using ratpack-pac4j and Google2Client, the redirect uri is using http


Josh Stratton

Jun 24, 2018, 11:48:54 PM
to Pac4j users mailing list
I've gotten OAuth working locally running http://127.0.0.1 and adding http://127.0.0.1/callback?client_name=Google2Client to the Google whitelist. I noticed a problem though when using this on an actual server using https. When I try to go through the flow, the initial call to Google is rejected because the redirect_uri isn't whitelisted. It is, but only for https, which is what I want when not running locally.

For example, if I'm on https://www.example.com and pac4j builds the redirect_uri, why does it use http://www.example.com/... as the redirect URI, using http instead of https?

Jérôme LELEU

Jun 25, 2018, 2:19:53 AM
to Josh Stratton, Pac4j users mailing list
Hi,

The redirect URI is the callback URL with an additional parameter (client_name): are you sure it's defined using HTTPS?
Thanks.
Best regards,
Jérôme


Josh Stratton

Jun 25, 2018, 2:28:01 AM
to Jérôme LELEU, Pac4j users mailing list
From https://www.mealsahead.xyz, the message I get from Google is below:

Error: redirect_uri_mismatch

The redirect URI in the request, http://www.mealsahead.xyz/callback?client_name=Google2Client, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: ...

I would expect that URL in the message to be https://www.mealsahead.xyz/callback?client_name=Google2Client. I'm probably doing something wrong on my side, but since I don't build this callback URL myself (I believe pac4j does), I was trying to work my way back to how that URL is built.

-Josh

Jérôme LELEU

Jun 25, 2018, 2:56:40 AM
to Josh Stratton, Pac4j users mailing list
Hi,

You're right: unlike other pac4j implementations, ratpack-pac4j computes the callback URL on its own using the public address. See: https://github.com/pac4j/ratpack-pac4j/blob/master/src/main/java/ratpack/pac4j/internal/Pac4jAuthenticator.java#L95
Thanks.
Best regards,
Jérôme

Josh Stratton

Jun 25, 2018, 9:38:08 AM
to Jérôme LELEU, Pac4j users mailing list
Thanks, Jérôme. I did some digging and see I can set the public address at app start when configuring the ratpack server...

        RatpackServer.start(server -> server
            .serverConfig(configBuilder -> configBuilder
                .findBaseDir()
                // fixes the scheme/host that ratpack-pac4j derives the callback URL from
                .publicAddress(buildPublicAddress())
            )
        );

I'll need to find an elegant way to do this as I don't want to reimplement all the default logic the InferringPublicAddress is providing (which is working correctly for local development). This is a little tricky as it seems like InferringPublicAddress only works at request time since it's inferred from the request, but the server hasn't started yet. I'll try a few things and if I don't find a good solution I'll follow up on a ratpack forum.

-Josh
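One way to handle the situation described in this thread, as an added example that is not code from the thread, Ratpack or pac4j: pin the public address to the https URL users actually reach when a deployment variable is set, and otherwise leave Ratpack's request-time inference in place for local development. The variable name APP_PUBLIC_ADDRESS, the helper names and the /whoami diagnostic route are assumptions; PublicAddress#get() is assumed to be the Ratpack 1.x accessor.

```java
import java.net.URI;
import java.util.Optional;
import java.util.function.Function;

import ratpack.server.PublicAddress;
import ratpack.server.RatpackServer;
import ratpack.server.ServerConfigBuilder;

public class PublicAddressConfig {

    // Assumed variable name; set it in the deployment behind the TLS-terminating proxy.
    static final String PUBLIC_ADDRESS_VAR = "APP_PUBLIC_ADDRESS";

    // Returns the configured address, refusing anything that is not an absolute https URL,
    // so an http callback URL (which Google rejects as redirect_uri_mismatch and which would
    // carry the authorization code over plaintext) cannot be configured by mistake.
    static Optional<URI> resolvePublicAddress(Function<String, String> env) {
        String value = env.apply(PUBLIC_ADDRESS_VAR);
        if (value == null || value.isEmpty()) {
            return Optional.empty(); // local dev: keep Ratpack's inferred address
        }
        URI uri = URI.create(value);
        if (!"https".equals(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException(PUBLIC_ADDRESS_VAR + " must be an absolute https URL");
        }
        return Optional.of(uri);
    }

    // Applies the address only when one was resolved; inference stays the default otherwise.
    static ServerConfigBuilder configure(ServerConfigBuilder builder, Function<String, String> env) {
        builder.findBaseDir();
        resolvePublicAddress(env).ifPresent(builder::publicAddress);
        return builder;
    }

    public static void main(String[] args) throws Exception {
        RatpackServer.start(server -> server
            .serverConfig(builder -> configure(builder, System::getenv))
            .handlers(chain -> chain
                // Diagnostic route: shows the base URL the pac4j callback will be built from.
                .get("whoami", ctx -> ctx.render(ctx.get(PublicAddress.class).get().toString()))
            )
        );
    }
}
```

Requesting /whoami through the proxy should return the https origin; if it still shows http, the callback URL will too, and the variable is not reaching the process.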