redirect_uri changes between authorize and token
I have an issue while trying to use GitLab OAuth with Mattermost (installed with the omnibus package):
- I created the application by following this link: GitLab Single Sign-On — Mattermost documentation. I use Mattermost and GitLab from the omnibus package. I set up `mattermost['gitlab_id']` and `mattermost['gitlab_secret']` correctly, and `mattermost['gitlab_auth_endpoint']`, `mattermost['gitlab_token_endpoint']` and `mattermost['gitlab_user_api_endpoint']` too. Each time I try to connect with GitLab OAuth, Mattermost returns an HTML page with: “Erreur \n Erreur lors de la récupération du jeton” (Error \n Error when retrieving the token, in English).
- When checking `production.log`, I saw:
```text
Started GET "/oauth/authorize?response_type=code&client_id=<client_id>&redirect_uri=https%3A%2F%2F<my_domain_name>%2Fsignup%2Fgitlab%2Fcomplete&state=<state>" for <my_ipv4> at <datetime>
Processing by 0auth::AuthorizationsController#new as HTML
Parameters: {"response_type" => "code", "client_id" => "<client_id>", "redirect_uri" => "https://<my_domain_name>/signup/gitlab/complete", "state" => "<state>"}
Completed 200 OK in 60 ms (Views: 9.2ms | ActiveRecord: 10.5ms | Elasticsearch: 0.0ms | Allocations: 16159)
Started POST "/oauth/token" for <my_ipv6> at <datetime>
Processing by 0auth::TokensController#create as JSON
Parameters: {"client_id" => "<client_id>", "client_secret" => "[FILTERED]", "code" => "[FILTERED]", "grant_type" => "authorization_code", "redirect_uri" => "http://<my_domain_name>/signup/gitlab/complete"}
Completed 400 Bad Request in 88ms (Views: 0.2ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 16531)
```
- We can see that the https request became an http one for some reason I don’t understand.
- Version: gitlab-ce 15.3.2 (self-hosted)
- I use Apache so I checked this, and added the header. I checked my `gitlab.rb`, `production.log` and `mattermost.log`.
To be sure, here is my Apache configuration for GitLab:
```apache
<VirtualHost *:80>
  ServerName <my_domain_name_for_gitlab>
  ServerAdmin <my_email>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
  ErrorLog ${APACHE_LOG_DIR}/<my_domain_name_for_gitlab>_error.log
  CustomLog ${APACHE_LOG_DIR}/<my_domain_name_for_gitlab>.log combined
</VirtualHost>

<VirtualHost *:443>
  ServerName <my_domain_name_for_gitlab>
  ServerAdmin <my_email>
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode
  <Location />
    Require all granted
    ProxyPassReverse http://127.0.0.1:8181
    ProxyPassReverse http://<my_domain_name_for_gitlab>
  </Location>
  DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/api/v\d+/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/branches/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/refs/.*/logs_tree/.* [OR]
  RewriteCond %{REQUEST_URI} .*-/tree/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
  RewriteCond %{REQUEST_URI} ^/uploads/.*
  RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA]
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCipherSuite "ECDH+AESGM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA:3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000; IncludeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/letsencrypt/live/<my_domain_name_for_gitlab>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<my_domain_name_for_gitlab>/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/<my_domain_name_for_gitlab>/fullchain.pem
  ErrorDocument 404 /404.html
  ErrorDocument 422 /422.html
  ErrorDocument 500 /500.html
  ErrorDocument 502 /502.html
  ErrorDocument 503 /503.html
  ErrorLog ${APACHE_LOG_DIR}/<my_domain_name_for_gitlab>_error.log
  CustomLog ${APACHE_LOG_DIR}/<my_domain_name_for_gitlab>.log combined
</VirtualHost>
```
and my configuration for Mattermost:
```apache
<VirtualHost *:80>
  ServerName <my_domain_name>
  ServerAdmin <my_email>
  ServerSignature Off
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
  ErrorLog ${APACHE_LOG_DIR}/<my_domain_name>_error.log
  CustomLog ${APACHE_LOG_DIR}/<my_domain_name>.log combined
</VirtualHost>

<VirtualHost *:443>
  ServerName <my_domain_name>
  ServerAdmin <my_email>
  DocumentRoot /var/opt/gitlab/mattermost
  ProxyPreserveHost On
  <Proxy *>
    Order allow,deny
    Allow from all
  </Proxy>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/api/v4/users/websocket [NC,OR]
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
  RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
  RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
  <Location /api/v4/users/websocket>
    Require all granted
    ProxyPass ws://127.0.0.1:8065/api/v4/users/websocket
    ProxyPassReverse ws://127.0.0.1:8065/api/v4/users/websocket
    ProxyPassReverseCookieDomain 127.0.0.1 <my_domain_name>
  </Location>
  <Location />
    Require all granted
    ProxyPass http://127.0.0.1:8065/
    ProxyPassReverse http://127.0.0.1:8065/
    ProxyPassReverseCookieDomain 127.0.0.1 <my_domain_name>
  </Location>
  RequestHeader set X_FORWARDED_PROTO 'https'
  RequestHeader set X-Forwarded-Ssl on
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCipherSuite "ECDH+AESGM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA:3DES:!aNULL:!MD5:!DSS"
  Header add Strict-Transport-Security: "max-age=15768000; IncludeSubdomains"
  SSLCompression Off
  SSLCertificateFile /etc/letsencrypt/live/<my_domain_name>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<my_domain_name>/privkey.pem
  SSLCACertificateFile /etc/letsencrypt/live/<my_domain_name>/fullchain.pem
  ErrorLog ${APACHE_LOG_DIR}/<my_domain_name>_error.log
  CustomLog ${APACHE_LOG_DIR}/<my_domain_name>.log combined
</VirtualHost>
```
It’s my first issue so I’m sorry if I forgot something, don’t hesitate to ask me, thank you.
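Added example (not code from the post, GitLab or Mattermost): a small Python checker that reads a `production.log` excerpt like the one quoted above, pairs each `/oauth/authorize` request with the later `/oauth/token` request for the same `client_id`, and reports which part of `redirect_uri` changed between the two. The sample log, domain, `client_id`, `state` and addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed production.log excerpt modelled on the post: the authorize GET carries an
# https redirect_uri, the token POST presents an http one. All values are placeholders.
SAMPLE_LOG = """\
Started GET "/oauth/authorize?response_type=code&client_id=abc123&redirect_uri=https%3A%2F%2Fchat.example.test%2Fsignup%2Fgitlab%2Fcomplete&state=xyz" for 203.0.113.5 at 2022-09-01 10:00:00 +0200
Processing by Oauth::AuthorizationsController#new as HTML
  Parameters: {"response_type"=>"code", "client_id"=>"abc123", "redirect_uri"=>"https://chat.example.test/signup/gitlab/complete", "state"=>"xyz"}
Completed 200 OK in 60ms (Views: 9.2ms | ActiveRecord: 10.5ms)
Started POST "/oauth/token" for 2001:db8::1 at 2022-09-01 10:00:03 +0200
Processing by Oauth::TokensController#create as JSON
  Parameters: {"client_id"=>"abc123", "client_secret"=>"[FILTERED]", "code"=>"[FILTERED]", "grant_type"=>"authorization_code", "redirect_uri"=>"http://chat.example.test/signup/gitlab/complete"}
Completed 400 Bad Request in 88ms (Views: 0.2ms | ActiveRecord: 0.0ms)
"""

STARTED_RE = re.compile(r'^Started (?:GET|POST) "([^"?]+)')
PARAM_RE = re.compile(r'"(client_id|redirect_uri)"\s*=>\s*"([^"]*)"')
ENDPOINTS = {"/oauth/authorize": "authorize", "/oauth/token": "token"}


def extract_redirect_uris(log_text):
    """Map client_id -> {"authorize": uri, "token": uri} from Rails log lines.
    A Parameters line belongs to the most recent Started line, so the request
    path is carried forward until the next request begins."""
    seen, endpoint = {}, None
    for line in log_text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            endpoint = ENDPOINTS.get(m.group(1))
            continue
        if endpoint and line.lstrip().startswith("Parameters:"):
            params = dict(PARAM_RE.findall(line))
            if "client_id" in params and "redirect_uri" in params:
                seen.setdefault(params["client_id"], {})[endpoint] = params["redirect_uri"]
    return seen


def redirect_uri_mismatches(log_text):
    """Return [(client_id, [differing URL parts])] for flows whose token-request
    redirect_uri is not byte-identical to the one sent to /oauth/authorize.
    RFC 6749 section 4.1.3 requires an exact match, hence the 400 on /oauth/token."""
    findings = []
    for client_id, uris in extract_redirect_uris(log_text).items():
        if "authorize" in uris and "token" in uris and uris["authorize"] != uris["token"]:
            a, t = urlsplit(uris["authorize"]), urlsplit(uris["token"])
            parts = [p for p in ("scheme", "netloc", "path", "query")
                     if getattr(a, p) != getattr(t, p)]
            findings.append((client_id, parts))
    return findings
```

Run it against a real log by passing the file contents to `redirect_uri_mismatches`; for the post's excerpt it reports that only the scheme differs, which is the mismatch GitLab rejects.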