Issue with OAuth redirect URI: http vs https mismatch #4048

Closed
alexwennerberg opened this issue Aug 6, 2019 · 6 comments
@alexwennerberg

Issue Summary

I'm following this guide: https://redash.io/help/open-source/admin-guide/google-developer-account-setup

To set up Redash on my server, which is running on docker compose via the Google Compute Engine instances that Redash provides on their website. I configured HTTPS according to this guide: https://gist.github.com/arikfr/64c9ff8d2f2b703d4e44fe9e45a7730e and I am setting up OAuth through Google.

Steps to Reproduce

  1. Follow this guide exactly: https://redash.io/help/open-source/admin-guide/google-developer-account-setup
  2. Try and log in via OAuth

I received this error:

Error 400: redirect_uri_mismatch

The redirect URI in the request, http://[domain].com/oauth/google_callback, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: [URL]

My suspicion is that the redirect URI that Redash provides is http, whereas the redirect URI that the Redash guide has me type into Google is https. This error vanished after I changed the authorized URL for my OAuth Client to the http URL; however, I received a different error, an Internal Server Error in the Redash app and, in the logs, OAuthException: Invalid response from google. Not sure if this is an unrelated issue, but this http/https change is inconsistent with the Google OAuth docs at the very least.

Technical details:

  • Redash Version: 5.0.2
  • Browser/OS: Firefox / Debian 10
  • How did you install Redash: See above
alexwennerberg changed the title from "Issue with redirect URI: http vs https mismatch" to "Issue with OAuth redirect URI: http vs https mismatch" on Aug 6, 2019
@Gitii

Gitii commented Aug 9, 2019

I had a similar issue (https is required, got http -> oauth failed).
There has been an issue filed for this (http+saml using reverse proxy). The described solution was to include certain HTTP headers to inform Redash that the external scheme is https.
Did not work for me though.
I patched saml.py to use https for the scheme and that worked.

@arikfr
Member

arikfr commented Aug 11, 2019

@alexwennerberg sounds like the nginx doesn't pass the correct protocol to the Python code. Can you try changing line 61 in nginx.conf from:

proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

to:

proxy_set_header X-Forwarded-Proto $scheme;
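
Why this directive decides the scheme of the redirect URI, as an added example that is not part of the thread or of Redash's code: a small Python model of the nginx-to-app hop, assuming nginx terminates TLS itself and the app takes the scheme from X-Forwarded-Proto. The function names and the host redash.example.com are made up for the illustration.

```python
# Added illustration: a model of the nginx -> app hop, not Redash or nginx code.
# All function names and the host name are hypothetical.

CALLBACK_PATH = "/oauth/google_callback"  # path shown in the error message above


def nginx_forwarded_proto(directive_value, client_headers, listener_scheme):
    """Return the X-Forwarded-Proto value nginx sends upstream, or None.

    $http_x_forwarded_proto copies whatever header the client sent to nginx;
    $scheme is the scheme of the connection nginx itself accepted.
    nginx does not pass a proxy_set_header field whose value is empty.
    """
    if directive_value == "$http_x_forwarded_proto":
        value = client_headers.get("X-Forwarded-Proto", "")
    elif directive_value == "$scheme":
        value = listener_scheme
    else:
        raise ValueError("unsupported value: %r" % directive_value)
    return value or None


def upstream_environ(forwarded_proto, host):
    """WSGI environ the app sees; the nginx -> app connection is plain HTTP."""
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": host}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def callback_url(environ):
    """Build the redirect URI from the proxy header, else the socket scheme."""
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    if scheme not in ("http", "https"):  # ignore anything unexpected
        scheme = environ["wsgi.url_scheme"]
    return "%s://%s%s" % (scheme, environ["HTTP_HOST"], CALLBACK_PATH)


def redirect_uri_for(directive_value, client_headers=None,
                     listener_scheme="https", host="redash.example.com"):
    """End to end: browser -> nginx (TLS) -> app, returning the redirect URI."""
    proto = nginx_forwarded_proto(directive_value, client_headers or {},
                                  listener_scheme)
    return callback_url(upstream_environ(proto, host))


if __name__ == "__main__":
    for value in ("$http_x_forwarded_proto", "$scheme"):
        print(value, "->", redirect_uri_for(value))
```

When a load balancer in front of nginx terminates TLS instead, `$scheme` reports http and the `$http_x_forwarded_proto` form is the one that carries the external scheme, so the right value depends on which hop accepts the HTTPS connection.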

@alexwennerberg
Author

alexwennerberg commented Aug 13, 2019

@arikfr Thanks! After I did that, it got past the first error, but I encountered another error after attempting to authenticate:

Internal Server Error

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

This is the same as the OAuthException: Invalid response from google error I mentioned above.

@alexwennerberg
Author

This issue had to do with me copy/pasting the client ID incorrectly. Issue was resolved and unrelated to Redash.

@zhongshaoming1

Thanks master!

@arikfr
Member

arikfr commented Apr 3, 2023

This is not related to the issue, but I assume that the issue author or followers might have SAML enabled for their deployment and should be aware of the following Security Advisory: #5961. This affects all Redash versions and should be patched immediately.
