Omniauth and open_id with Google broke when running over nginx in SSL mode

With Rails 3.0.12 and the latest omniauth, I can connect to Google and get the user's email address just fine. But when I run the same Rails application behind nginx in SSL mode, it fails with the Google page:

"The page you requested is invalid." 

Is this my nginx configuration? My omniauth installation?

I know that X-Forwarded-Proto: https is a special sauce, is there anything else I need to do to get openid happy behind the SSL web server?

Here's a complete code example: you can clone this repo, bundle install and run rails s to see that it works fine, and run rake server to see that it worked. https://github.com/jjulian/open_id_ssl

nginx.conf:

    worker_processes 2;
    pid tmp/nginx.pid;
    error_log log/error.log;
    daemon off;

    events {
    }

    http {
      client_body_temp_path tmp/body;
      proxy_temp_path tmp/proxy;
      fastcgi_temp_path tmp/fastcgi;
      uwsgi_temp_path tmp/uwsgi;
      scgi_temp_path tmp/scgi;

      server {
        listen 3000 ssl;
        ssl_certificate development.crt;
        ssl_certificate_key development.key;
        ssl_verify_depth 6;

        access_log log/access.log;
        proxy_buffering off;

        location / {
          proxy_pass http://127.0.0.1:3300;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $http_host;
          proxy_redirect off;
          proxy_set_header X-Forwarded-Proto https;
        }
      }
    }

omniauth.rb initializer:

    require 'openid/store/filesystem'

    Rails.application.config.middleware.use OmniAuth::Builder do
      provider :open_id, :identifier => 'https://www.google.com/accounts/o8/id'
    end

routes.rb:

    OpenIdSsl::Application.routes.draw do
      match '/auth/open_id/callback' => 'accounts#update'
      match '/auth/failure' => 'accounts#failure'
      root :to => 'accounts#show'
    end

UPDATE: This example uses Rails 3.1.12 and OmniAuth 1.0.3. Upgrading to Rails 3.1.4 and OmniAuth 1.1.0 fixes the problem.

+6
2 answers

Found your problem, I'm still trying to find something cleaner, but here is a quick and dirty fix:

Add this to your config/initializers/omniauth.rb:

    # Monkey-patch: force the OpenID realm to the external (nginx, https) URL
    class Rack::OpenID
      def realm_url(req)
        'https://localhost:3000'
      end
    end

And now for the explanation: when rack-openid builds the request to send to the Google OpenID server, it fails in one place, using the Rails access URL and not the nginx one (which uses SSL), resulting in this being sent to the OpenID server:

    openid.realm:http://localhost:3001
    openid.return_to:https://localhost:3001/auth/open_id/callback

The realm uses the http URL (the Rails URL), and return_to points to the right https URL (nginx); when the OpenID server sees that, it stops and returns an error.

PS: I will edit the answer if I can find a cleaner way.

+2
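
The realm/return_to mismatch described in the answer above, as an added example that is not part of the original post or of rack-openid: it derives the external base URL from the proxy headers the question's nginx.conf sets, then applies the OpenID 2.0 realm matching rules. The helper names and the sample Rack env are hypothetical, and the code assumes nginx is the only path to the app, so X-Forwarded-Proto cannot be supplied by a client.

```ruby
require 'uri'

# Hypothetical helper (not rack-openid API): the base URL as the browser sees
# it. Assumes every request arrives through the nginx proxy, which overwrites
# X-Forwarded-Proto and forwards the original Host header.
def external_base_url(env)
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
  proto = env['rack.url_scheme'].to_s if proto.empty?
  "#{proto}://#{env['HTTP_HOST']}"
end

# Hypothetical check following the OpenID 2.0 realm rules (spec section 9.2):
# no fragment in the realm, equal scheme and port, realm host equal to the
# return_to host (or a "*." wildcard covering it), realm path a parent path.
def return_to_matches_realm?(realm, return_to)
  wildcard = realm.include?('://*.')
  r = URI.parse(realm.sub('://*.', '://'))
  t = URI.parse(return_to)
  return false if r.fragment
  return false unless r.scheme == t.scheme && r.port == t.port
  host_ok = r.host == t.host || (wildcard && t.host.end_with?(".#{r.host}"))
  r_path = r.path.empty? ? '/' : r.path
  t_path = t.path.empty? ? '/' : t.path
  r_dir = r_path.end_with?('/') ? r_path : "#{r_path}/"
  host_ok && (t_path == r_path || t_path.start_with?(r_dir))
end

# Constructed Rack env: what the app behind the question's nginx.conf sees.
PROXIED_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_HOST' => 'localhost:3000',
  'HTTP_X_FORWARDED_PROTO' => 'https'
}.freeze

if __FILE__ == $PROGRAM_NAME
  base = external_base_url(PROXIED_ENV)
  # Realm and return_to both built from the external URL: accepted
  puts return_to_matches_realm?(base, "#{base}/auth/open_id/callback")
  # The pair quoted in the answer (http realm, https return_to): rejected
  puts return_to_matches_realm?('http://localhost:3001',
                                'https://localhost:3001/auth/open_id/callback')
end
```

Running a check like this in a test or at boot surfaces a proxy that drops X-Forwarded-Proto before the OpenID provider rejects the request.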

Most likely you need to configure your Google app callback URL to add https instead of http.

I have several applications configured: one for testing with rails s, another for intermediate deployment, and another for production deployments.

0

Source: https://habr.com/ru/post/912513/

