omniauth openid invalid credentials - ruby-on-rails

I am using omniauth and logging into Google and Yahoo using the open_id strategy. This was working fine until I enabled SSL on my site. There were a couple of issues. First, the URLs being generated were still pointing at http instead of https. I fixed that using a monkey patch from other posts (Omniauth and open_id with Google broken when running behind nginx in SSL mode, OpenID for rails app behind Apache).
Now the URLs seem to be okay, but I always get an invalid credentials failure. I am using nginx and unicorn and hosting on EC2, if any of that is relevant. I see this in my unicorn logs:
(google) Request phase initiated.
WARNING: making https request to https://www.google.com/accounts/o8/id without verifying server certificate; no CA path was specified.
Generated checkid_setup request to https://www.google.com/accounts/o8/ud with assocication ...
(google) Callback phase initiated.
(google) Authentication failure! invalid_credentials encountered.
*Note: I removed the association above because I was not sure if that's some private key or something.
Also, I see google posting to my callback "/auth/google/callback".
Finally, about the warning about making a request without verifying the server certificate: I saw in another post that I should add this:
require "openid/fetchers"
OpenID.fetcher.ca_file = "/etc/ssl/certs/ca-certificates.crt"
which I did, and the messages go away, but it does not fix my problem. Am I supposed to point this at my SSL certificates instead?
Just confused about what is going on and not finding good logging output to identify the problem...

Related

se.curity.identityserver.util.AllowedFrameOriginUtils

I was trying out the Curity configuration for an authentication service and a token service for OAuth and OpenID Connect locally. After all the configuration, when I was trying to test it with OAuth Assistant, I get an error:
Bad request
The request could not be processed
In the terminal, I can see these two INFO logs in particular:
se.curity.identityserver.util.AllowedFrameOriginUtils - Requested origin is not allowed: 'http://localhost:...'
se.curity.identityserver.controllers.authorize.AuthorizeOAuthRequestModelProvider - Could not establish the redirect uri for request and client www. If this error occurs *after* being redirected to the authentication service and back, then this error has probably occurred because the original session cookie has been lost. Ensure that the cookie named 'sessionid' was sent to the authentication service. If not, check that the user's browser is not withholding it (for example by the cookie jar becoming full) and that a reverse proxy is not interfering with it.
There is no issue with sessionid. Anyone know how to fix this issue?

Facebook Oauth URL Blocked

I'm currently testing my Ruby on Rails project's Omniauth with Facebook functionality, and no matter how I enter my Redirect URI it fails.
The exact error is:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
If I do,
https://localhost:3000/users/auth/facebook/callback
it then complains about trying to use an SSL certificate with a non-SSL Puma. Are there any suggestions for this issue? Perhaps working on my SSL certificates, or any other solution.
I've been looking into similar posts and nothing has solved this issue. Please advise.

Login Redirect goes to STOMP endpoint

I have a relatively simple setup where I am using STOMP over websockets to retrieve data from my backend to avoid resetting the session timeout. I am running into an issue that mostly happens when I restart my server. I reboot and I am properly prompted to log in. After the login succeeds I am redirected. However, instead of being redirected to the page I requested, I am redirected to the STOMP endpoint.
I suspect this is a timing issue where the stomp client is continuing to connect to the initial stomp http endpoint after the server starts up and is overwriting the request to the page with a request to the stomp endpoint.
Is there some way to make the stomp endpoint not a valid target for a login redirect?
This seems like it is really only an issue during dev, since it only occurs when the server is restarted. However, with my dev environment being deployed on push, I don't want the testers to report this as an issue.

PHPMailer authentication issue xoauth2

I am using Google Business Apps for email and trying to send emails through PHPMailer. Now there is an issue with the SSL certificate, so I have to turn off the SSL verification, but this error is thrown:
Auth method requested: XOAUTH2
Auth methods available on the server: PLAIN,LOGIN
SMTP Error: Could not authenticate.
Now my host isn't particularly helpful, as it's saying I need to use the correct email/password, but that's not the way it works, as we have to create an App via Google Developer and the connection is verified.
I am wondering if XOAUTH2 needs to be installed to the server? I have access to cPanel, but can't find the module.
Read the troubleshooting guide that the error links you to.
I'd bet that your ISP is intercepting your traffic and redirecting you to their own mail server, which will fail to match gmail's SSL certificate, and also lacks gmail's XOAUTH2 authentication scheme.
You should pay attention to why you're getting these errors - certificate verification is there to protect you and when it fails a check it's telling you that someone is intercepting your traffic and trying to MITM you - and by disabling it you've already given away your gmail credentials.

Wordpress strategy for OAuth 2.0

I am working on an application that allows a user to authenticate with Devise and Omniauth and then connect their social network account to the app. I wanted to add Wordpress integration (their website states they support OAuth 2.0 authentication and REST API access).
Unfortunately, there was no Omniauth strategy for this provider. I looked into some other gems and decided to write my own - it didn't seem so complicated. The source code can be found here.
I have added all the required information (according to the Wordpress docs), then I signed up for an app ID and secret. I encountered my first problem here - Wordpress demanded a live, public domain as a redirect URI. I didn't want to use one - I wanted to test in development mode first, so localhost was fine for me. I entered a dummy address, then changed it back to localhost (surprise! They didn't validate it on update, just on create).
I have added the credentials to my initializer (config/initializers/devise.rb):
config.omniauth :wordpress, "my_app_id", "my_app_secret"
It seemed to work - I got the authentication dialog I expected, and it mentioned my application. But when I clicked 'Authorize' and got redirected back to my application, I got an error saying invalid credentials.
I have checked the credentials, but they were correct (no typos, proper order). I have reset the app secret - no luck. I have created two other applications, but still nothing.
I have already run out of ideas. What can cause such an error? Is it possible that it's because of the local address in redirect_uri?
I suspected it was something easy to miss, and it was. Wordpress' server responded with a JSON string, but the response was not parsed as one. Therefore the Omniauth gem couldn't find an access token in it and was raising the invalid credentials error. Setting up the correct content type worked like a charm.
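The failure mode in that answer, reproduced as an added example (not code from the post or from the omniauth/oauth2 gems): a content-type-driven token parser gets a JSON body labelled `text/html`, leaves it unparsed, and so finds no `access_token`, which is what surfaces as `invalid_credentials`; forcing JSON parsing recovers it. The response hash and token value are constructed for the demo.

```ruby
require "json"
require "uri"

# Constructed stand-in for the provider's token endpoint reply: the body is
# JSON, but the Content-Type header says text/html (the mismatch in the post).
WORDPRESS_LIKE_RESPONSE = {
  headers: { "Content-Type" => "text/html; charset=utf-8" },
  body: '{"access_token":"constructed-token-123","token_type":"bearer"}'
}.freeze

# Choose a body format from the media type, the way a generic OAuth2 client does.
def detect_format(content_type)
  case content_type.to_s.split(";").first.to_s.strip.downcase
  when "application/json"              then :json
  when "application/x-www-form-urlencoded" then :query
  else :text # anything else is left as a raw String
  end
end

# Parse the token response; `force:` overrides header-based detection
# (the equivalent of telling the client "this endpoint always returns JSON").
def parse_token_body(response, force: nil)
  format = force || detect_format(response[:headers]["Content-Type"])
  case format
  when :json  then JSON.parse(response[:body])
  when :query then URI.decode_www_form(response[:body]).to_h
  else response[:body]
  end
end

# Mirror the strategy's check: no Hash with an access_token means the
# callback phase fails with invalid_credentials. Returns nil in that case.
def extract_access_token(response, force: nil)
  parsed = parse_token_body(response, force: force)
  parsed.is_a?(Hash) ? parsed["access_token"] : nil
rescue JSON::ParserError
  nil # a forced :json parse of a non-JSON body is also a failed token exchange
end

if __FILE__ == $PROGRAM_NAME
  puts "header-driven : #{extract_access_token(WORDPRESS_LIKE_RESPONSE).inspect}"
  puts "forced json   : #{extract_access_token(WORDPRESS_LIKE_RESPONSE, force: :json).inspect}"
end
```

In a real strategy the same idea applies either server-side (send `application/json`) or client-side (tell the token request to parse the body as JSON); the point to check first when a callback reports invalid_credentials is whether the token response was parsed at all.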
