Omniauth with AWS Cognito returns /error?error=redirect_mismatch

I am using the gitlab/gitlab-ce:latest Docker image running on AWS ECS (Fargate) and trying to configure AWS Cognito as my IdP.

I’ve set up the Cognito User Pool and updated the gitlab.rb file as described here:

I see the Cognito button when the GitLab login page loads, but when clicking I get the error. Looking in the Network trace (F12) I can see the mismatch error as it’s sending HTTP://ip-10-x-x-x.$region.compute.internal/users/auth/cognito/callback instead of the callback url configured in Cognito.

I can’t change the Callback URL as it needs to be HTTPS, and I’d rather use a CNAME.

I’ve been looking for a way to add the redirect_url but I can’t get it to work. I’ve looked through this but can’t see anything:

This page suggests there is a parameter but isn’t strictly for Cognito and it isn’t working for me:

Here is my config.rb extract:

gitlab_rails['omniauth_providers'] = [
  {
    name: "cognito",
    # GitLab builds the callback path from the provider name:
    # /users/auth/<name>/callback (the path visible in the network trace above).
    # For a provider named "cognito" that is .../users/auth/cognito/callback,
    # not .../users/auth/oauth2_generic/callback.
    redirect_url: "https://gitlab.sandbox.mydomain.co.uk/users/auth/cognito/callback",
    app_id: "APPID",
    app_secret: "SECRETID",
    args: {
      scope: "openid profile email",
      client_options: {
        site: "https://sandbox.auth.eu-west-2.amazoncognito.com",
        authorize_url: "/oauth2/authorize",
        token_url: "/oauth2/token",
        user_info_url: "/oauth2/userInfo"
      },
      user_response_structure: {
        root_path: [],
        id_path: ["sub"],
        attributes: {
          nickname: "email",
          name: "email",
          email: "email"
        }
      },
      name: "cognito",
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]

I’m at a loss so any help would be appreciated.

I’ve tried again this morning with Cognito, OAuth2Generic and Azure and all fail with the same problem. The redirect_url in the request is using the hostname of the Fargate instance.

gitlab_rails['omniauth_external_providers'] = ['cognito', 'azure_activedirectory_v2', 'oauth2_generic']
gitlab_rails['omniauth_allow_single_sign_on'] = ['cognito', 'azure_activedirectory_v2', 'oauth2_generic']
gitlab_rails['omniauth_providers'] = [
  {
    name: "cognito",
    app_id: "id",
    app_secret: "secret",
    args: {
      scope: "openid profile email",
      client_options: {
        site: "https://sandbox-mydomain.auth.eu-west-2.amazoncognito.com",
        authorize_url: "/oauth2/authorize",
        token_url: "/oauth2/token",
        user_info_url: "/oauth2/userInfo"
      },
      user_response_structure: {
        root_path: [],
        id_path: ["sub"],
        attributes: {
          nickname: "email",
          name: "email",
          email: "email"
        }
      },
      name: "cognito",
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  },
  {
    name: "oauth2_generic",
    redirect_url: "https://gitlab.sandbox.mydomain.co.uk/users/auth/oauth2_generic/callback",
    app_id: "id",
    app_secret: "secret",
    args: {
      client_options: {
        site: "https://sandbox-mydomain.auth.eu-west-2.amazoncognito.com",
        # This entry points at the same Cognito domain as the "cognito" provider,
        # so it needs the Cognito endpoint paths (/oauth2/...), not the
        # /oauth2/v1/... placeholder paths from the generic documentation.
        user_info_url: "/oauth2/userInfo",
        authorize_url: "/oauth2/authorize",
        token_url: "/oauth2/token"
      },
      user_response_structure: {
        root_path: [],
        id_path: ["sub"],
        attributes: {
          email: "email",
          name: "name"
        }
      },
      authorize_params: {
        scope: "openid profile email"
      },
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  },
  {
    # Note: the two lists above reference "azure_activedirectory_v2"; the
    # provider name used here must match the name in those lists for the
    # external/single-sign-on settings to apply to it.
    name: "azure_oauth2",
    args: {
      client_id: "id",
      client_secret: "secret", # must be a quoted string; a bare word is a Ruby NameError
      tenant_id: "tenantid"
    }
  }
]

I’ve had a bit of a breakthrough today.

I was setting EXTERNAL_URL via a configuration file in the ECS Task Definition. Whilst it was showing when I ran aws ecs execute-command --cluster gitlab --container gitlab-ce --task $ID --interactive --command env it wasn’t actually applied!

I edited gitlab.rb, applied the same URL (on HTTPS) and I’m now getting past the redirect_url issue.
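The thread's root cause is that the redirect_uri GitLab sends to the IdP is derived from external_url plus the provider name, and the IdP compares it byte-for-byte against the registered callback URL (Cognito's redirect_mismatch is that exact-match check refusing to send an authorization code to an unregistered, plaintext http:// host). The script below is an added example, not code from the original posts or from GitLab: it reconstructs the redirect_uri from an external_url and an omniauth_providers array, checks it against the callbacks registered in the IdP, and also catches the provider-name mismatch between the omniauth_external_providers/omniauth_allow_single_sign_on lists and the providers array. The hostnames, provider entries and registered callback list are constructed for illustration.

```ruby
# Added example (not from the original thread): sanity-check a GitLab
# omniauth_providers configuration before `gitlab-ctl reconfigure`.
# Assumption: callback path form /users/auth/<provider name>/callback,
# as seen in the thread's browser network trace.
require 'uri'

# The redirect_uri GitLab will send for a provider. It is built from
# external_url, which is why an unset/ignored EXTERNAL_URL produced a
# plaintext http://ip-10-x-x-x...compute.internal callback in the thread.
def gitlab_callback_url(external_url, provider_name)
  "#{external_url.to_s.chomp('/')}/users/auth/#{provider_name}/callback"
end

# Problems with one provider entry (empty array = OK).
def check_provider(external_url, provider, registered_callbacks)
  problems = []
  name = provider[:name].to_s
  sent = gitlab_callback_url(external_url, name)
  uri = URI.parse(sent)

  # A non-https redirect_uri would carry the authorization code in clear;
  # the IdP refusing it (redirect_mismatch) is the right outcome.
  problems << "#{name}: redirect_uri is not https (#{sent})" unless uri.scheme == 'https'

  # Exact-match comparison, as OAuth servers do: no host, scheme or path slack.
  unless registered_callbacks.include?(sent)
    problems << "#{name}: redirect_uri #{sent} is not registered with the IdP " \
                "(registered: #{registered_callbacks.join(', ')})"
  end

  # A redirect_url key that disagrees with the derived path (e.g. an
  # oauth2_generic path on a provider named cognito) will never match.
  if provider[:redirect_url] && provider[:redirect_url] != sent
    problems << "#{name}: configured redirect_url #{provider[:redirect_url]} differs " \
                "from the path GitLab derives from the provider name (#{sent})"
  end
  problems
end

# Problems across the whole gitlab_rails omniauth section (empty array = OK).
def check_config(external_url, config, registered_callbacks)
  providers = config[:omniauth_providers] || []
  names = providers.map { |p| p[:name].to_s }
  problems = []
  %i[omniauth_external_providers omniauth_allow_single_sign_on].each do |key|
    (config[key] || []).each do |listed|
      next if names.include?(listed.to_s)
      problems << "#{key} lists '#{listed}' but no provider has that name (have: #{names.join(', ')})"
    end
  end
  providers.each { |p| problems.concat(check_provider(external_url, p, registered_callbacks)) }
  problems
end

# Constructed sample data: one callback registered in the Cognito app client.
REGISTERED_CALLBACKS = ['https://gitlab.sandbox.mydomain.co.uk/users/auth/cognito/callback'].freeze

# Constructed: the shape of the thread's failing config (list/name mismatch,
# container falling back to its internal hostname).
BROKEN_CONFIG = {
  omniauth_external_providers: ['cognito', 'azure_activedirectory_v2'],
  omniauth_allow_single_sign_on: ['cognito', 'azure_activedirectory_v2'],
  omniauth_providers: [
    { name: 'cognito', app_id: 'id', app_secret: 'secret',
      args: { strategy_class: 'OmniAuth::Strategies::OAuth2Generic' } },
    { name: 'azure_oauth2', args: { client_id: 'id', client_secret: 'secret', tenant_id: 't' } }
  ]
}.freeze
BROKEN_EXTERNAL_URL = 'http://ip-10-0-1-23.eu-west-2.compute.internal'.freeze

# Constructed: the working shape (external_url set in gitlab.rb to the https CNAME).
FIXED_CONFIG = {
  omniauth_external_providers: ['cognito'],
  omniauth_allow_single_sign_on: ['cognito'],
  omniauth_providers: [
    { name: 'cognito', app_id: 'id', app_secret: 'secret',
      args: { strategy_class: 'OmniAuth::Strategies::OAuth2Generic' } }
  ]
}.freeze
FIXED_EXTERNAL_URL = 'https://gitlab.sandbox.mydomain.co.uk'.freeze

if __FILE__ == $PROGRAM_NAME
  [[BROKEN_EXTERNAL_URL, BROKEN_CONFIG], [FIXED_EXTERNAL_URL, FIXED_CONFIG]].each do |url, cfg|
    problems = check_config(url, cfg, REGISTERED_CALLBACKS)
    puts "external_url #{url}: #{problems.empty? ? 'OK' : problems.size.to_s + ' problem(s)'}"
    problems.each { |m| puts "  - #{m}" }
  end
end
```

The check deliberately does no normalisation (no case folding, no trailing-slash tolerance), because that is how the IdP's redirect_uri comparison behaves; a configuration that passes it is one whose callback the IdP will accept.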