mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-16 13:20:06 -05:00
OpenID Connect Login navigating to 404 (Wrong endpoint) #2834
Closed
opened 2025-11-02 04:50:15 -06:00 by GiteaMirror
·
13 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#2834
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @uncled1023 on GitHub (Jan 28, 2019).
[x]):Nothing interesting in the logs
Description
After setting up an OpenID Connect authentication source, and clicking the 'Sign In with OpenID Connect' button, the page then goes to a 404 page, with the url being what seems to be the authorize endpoint, but appended to the current domain.
My thoughts is that since my openId provider has the same domain but different subdomain as my hosted gitea instance, that gitea is just taking the endpoint and appending it to it's current url.
URL for login button: https://git.teknik.io/user/oauth2/TeknikIdentity
URL after clicking login: https://git.teknik.io/connect/authorize?client_id=&redirect_uri=https%3A%2F%2Fgit.teknik.io%2Fuser%2Foauth2%2FTeknikIdentity%2Fcallback&response_type=code&scope=openid&state=<state_guid>
Here's my current config: https://p.teknik.io/gKeh8
I did try to set it up via a locally ran Gitea instance, and it worked just fine.
Screenshots
@uncled1023 commented on GitHub (Feb 2, 2019):
So I was able to duplicate it while debugging, and followed it to https://github.com/go-gitea/gitea/blob/master/modules/auth/oauth2/oauth2.go#L83 where it passed the correct URL into the http.Redirect function. At that point, I was unable to follow it anymore, but the resulting response had the location header with the incorrect URL. So I suspect something within GO's HTTP.Request() is altering the URL.
@zeripath commented on GitHub (Feb 2, 2019):
Could you try a
curl -I --path-as-isjust to check that it's definitely not being changed by the browser.@uncled1023 commented on GitHub (Feb 2, 2019):
Try that on the expected URL? (https://auth.teknik.io/connect/authorize)Sorry, you meant the entry link for the OAuth.
Here are the results:
Looks like it's not the browser.
@uncled1023 commented on GitHub (Feb 2, 2019):
Here is the same command, ran from the same terminal, but pointing at localhost.
@zeripath commented on GitHub (Feb 2, 2019):
Ok. So you say it definitely passed the correct URL into http.Redirect? (You've definitely got it logged to Stdout?)
Another thing to check is that the response isn't proxied in some way so that it's not being wrapped.
Presumably, you're sitting Gitea behind a proxy is there any way it's munging the URL? I don't know if it's possible to stick some logging in there?
@zeripath commented on GitHub (Feb 2, 2019):
Sorry just saw your reply. Are you running that localhost command on your git.teknik.io box?
Presuming you're running Gitea behind a proxy it would be helpful to see what comes out from Gitea before it gets to the proxy.
@uncled1023 commented on GitHub (Feb 2, 2019):
Yea, i'm positive it's passing the correct URL into http.Redirect()
And yea, i'm running that localhost command on the git.teknik.io box (as well as the original one).
Gitea is running being IIS which is doing a URL rewrite to inbound requests.
Maybe it's something IIS is doing?
@zeripath commented on GitHub (Feb 2, 2019):
I think at this point blaming Microsoft is reasonable.
I have never configured IIS - so I think we're at the limit of my usefulness.
I bet it's something to do with it doing a reverse DNS lookup and then rewriting the host. You probably need to specifically allow Gitea to redirect to auth and turn off rewrites to those URLs. Reply with your fix though because it may be helpful for others and we consider adding something to the docs but I think I'll mark this issue invalid as the problem is not in Gitea.
@uncled1023 commented on GitHub (Feb 2, 2019):
I agree. I'll dig into the rewrite rules and see what I can come up with.
@uncled1023 commented on GitHub (Feb 2, 2019):
Well that was faster than I thought. After looking at the Failed Request logs to see exactly what it did, it turns out the Application Request Routing was changing the Location Header on it's way out. So I went into the configuration for the ARR, and lo and behold, there is a setting called 'Reverse rewrite host in response headers'. Switching that off allowed the URL to come through unaltered.
@zeripath commented on GitHub (Feb 2, 2019):
Lol. Ok, I guess a troubleshooting docs addition might be helpful? If you could either put the change in here or make a PR we can get it in?
@uncled1023 commented on GitHub (Feb 2, 2019):
I'll write something up and make a PR
@zeripath commented on GitHub (Feb 2, 2019):
Cool. Ok I'll close this issue.