Grafana OAuth2 by Google and HTTPS - google-oauth

Trying to set up OAUTH 2 for access to Grafana (https by openssl)
Grafana v8.0.5 is hosted on AWS EC2 accessed via subdomain. Been working fine for months but time came to improve security, hence https & OAuth.
I followed this link and configured https access & SSL. Worked like a charm!
I followed this link to configure Google OAuth here
Below are the server options in grafana.ini:
[server]
#Protocol (http, https, h2, socket)
protocol = https
#The ip address to bind to, empty will bind to all interfaces
;http_addr =
#The http port to use
http_port = 3000
#;http_port = 80
#The public facing domain name used to access grafana from a browser
domain = grafana.redacted.io
#Redirect to correct domain if host header does not match domain
#Prevents DNS rebinding attacks
;enforce_domain = false
#The full public facing url you use in browser, used for redirects and emails
#If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://grafana.redacted.io/login/google/
#Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false
Google.Auth options in grafana.ini are:
[auth.google]
enabled = true
allow_sign_up = false
client_id = theClientIdFromGoogleCloudConsole
client_secret = theClientSecretFromGoogleCloudConsole
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains = redacted.io
Google Console Settings
Authorised JS Origins: https://grafana.redacted.io:3000
Authorised redirect URIs: https://grafana.redacted.io/login/google
grafana service restarted and instance restarted.
Visiting URL:
https://grafana.redacted.io:3000 forwards to https://grafana.redacted.io:3000/login/google/login - page won't load
https://grafana.redacted.io:3000/login loads a page with text telling me "If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath. If not using a reverse proxy make sure to set serve_from_sub_path to true."
Try:
serve_from_sub_path = true
Then revisit URL 2, the login page will load with the Google Auth button. Clicking it loads "Error 400: redirect_uri_mismatch". This is obviously not correct and, reading the specs, I know I need this to be false
redirect_uri: https://grafana.redacted.io/login/google/login/google
Try:
root_url = https://grafana.redacted.io:3000/login/google
serve_from_sub_path = false
Update Google Console Redirect URL to equal root_url. Revisit URL 2 (above) and login screen loads again; click Google, safari error:
Too many redirects occurred trying to open "https://grafana.redacted.io:3000/login/google/login"
Why the extra /login again?
OK, so I can get all the way through to signing in with Google:
Try:
root_url = https://grafana.redacted.io/
serve_from_sub_path = false
Google Console left as: https://grafana.redacted.io/login/google
Visit link 2 above, page loads, sign in screen appears, 2FA on google all good, then
"Safari can't open the page "https://grafana.redacted.io/login/google?state...etc.etc.""
Why, when all redirects are set equal, is a /login being appended to the URL?
Spent ages on this, and would really appreciate some help
Thanks

In grafana.ini (v8.0.5) whenever I set the root_url to that directed by the Grafana Google OAuth2 docs it added stuff to the URL and this threw a redirect mismatch error.
Thanks #DalmTo for the video link. I took this and experimented...follow below
Grafana.ini
root_url = https://grafana.redacted.io:3000/xxxx/
serve_from_sub_path = true
The "xxxx" can be anything except the word "login". I've tried some random stuff and it all works, except using the word login; I'm actually using "google" lol. Be sure to append the final /
Google Console: set the Redirect URI to https://grafana.redacted.io:3000/xxxx/login/google
Grafana UI will be available at https://grafana.redacted.io:3000/
It's not really a solution, more a work around.
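As an added check (not Grafana's code and not from the original post), the helper below derives the redirect_uri that Grafana will present to Google from root_url, assuming, as the redirect_uri values quoted in the question show, that the callback is root_url followed by login/google. It then compares that with the URI registered in the Google Console component by component, since redirect_uri_mismatch is raised on any difference in scheme, host, port or path. The root_url and Console values are the ones from the question; the function names are my own.

```python
"""Derive Grafana's Google redirect_uri from root_url and compare it with the
URI registered in the Google Console.

Added example, not Grafana code. Assumption (taken from the redirect_uri values
quoted in the question): the callback is root_url + "login/google".
"""
from urllib.parse import urlsplit

GOOGLE_CALLBACK = "login/google"  # path Grafana appends for [auth.google]


def expected_redirect_uri(root_url: str) -> str:
    """Return the redirect_uri Grafana will send to Google for this root_url."""
    base = root_url if root_url.endswith("/") else root_url + "/"
    return base + GOOGLE_CALLBACK


def _components(uri: str) -> tuple:
    """Split a URI into the parts Google compares: scheme, host:port, path."""
    parts = urlsplit(uri)
    return (parts.scheme, parts.netloc, parts.path)


def check_registration(root_url: str, registered) -> dict:
    """Compare the derived redirect_uri with the Console's registered URIs.

    Returns the derived URI, whether any registered URI matches exactly, and,
    when none does, which components (scheme, host/port, path) differ for each
    registered entry so the operator knows what to fix.
    """
    derived = expected_redirect_uri(root_url)
    want = _components(derived)
    names = ("scheme", "host/port", "path")
    mismatches = []
    for reg in registered:
        have = _components(reg)
        if have == want:
            return {"redirect_uri": derived, "match": True, "mismatch": []}
        mismatches.append(
            {n: (w, h) for n, w, h in zip(names, want, have) if w != h}
        )
    return {"redirect_uri": derived, "match": False, "mismatch": mismatches}


if __name__ == "__main__":
    # The question's first attempt: root_url already contains /login/google,
    # so Grafana appends login/google a second time.
    print(check_registration("https://grafana.redacted.io/login/google/",
                             ["https://grafana.redacted.io/login/google"]))
    # The workaround from the answer: a subpath that is not "login".
    print(check_registration("https://grafana.redacted.io:3000/xxxx/",
                             ["https://grafana.redacted.io:3000/xxxx/login/google"]))
```

Run it after every edit to root_url: if "match" is False, the "mismatch" entries name the exact component to change in either grafana.ini or the Console. A port that appears in one place but not the other is reported as a host/port difference, which is the case for several of the combinations tried in the question.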

Related

Keycloak - Proxy / Front End Url / Javascript client redirect issue

I'm attempting to use Keycloak for some future projects and it's still very new to me so I'm plugging away reading through the docs and searching for issues online but I'm currently stumped on one thing - I have a vuejs app I’ve added as a client (127.0.0.1:3001), I have a reverse proxy setup in IIS (idp.mc.local) and then a docker container on Windows with keycloak running (127.0.0.1:8080), when I attempt to login, instead of being redirected back to the vuejs client I am just getting redirected to the root of the reverse proxy with the state value in the url, as in the network logs in the screenshot below:
Network logs showing incorrect 'Location' redirect
If I don’t set a front end url for the realm and bypass the proxy / hook my vuejs client to login via Keycloak directly on 127.0.0.1:8080, it redirects to 127.0.0.1:3001/#state… correctly, as below:
Network logs showing correct 'Location' redirect
I can't spot any way to sort this issue, I thought the front end url for the realm should state the proxy address? I can't see why Keycloak would redirect to it at the end of the login process rather than to my client app url, the redirect_uri is being ignored by keycloak and for some reason taking me back to the root of my proxy domain. If I actually manually visit 127.0.0.1:3001/#state… with the state value copied in from the incorrect redirect, I log in successfully.
It's baffling me and any help would be appreciated!
The answer did turn out to be an IIS-related issue, with the setup of Application Request Routing / ARR being the problem. What was needed was to edit the settings for IIS Application Request Routing and uncheck the option:
Reverse rewrite host in response headers as can be seen in the image below:
IIS ARR Checkbox to untick
Hopefully this will be helpful for someone else who might have the same issue at some point!

Deezer API Redirect does Not Work on Localhost

I am trying to set up an OAUTH flow with python to connect to the Deezer API. I am using flask as my local server.
However, when I try to connect as a user, I get the message "You must enter a valid redirect URI" and I am not redirected back to my localhost site. I have tried the following in the Deezer app settings, but nothing works!
Application Domain: 127.0.0.1:5000;
Redirect URL: http://127.0.0.1:5000/deez_authorized
Application Domain: localhost:5000;
Redirect URL: http://localhost:5000/deez_authorized
Application Domain: localhost;
Redirect URL: http://localhost:5000/deez_authorized
I have searched all related questions on stack overflow, but none have answered the issue. Surely you must be able to use localhost for development purposes no?

Using cloudflare flexible ssl option causes login form to refresh instead of sending request

I am using cloudflare's "flexible ssl" as an intermediary between client and my site.
After setting this up, I went to the browser and tried accessing my site via https:
https://example.com/login
and everything works. I fill in my login info and log in successfully and am not on http://example.com . I manually enter https://example.com/* where * is many other pages and it all works fine.
Now I want to redirect all requests to use the seemingly working https. So I go to my cloudflare account on their website and create a page rule: http://example.com/* to always use https.
Now I go to example.com/login and am successfully redirected to https://example.com/login. I fill in my login information and submit the login form, the page refreshes and I am back to https://example.com/login with an empty login form.
Anyone know what the problem is or how to help troubleshoot?
I am using laravel as a framework for the site and apache as the webserver.
create a page rule : http://example.com/* to always use https
Noted. Be aware that CloudFlare does this by accepting every HTTP request on http://example.com/* and returning a 301 redirect to the equivalent HTTPS request. The browser completes the redirect by sending a GET request to the HTTPS URL.
I fill in my log in information and submit the login form
Check the login form source carefully and check what URL the login form is submitted to. My guess is that the form is submitted to http://example.com/login or something similar. CloudFlare will accept the POST request to http://example.com/login and return a 301 redirect to https://example.com/login -- which your browser will complete as a GET request and hence not send the login data.
So your best solution is to make sure that your login form POSTs to the correct HTTPS URL not to the HTTP URL.
That's my best guess anyway.
how to help troubleshoot?
Ensure that you are using different log files to distinguish between HTTP and HTTPS requests on your server.
Some other suggestions:
Get a Let's Encrypt SSL certificate and put that on your site so that the communication between CloudFlare and your site is all SSL. https://letsencrypt.org/
Ensure that HSTS is turned on for all of your HTTPS requests so that the browser will know not to send any requests to any HTTP URLs.
Create a development server where you can test all of this working with HTTPS between the browser and the web server without CloudFlare. Once you've got it all working in HTTPS mode without CloudFlare then you can try it with CloudFlare and you should get essentially the same results. Your problem is with the HTTP -> HTTPS switch, not specifically with CloudFlare.
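The form-action check suggested in this answer, as an added example that is not part of the original answer: it parses a page's HTML with the standard library, resolves every form's action against the page URL the way a browser does, and reports POST forms whose resolved target is plain http://. Those are the forms whose submission the HTTP-to-HTTPS redirect will turn into a bodiless GET. The sample HTML is constructed for the example; example.com is the placeholder domain the question already uses.

```python
"""Flag login forms that would POST over plain HTTP behind an HTTP->HTTPS redirect.

Added example, not part of the original answer. The sample HTML below is
constructed. A POST to an http:// action is answered by the redirect rule with
a 301, which the browser follows as a GET, so the credentials never arrive.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (method, action) for every <form> element in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            method = (a.get("method") or "get").lower()
            action = a.get("action") or ""
            self.forms.append((method, action))


def insecure_post_targets(page_url: str, html: str) -> list:
    """Return resolved action URLs of POST forms that target http://.

    A missing or relative action is resolved against page_url, exactly as the
    browser does, so a relative action on an https:// page is fine.
    """
    parser = _FormCollector()
    parser.feed(html)
    bad = []
    for method, action in parser.forms:
        target = urljoin(page_url, action)  # "" resolves to the page itself
        if method == "post" and urlsplit(target).scheme == "http":
            bad.append(target)
    return bad


def redirect_breaks_post(status: int) -> bool:
    """True for redirect codes browsers follow by switching POST to GET.

    301, 302 and 303 are followed with a GET in practice; 307 and 308 preserve
    the method and body. The "always use HTTPS" rule answers with a 301.
    """
    return status in (301, 302, 303)


# Constructed sample: the first form still hard-codes the http:// scheme.
SAMPLE_HTML = """
<form method="post" action="http://example.com/login">
  <input name="email"><input name="password" type="password">
</form>
<form method="post" action="/logout"></form>
<form action="/search"></form>
"""

if __name__ == "__main__":
    for url in insecure_post_targets("https://example.com/login", SAMPLE_HTML):
        print("login data would be dropped by the redirect:", url)
```

Point it at the rendered login page (the HTML as served, not the template source) so that any absolute URL the framework generated from a misconfigured application URL is caught too.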

hybridauth: redirect URI is not whitelisted in the app

I am configuring the single sign-on feature with the hybridauth plugin. It took me 2 days to set this up. However, I am getting a redirect URI error with Facebook and Google.
In Google and Facebook I have given the website name like this: http://example.com
I didn't find anywhere to put the redirect URL.
Now when I click on Facebook or Google, I am getting the error below.
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings.
Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
Google error is below.
400. That’s an error.
Error: redirect_uri_mismatch
The login page exists on the root and there is a folder I have created for hybridauth.
Inside that folder is the index.php file.
In the config.php file I have given base_url like this.
"base_url" => "http://example.com/hybridauth/index.php",
I know this question doesn't have much code. But as far as I can tell the issue is with base_url and the Facebook/Google OAuth API.
You should be able to set Authorized redirect URIs on the provider's page. For example, on Google's Developer Console, you should be able to set the Authorized redirect URIs on the Credentials tab for your app:

Authenticate sites with different domain names using the Facebook API

We have a CMS that supports multiple sites, one of our features allows our users (The site admin) to connect to the site facebook account to allow status updates, create events and upload pictures to FB from with in the CMS.
The authentication needs to occur once since each site may have multiple site admins that do not have access to the site FB user name and password. We use an iframe and authenticate using $facebook->require_login(), which redirects the user to the FB login and authentication pages.
All this works just fine but when the user hits "Allow" the authentication will break as it will only redirect to whatever is in the "Post-Authorize Redirect URL" field making the app obsolete for any other domain except the one in the "Post-Authorize Redirect URL"
I know other APIs' authentication methods, like Vimeo's and YouTube's, will allow you to specify a NEXT parameter which is the equivalent of the "Post-Authorize Redirect URL" and it can be set at run time.
How can I make this work for multiple domain names?
Any hints on this issue will be of great help
If the callback page is in your domain, that page could act as a proxy; all you have to do is pass the parameters needed by the proxy page to redirect the user to the proper location. For example I used the URL of the domain I want to redirect to and an ID needed for me to know which user I am dealing with.
My code ended up looking something like this:
Authorize link:
$authorizeURL = "http://www.facebook.com/authorize.php?api_key=" . $facebookApiKey . "&v=1.0&ext_perm=status_update&domainName=$domainName&path=/path/to/my/next/page.php";
and the "proxy" code would look something like this:
<?php
// Callback ("proxy") page: Facebook always returns here, then we forward the user on.
$path       = $_GET['path'] ?? '';
$query      = $_GET['query'] ?? '';
$domainName = $_GET['domainName'] ?? '';
// Only forward to domains this CMS actually hosts; otherwise this page is an open
// redirector. Placeholder list: replace with a lookup against your own site table.
$allowedDomains = ['site-one.example', 'site-two.example'];
if (!in_array($domainName, $allowedDomains, true)) {
    http_response_code(400);
    exit('Unknown site');
}
// If you happen to have a query, get the values like this:
parse_str($query, $queryValues);
$id = $queryValues['id'] ?? null;
// Construct the URL where your user came from, or where you want them to be redirected.
$url = "http://$domainName/$path" . ($query !== '' ? "?$query" : '');
header("Location: " . $url);
exit;
This is not the whole code, but it will give you an idea on how to do it.
Make a separate domain used only for FB authentication.