Google OAuth issue with HTTPS

Infos:

  • Used Zammad version: 3.1.x
  • Used Zammad installation source: source
  • Operating system: CentOS 7
  • Browser + version: Chrome 75.0.3770.100, Safari 12.1.1

Expected behavior:

  • Log in with Google and correctly reach the Zammad home dashboard.

Actual behavior:

  • Instead of accessing home, an error page with 422: The change you wanted was rejected.

Steps to reproduce the behavior:

  • Log in to Zammad with Google login via https.

We are able to log in with Google OAuth over http, but once we activate https, we get the page with the 422 error.
If we take a look at the logs we can see the following backend error:
FATAL – : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)

If we try to connect via Internet Explorer or Firefox 60.8 instead, Google login works. Is there any known issue or are we missing some configuration?
Thanks in advance for your help.

Did you change the endpoints of the Google App to HTTPS?
Especially when switching protocols, that might be the issue you have.

Also, check your tokens from google again (so ensure you’re using the right authentication)

I’m also observing this exact issue.

Zammad version: 3.1.x
Zammad installation source: zammad-docker-compose
Browser system: MacOS 10.14, 75.0.3770.142

Using Firefox works perfectly, Edge on Windows works, Chrome or Safari on Mac do not work, didn’t try using http only.

Where can I see any logs? I cannot find anything in /opt/zammad/log

Please let us know at what point ^^
Ensure to have no cached content from Zammad and, as written above, tell us where (on profile or logon page)

Upon clicking the “Google” button beneath “or sign in using”, the browser points to https://zammad_host/auth/google_oauth2 displaying error 422: The change you wanted was rejected. This happens in Chrome and Safari, both tested in incognito mode with a cleared browser cache.

Ah sorry I didn’t realize that this is a duplicate thread …
You might want to take a look into this thread: Google OAUTH2 results in 404

It partly might not apply to your docker construct, but basically sums up the issue(s).
It’s possible a migration didn’t finish successfully so you might need to run that again.

Sorry, it’s been a while since I took a look at this. I don’t think the thread you linked applies to me.

Firstly, I am not getting a 404 error, I’m getting a 422 error.
Second, the file you mentioned (login.jst.eco) is up to date with the line you’ve highlighted
Third, the “Google” button is rendered properly as a form with action /auth/google_oauth2

I am using the docker-compose installation directly from https://github.com/zammad/zammad-docker-compose with no modification.

How do you communicate with the docker container?
Do you call it directly or do you proxy via nginx/apache to the rails container?

Edit: Please also provide log output of the moment you try ;3

The docker-compose file sets up an nginx server. I’m proxying to that with another nginx server where I have a letsencrypt cert that’s auto-updated by certbot. I’m guessing the issue may be in this configuration, but I’m not familiar enough with the system. Here’s a log from when the error occurs.

zammad-railsserver_1    | I, [2019-09-16T01:12:47.510961 #1-70286179710660]  INFO -- : Completed 200 OK in 25027ms (Views: 0.3ms | ActiveRecord: 2.3ms)
zammad-railsserver_1    | I, [2019-09-16T01:12:48.706280 #1-70286178133100]  INFO -- : Started POST "/auth/google_oauth2" for xxx.xx.0.1 at 2019-09-16 01:12:48 +0000
zammad-railsserver_1    | I, [2019-09-16T01:12:48.711927 #1-70286178133100]  INFO -- omniauth: (google_oauth2) Request phase initiated.
zammad-railsserver_1    | F, [2019-09-16T01:12:48.712703 #1-70286178133100] FATAL -- :   
zammad-railsserver_1    | F, [2019-09-16T01:12:48.712744 #1-70286178133100] FATAL -- : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
zammad-railsserver_1    | F, [2019-09-16T01:12:48.712766 #1-70286178133100] FATAL -- :   
zammad-railsserver_1    | F, [2019-09-16T01:12:48.712790 #1-70286178133100] FATAL -- : omniauth-rails_csrf_protection (0.1.2) lib/omniauth/rails_csrf_protection/token_verifier.rb:34:in `call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:209:in `request_call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:188:in `call!'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:192:in `call!'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
zammad-railsserver_1    | omniauth (1.9.0) lib/omniauth/builder.rb:64:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/tempfile_reaper.rb:15:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/etag.rb:25:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/conditional_get.rb:38:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/head.rb:12:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/session/abstract/id.rb:232:in `context'
zammad-railsserver_1    | rack (2.0.7) lib/rack/session/abstract/id.rb:226:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/cookies.rb:670:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
zammad-railsserver_1    | activesupport (5.2.3) lib/active_support/callbacks.rb:98:in `run_callbacks'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
zammad-railsserver_1    | railties (5.2.3) lib/rails/rack/logger.rb:38:in `call_app'
zammad-railsserver_1    | railties (5.2.3) lib/rails/rack/logger.rb:28:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/request_id.rb:27:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/method_override.rb:22:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/runtime.rb:22:in `call'
zammad-railsserver_1    | activesupport (5.2.3) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
zammad-railsserver_1    | actionpack (5.2.3) lib/action_dispatch/middleware/executor.rb:14:in `call'
zammad-railsserver_1    | rack (2.0.7) lib/rack/sendfile.rb:111:in `call'
zammad-railsserver_1    | railties (5.2.3) lib/rails/engine.rb:524:in `call'
zammad-railsserver_1    | puma (3.12.1) lib/puma/configuration.rb:227:in `call'
zammad-railsserver_1    | puma (3.12.1) lib/puma/server.rb:660:in `handle_request'
zammad-railsserver_1    | puma (3.12.1) lib/puma/server.rb:474:in `process_client'
zammad-railsserver_1    | puma (3.12.1) lib/puma/server.rb:334:in `block in run'
zammad-railsserver_1    | puma (3.12.1) lib/puma/thread_pool.rb:135:in `block in spawn_thread'
zammad-railsserver_1    | logging (2.2.2) lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Okay I can’t help you further with that, sorry.
Please ensure your proxy in front of the rails container is absolutely transparent!

You might want to fiddle around with port exposing of the railsserver (See https://github.com/zammad/zammad-docker-compose/blob/master/containers/zammad/docker-entrypoint.sh for the ports (3000 and 6042)) which might help you out of your issues.

You might also have issues with websockets through two nginxes.
Also please note that you might want to check if the FQDN-Settings (and protocol) are correct within Zammad.

Again, this is not application based, but docker based which we can’t help you with. (at least I won’t, sorry)

I also have the same issue in 3.1 with G Suite OAuth2.
Web servers tried: Apache with default configuration and also reverse proxy apache > nginx. Both with the same result.

I can see the same “authenticity_token” parameter with equal value in POST form data and form input:

<input type="hidden" name="authenticity_token" value="OXYpqPiOn70bMX4uyfK0bmtD+8O7clTIgQbl2LgSHnVdtZxPgbqgECu28H3ICVJ5WfJRjwDxoUoqFUIQrN8kNQ==">

I, [2019-09-17T16:06:29.552884 #7891-47016919858460]  INFO -- : Started GET "/api/v1/online_notifications/?full=true&_=1568650566955" for 2a02:27a1:0:1::1 at 2019-09-17 16:06:29 +0300
I, [2019-09-17T16:06:29.561505 #7891-47016919858460]  INFO -- : Processing by OnlineNotificationsController#index as JSON
I, [2019-09-17T16:06:29.561574 #7891-47016919858460]  INFO -- :   Parameters: {"full"=>"true", "_"=>"1568650566955"}
I, [2019-09-17T16:06:29.587197 #7891-47016919858460]  INFO -- : Completed 200 OK in 26ms (Views: 7.3ms | ActiveRecord: 1.8ms)
I, [2019-09-17T16:06:33.480085 #7891-47016919858140]  INFO -- : Started POST "/auth/google_oauth2" for 2a02:27a1:0:1::1 at 2019-09-17 16:06:33 +0300
F, [2019-09-17T16:06:33.485745 #7891-47016919858140] FATAL -- :
F, [2019-09-17T16:06:33.485792 #7891-47016919858140] FATAL -- : ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
F, [2019-09-17T16:06:33.485832 #7891-47016919858140] FATAL -- :
F, [2019-09-17T16:06:33.539005 #7891-47016919858140] FATAL -- : vendor/bundle/ruby/2.5.0/gems/omniauth-rails_csrf_protection-0.1.2/lib/omniauth/rails_csrf_protection/token_verifier.rb:34:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:209:in `request_call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:188:in `call!'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:192:in `call!'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/strategy.rb:169:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/omniauth-1.9.0/lib/omniauth/builder.rb:64:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/tempfile_reaper.rb:15:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/etag.rb:25:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/conditional_get.rb:38:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/head.rb:12:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/session/abstract/id.rb:232:in `context'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/session/abstract/id.rb:226:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/cookies.rb:670:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/activesupport-5.2.3/lib/active_support/callbacks.rb:98:in `run_callbacks'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/railties-5.2.3/lib/rails/rack/logger.rb:38:in `call_app'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/railties-5.2.3/lib/rails/rack/logger.rb:26:in `block in call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/activesupport-5.2.3/lib/active_support/tagged_logging.rb:71:in `block in tagged'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/activesupport-5.2.3/lib/active_support/tagged_logging.rb:28:in `tagged'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/activesupport-5.2.3/lib/active_support/tagged_logging.rb:71:in `tagged'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/railties-5.2.3/lib/rails/rack/logger.rb:26:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/request_id.rb:27:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/method_override.rb:22:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/runtime.rb:22:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/activesupport-5.2.3/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/executor.rb:14:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/actionpack-5.2.3/lib/action_dispatch/middleware/static.rb:127:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/rack-2.0.7/lib/rack/sendfile.rb:111:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/railties-5.2.3/lib/rails/engine.rb:524:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/puma-3.12.1/lib/puma/configuration.rb:227:in `call'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/puma-3.12.1/lib/puma/server.rb:660:in `handle_request'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/puma-3.12.1/lib/puma/server.rb:474:in `process_client'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/puma-3.12.1/lib/puma/server.rb:334:in `block in run'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/puma-3.12.1/lib/puma/thread_pool.rb:135:in `block in spawn_thread'
[45d44153-b5c9-479b-accb-f8db9674a5da] vendor/bundle/ruby/2.5.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Is the apache FQDN the same as it is within Zammad?

(you can check by rails r "p Setting.get('fqdn')" and rails r "p Setting.get('http_type')")

I solved my issue, it was a reverse-proxy configuration. I needed this line in my nginx config.

proxy_set_header X-Forwarded-Ssl on;

This github issue helped me out.


I was not able to check using command:

RAILS_ENV=production bin/ruby bin/rails r "p Setting.get('fqdn')" and rails r "p Setting.get('http_type')"

returns error
/opt/zammad/vendor/bundle/ruby/2.5.0/gems/pg-0.21.0/lib/pg.rb:56:in `initialize’: FATAL: Peer authentication failed for user “zammad” (PG::ConnectionBad)

Probably I need setup more env variables, so I simply checked in the database:

Yes:

Thank you! Fixed for me with
RequestHeader set X-Forwarded-Ssl on
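
Why the forwarded-scheme header in the two fixes above matters, as an added example that is not part of the original thread and is not Rack, Rails or Zammad code: a simplified Ruby model, assuming the 422 comes from Rails' CSRF origin check comparing the browser's Origin header with the base URL the backend reconstructs from the proxied request. The hostname and the sample requests are constructed.

```ruby
# Added example: simplified model, not Rack, Rails or Zammad source code.
# Keys are Rack env names (X-Forwarded-Ssl arrives as HTTP_X_FORWARDED_SSL).

# Scheme the backend believes the client used, modelled on the precedence
# of Rack 2.0's Rack::Request#scheme.
def backend_scheme(env)
  return 'https' if env['HTTPS'] == 'on'
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  return env['HTTP_X_FORWARDED_SCHEME'] if env['HTTP_X_FORWARDED_SCHEME']
  proto = env['HTTP_X_FORWARDED_PROTO']
  return proto.split(',').first.strip if proto
  env.fetch('rack.url_scheme', 'http')
end

# Base URL as reconstructed by the backend (ports ignored in this model).
def backend_base_url(env)
  "#{backend_scheme(env)}://#{env.fetch('HTTP_HOST')}"
end

# Origin check: no Origin header means nothing to compare; otherwise the
# header must equal the backend's idea of its own base URL.
def origin_check_passes?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == backend_base_url(env)
end

def diagnose(env)
  return :ok if origin_check_passes?(env)
  "rejected: Origin #{env['HTTP_ORIGIN']} != #{backend_base_url(env)}"
end

# Constructed requests, as the app server sees them behind a proxy that
# terminates TLS and talks plain HTTP to the backend.
HOST   = 'zammad.example.test' # placeholder hostname (assumption)
PLAIN  = { 'HTTP_HOST' => HOST, 'rack.url_scheme' => 'http' }.freeze
ORIGIN = { 'HTTP_ORIGIN' => "https://#{HOST}" }.freeze

CASES = {
  'no scheme header, Origin sent' => PLAIN.merge(ORIGIN),
  'no scheme header, no Origin'   => PLAIN,
  'X-Forwarded-Ssl: on'           => PLAIN.merge(ORIGIN).merge('HTTP_X_FORWARDED_SSL' => 'on'),
  'X-Forwarded-Proto: https'      => PLAIN.merge(ORIGIN).merge('HTTP_X_FORWARDED_PROTO' => 'https')
}.freeze

CASES.each { |name, env| puts "#{name}: #{diagnose(env)}" }
```

Only the first case is rejected: the backend computes an http:// base URL while the browser reports an https:// origin. Set the header at the TLS-terminating proxy itself so that any client-supplied value is overwritten.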
