - on both firefox and chrome.
However - if I let it timeout, and then reload the /example page - it comes up OK!, and I can see that the oidc cookie is set.
I tried fiddling with the redirect url (/redirect_uri with and without trailing /) but that did not make a difference. So it appears that the odic module processes the assertion OK from google- but gets hung up trying to redirect back the original URL.
Here is my config
OIDCProviderIssuer accounts.google.com
OIDCProviderAuthorizationEndpoint https://accounts.google.com/o/oauth2/auth?approval_prompt=force
OIDCProviderTokenEndpoint https://accounts.google.com/o/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://www.googleapis.com/plus/v1/people/me/openIdConnect
OIDCProviderJwksUri https://www.googleapis.com/oauth2/v2/certs
OIDCClientID 431631896232-kdioacia46qnhv0uvp8rfh6es9t6rbp5.apps.googleusercontent.com
OIDCClientSecret XXXXXXXXXXXXXX
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/example/redirect_uri
OIDCCryptoPassphrase password
<Location /example/>
Authtype openid-connect
require valid-user
The text was updated successfully, but these errors were encountered: