When we click on the login button at transtats.fp.o, it runs into an error: 400 - Bad Request with a desc "Invalid redirect_uri". See config
We are having a similar issue with waiverdb in stg...
CC: @abompard any ideas here?
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
@kevin it may be that the redirect URL that is being sent back is http rather than https (the one that is encoded in the ipsilon URL when you see the 400 error)
IIRC, this is stored on the ipsilon side and is set when the app is registered there (i may be wrong here)
The redirect uri is https... it's in ansible-private.
transtats redirect_uris=["https://transtats.fedoraproject.org/oidc_callback"]
sorry i changed it to oidc_callback and now have changed this back to (the proper URI) of
transtats redirect_uris=["https://transtats.fedoraproject.org/oidc/callback/"]
which is the correct callback URL for this application
I think the non-http link is coming from the transtats app itself (i.e. the django mozilla oidc module it uses)
but have not figured out how to force it to use https.
I confirm that the Transtats app is thinking it's running in plain HTTP, and thus not generating absolute URLs with https://. Generating an absolute URL is necessary for OIDC, and that's where it fails.
The setting "SECURE_PROXY_SSL_HEADER" seems to be correctly set in the configuration file. @suanand could you please set the USE_X_FORWARDED_HOST setting to True in the config as well? I think that the OIDC library uses get_host() to generate the absolute URLs.
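An added illustration of the failure discussed in the comment above (not part of the original ticket, and not Django or Transtats code): a stdlib-only model of how the scheme and host of the callback URL are derived behind a TLS-terminating proxy, checked against the `redirect_uris` value quoted in this ticket. The internal host name, the sample WSGI environ and exact-match comparison on the provider side are assumptions.

```python
# Stdlib-only model of the scheme/host decision a Django app makes behind a
# TLS-terminating proxy. Added illustration; not Django or Transtats code.
REGISTERED = ["https://transtats.fedoraproject.org/oidc/callback/"]  # from the ticket


def scheme(environ, settings):
    """Return 'https' only if the configured proxy header says so."""
    configured = settings.get("SECURE_PROXY_SSL_HEADER")
    if configured:
        name, secure_value = configured
        value = environ.get(name)
        if value is not None:
            # A proxy chain may append values; only the first one is used.
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    return environ.get("wsgi.url_scheme", "http")


def host(environ, settings):
    """Prefer X-Forwarded-Host only when the setting opts in."""
    if settings.get("USE_X_FORWARDED_HOST") and "HTTP_X_FORWARDED_HOST" in environ:
        return environ["HTTP_X_FORWARDED_HOST"]
    return environ.get("HTTP_HOST", environ.get("SERVER_NAME", ""))


def diagnose(environ, settings, path="/oidc/callback/"):
    """Build the redirect_uri the app would send and check it against the
    registered list (exact string match is assumed for the provider)."""
    url = f"{scheme(environ, settings)}://{host(environ, settings)}{path}"
    return url, url in REGISTERED


# Constructed WSGI environ: the proxy terminates TLS and talks plain HTTP
# to the pod, so wsgi.url_scheme is "http" and Host is the internal name.
PROXIED = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "transtats.internal:8080",  # hypothetical internal name
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "transtats.fedoraproject.org",
}
BOTH = {
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "USE_X_FORWARDED_HOST": True,
}

if __name__ == "__main__":
    for label, cfg in [("settings not applied", {}), ("both settings applied", BOTH)]:
        print(label, diagnose(PROXIED, cfg))
```

Trusting these forwarded headers is only safe when the proxy strips or overwrites them on every incoming request, since otherwise a client can set them itself.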
Metadata Update from @ryanlerch: - Issue assigned to ryanlerch
@abompard
tried setting USE_X_FORWARDED_HOST
https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/transtats/files/deploymentconfig.yml#_49
also set SECURE_PROXY_SSL_HEADER too to check, but still giving me http in the redirect url :(
ignore that above comment. the way i set USE_X_FORWARDED_HOST or the SSL header one too was wrong, and didn't actually apply the setting in django. will revert those changes
okay, have tried this in staging with this change in transtats itself:
https://github.com/transtats/transtats/commit/11eeacae98b8e72f7df2314b77101692d7cb638f
and transtats is still giving a http:// callback url to ipsilon.
@suanand any thoughts here?
Going to close this one as upstream, because it appears to be an issue with transtats / the oidc django plugin supplying the wrong http based url.
I have tried to see if I can fix it on the transtats side, but to no avail, and have not received a response from upstream.
Going to close as cannot fix. feel free to reopen if there is anything more that can be done on the infra side.
Metadata Update from @ryanlerch: - Issue close_status updated to: Will Not/Can Not fix - Issue status updated to: Closed (was: Open)
thank you @kevin and @ryanlerch
this has been fixed upstream, and deployed.