Google Auth issue - "Message from google_oauth2: csrf_detected"

  • Used Zammad version: 3.4x
  • Used Zammad installation source: docker
  • Operating system: Ubuntu 20.04.1 LTS
  • Browser + version: Firefox Developer Edition (latest) + Vivaldi (latest)

Expected behavior:

  • Authenticate with Google

Actual behavior:

  • I get an error saying:
    422: The change you wanted was rejected.
    Message from google_oauth2: csrf_detected

Steps to reproduce the behavior:

  • Setup google authentication

My environment is locked down (only 1 public IP available) so I’m forced to use this configuration. I have a Debian 9 server that is public-facing with a public IP. It is running the latest version of Nginx and is proxy passing the configuration over to the internal-only Zammad server. The configuration on this server:

server {
        server_name support.mydomain.com;
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/support.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/support.mydomain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        access_log /var/log/nginx/support_access_log;
        error_log /var/log/nginx/support_error_log;

        location / {
                # client address for the upstream; X-Forwarded-For is appended below
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_pass http://10.222.2.38/;
                # HTTP/1.1 plus Upgrade/Connection so the websocket can be proxied
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
                proxy_set_header X-Base-Path /search;
                proxy_read_timeout 100000;
                proxy_send_timeout 100000;
                proxy_connect_timeout 100000;
                send_timeout 100000;
                # set once only: $proxy_add_x_forwarded_for keeps any existing
                # X-Forwarded-For chain and appends $remote_addr (the earlier
                # duplicate "X-Forwarded-For $remote_addr" line was removed)
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                # tells the upstream the original request was https
                proxy_set_header X-Forwarded-Proto  $scheme;
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
                add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
}

server {
        if ($host = support.mydomain.com) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        server_name support.mydomain.com;
        return 404; # managed by Certbot
}

This passes over to the Zammad Docker container NGINX. With this configuration, I have two questions.

  1. Can I avoid the preconfigured nginx container and use my public server’s nginx to connect directly to the server’s Rails and websocket? I haven’t been able to get the ports to be exposed to do this. I tried forwarding iptables, etc., no luck. I hate the idea of two nginx servers being proxy passed.
  2. With the two proxy servers, what do I need to do to get the correct IP addresses reported rather than my public server’s internal IP? I’m only seeing the server IP in the logs.

The public server is using letsencrypt for the front end stuff. The internal servers are using plain http.

Any guidance would be great. This will help our school district a lot with handling student/parent issues (rather than our current way: email… yuck)

Edit: When I try to add Google as a channel I get the error:

500: We’re sorry, but something went wrong.

I’m not sure where to see logs for docker.
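For reference, the "csrf_detected" message above is what OmniAuth's OAuth2 callback returns when the `state` value Google sends back does not match the one stored in the user's session during the redirect. The following is an added illustration of that check (not Zammad's or OmniAuth's code; the session is modelled as a plain Hash and the IdP URL is only a placeholder):

```ruby
require 'securerandom'

# Session key under which the nonce is kept (name assumed for this example).
STATE_KEY = 'omniauth.state'

# Request phase: mint a random state, remember it in the session and send it
# along to the identity provider in the authorize redirect.
def build_authorize_url(session, idp_url: 'https://idp.example/o/oauth2/auth')
  state = SecureRandom.hex(24)
  session[STATE_KEY] = state
  "#{idp_url}?response_type=code&state=#{state}"
end

# Constant-time byte comparison so the check does not leak the nonce.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Callback phase: the state in the query must equal the stored one. The stored
# copy is consumed either way so a nonce can be used only once. Returns :ok or
# :csrf_detected, the symbol the failure message is built from.
def verify_callback_state(session, params)
  expected = session.delete(STATE_KEY)
  actual   = params['state'].to_s
  return :csrf_detected if expected.nil? || actual.empty?
  secure_compare(expected, actual) ? :ok : :csrf_detected
end

# Constructed walk-through: a callback that arrives with a session in which the
# state was never stored (or was lost between redirect and callback) is
# rejected exactly like a forged one.
def demo
  session = {}
  build_authorize_url(session)
  state = session[STATE_KEY]
  [verify_callback_state(session.dup, 'state' => state),   # :ok
   verify_callback_state({}, 'state' => state),            # :csrf_detected
   verify_callback_state(session, 'state' => 'x' * 48)]    # :csrf_detected
end
```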

Hello,

I eliminated Docker and used iptables to forward to ports 3000 and 6024 and I have nginx working flawlessly the way I expected. I was able to add the Google channel. However, when I log in with Google I get the error:

I, [2020-09-15T18:54:29.207604 #2296-47110537067580] INFO -- : Started GET "/auth/google_oauth2/callback?state=4bda901134d8eb7cbe0d6be962c70bce9be1127544f25f32&code=[FILTERED]&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=mydomain.com&prompt=none" for 10.1.1.254 at 2020-09-15 18:54:29 +0000
I, [2020-09-15T18:54:29.213617 #2296-47110537067580] INFO -- : (google_oauth2) Callback phase initiated.
F, [2020-09-15T18:54:29.384790 #2296-47110537067580] FATAL -- :
F, [2020-09-15T18:54:29.384963 #2296-47110537067580] FATAL -- : JWT::InvalidIatError (Invalid iat):
F, [2020-09-15T18:54:29.385015 #2296-47110537067580] FATAL -- :

My environment blocks NTP. I had to re-configure the servers' NTP servers and after I did this, Google started working.
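Why a blocked NTP produces "JWT::InvalidIatError (Invalid iat)": Google's ID token carries an `iat` (issued-at) claim, and the ruby-jwt gem rejects any token whose `iat` lies in the future relative to the server's own clock. A server whose clock runs behind therefore sees every freshly issued token as "not yet issued". The following added example (not Zammad's or ruby-jwt's code) mirrors that time check on a constructed token; the amount of skew shown is assumed, and signature verification is left out since the point is the clock:

```ruby
require 'base64'
require 'json'

class InvalidIatError < StandardError; end
class ExpiredSignatureError < StandardError; end

# Payload segment of a JWT (header.payload.signature), decoded but not verified.
def jwt_payload(token)
  seg = token.split('.')[1]
  raise ArgumentError, 'not a JWT' unless seg
  JSON.parse(Base64.urlsafe_decode64(seg))
end

# Time-based claims the way ruby-jwt applies them: "iat" may not be later than
# the local clock plus leeway, "exp" may not be earlier than it minus leeway.
def verify_time_claims(payload, now:, leeway: 0)
  iat = payload['iat']
  if iat && (!iat.is_a?(Numeric) || iat.to_f > now.to_f + leeway)
    raise InvalidIatError, 'Invalid iat'
  end
  exp = payload['exp']
  raise ExpiredSignatureError, 'Signature has expired' if exp && exp.to_f <= now.to_f - leeway
  :ok
end

# Evaluate a token against a given wall clock; returns :ok or the error text
# a caller would see in the Rails log.
def check_token(token, now:, leeway: 0)
  verify_time_claims(jwt_payload(token), now: now, leeway: leeway)
rescue InvalidIatError, ExpiredSignatureError => e
  "#{e.class}: #{e.message}"
end

# Constructed token issued at the timestamp from the log above, valid one hour.
ISSUED_AT = Time.utc(2020, 9, 15, 18, 54, 29)
def sample_token
  header  = Base64.urlsafe_encode64({ alg: 'RS256', typ: 'JWT' }.to_json, padding: false)
  claims  = { iss: 'https://accounts.google.com', iat: ISSUED_AT.to_i, exp: ISSUED_AT.to_i + 3600 }
  payload = Base64.urlsafe_encode64(claims.to_json, padding: false)
  "#{header}.#{payload}.signature-omitted"
end

# Same token, synced clock vs. a clock assumed to run ten minutes behind.
def demo
  [check_token(sample_token, now: ISSUED_AT + 2),    # :ok
   check_token(sample_token, now: ISSUED_AT - 600)]  # "InvalidIatError: Invalid iat"
end
```

A few seconds of leeway absorbs ordinary drift between Google and the server, but only time synchronisation fixes a clock that is minutes off.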


Glad you could solve all of your issues?
If I’ve overseen something and you still have issues, please let us know. :slight_smile: