google oauth 2.0 redirect_uri_mismatch (aws ec2 + route53 + nginx + uwgsi + flask + socketio)
google oauth 2.0 redirect_uri_mismatch (aws ec2 + route53 + nginx + uwgsi + flask + socketio)
每当我尝试在我的网站上使用 Google OAuth 2.0 时,我都会收到 redirect_uri_mismatch。我正在使用 aws ec2 + route53 + nginx + uwgsi + flask + socketio
授权重定向 URI:必须添加括号才能删除 link。
- (http)://例子。net/auth/oauth2callback
- (http)s://例子。net/auth/oauth2callback
- (http)://www.example.net/auth/oauth2callback
- (http)s://www.example.net/auth/oauth2callback
- (http)://localhost/auth/oauth2callback
- (http)s://localhost/auth/oauth2callback
我也添加了尾随“/”,但它似乎没有解决任何问题。我怀疑它是 nginx 服务器设置问题或 nginx -> uwsgi -> flask 之间的某些连接问题,因为 google 的错误页面告诉我的重定向 uri 与我放入 Google 的 URI 完全匹配的 OAuth 设置。
这是我的 nginx 服务器配置:
server {
listen 80;
server_name www.example.net;
return 301 http://example.net;
}
server {
listen 80;
server_name example.net;
return 301 https://example.net;
}
server {
listen 443;
server_name example.net;
ssl on;
ssl_certificate /certs.pem;
ssl_certificate_key /private.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers BLANK;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /dhparam.pem;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
client_max_body_size 5M;
location / {
include uwsgi_params;
uwsgi_pass unix:/filename.sock;
}
}
我查阅了很多与此相关的文档。大多数人使用代理并且必须在服务器配置中添加一些行来处理这个问题,但由于我没有使用代理,我相信我不必在我的配置中添加任何这些。 (为了以防万一,我尝试了一些解决方案,但他们似乎仍然无法解决问题。)
在不使用 nginx 和 uwsgi 的情况下,我能够让 OAuth 功能在本地主机上运行。
提前致谢!
编辑--
@TarunLalwani 好的,所以我使用 proxy_pass 让它完成了一半。通过仅添加 proxy_pass 而不添加任何其他内容,我可以进入 Google OAuth 登录页面。但是一旦我授权登录,它会将用户重定向回 127.0.0.1:5000(这是我为 proxy_pass 设置的)。我想我必须做一些反向代理设置。我在 proxy_pass 之后的位置块中添加的内容是:
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
现在反向代理似乎可以工作了,因为 OAuth 又被破坏了。但是 OAuth 2.0 将用户重定向到 http:example.net/auth/oauth2callback 而不是 http:127.0.0.1:5000/auth/oauth2callback
我通过逐行添加每个命令行并重新启动服务器来进行测试。
在添加 proxy_set_header Host $host; 之前,我会得到 http://127.0.0.1:5000/auth/oauth2callback 作为重定向 uri,当我添加该行时,我会得到 http://example.net/auth/oauth2callback 。也许 OAuth 被破坏的原因是因为用户正在获取重定向到 http://example.net/auth/oauth2callback 而不是 https://example.net/auth/oauth2callback ?
编辑 2 --
通过 curl -v https://example.net/auth/oauth2callback 我得到以下信息:
* Trying my.ip...
* Connected to example.net (my.ip) port 443 (#0)
* found 173 certificates in certs
* found 696 certificates in certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: example.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=example.net
* start date: Sun, 10 Sep 2017 22:18:00 GMT
* expire date: Sat, 09 Dec 2017 22:18:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /auth/oauth2callback HTTP/1.1
> Host: feelsbadman.net
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 FOUND
< Server: nginx/1.10.3 (Ubuntu)
< Date: Tue, 12 Sep 2017 07:32:36 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 819
< Connection: keep-alive
< Location: https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fexample.net%2Fauth%2Foauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true
< Strict-Transport-Security: max-age=31536000
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Connection #0 to host example.net left intact
<p>You should be redirected automatically to target URL: <a href="https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fexample.net%2Fauth%2Foauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true">https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http://example.net/auth/oauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true</a>.
您的网站 https://example.net and your return url is going as http://example.net/auth/oauth2callback 被拒绝了。
请确保发送到 google 的 return url 是 https://example.net/auth/oauth2callback 并且在授权重定向 URI
中设置相同
每当我尝试在我的网站上使用 Google OAuth 2.0 时,我都会收到 redirect_uri_mismatch。我正在使用 aws ec2 + route53 + nginx + uwgsi + flask + socketio
授权重定向 URI:必须添加括号才能删除 link。
- (http)://例子。net/auth/oauth2callback
- (http)s://例子。net/auth/oauth2callback
- (http)://www.example.net/auth/oauth2callback
- (http)s://www.example.net/auth/oauth2callback
- (http)://localhost/auth/oauth2callback
- (http)s://localhost/auth/oauth2callback
我也添加了尾随“/”,但它似乎没有解决任何问题。我怀疑它是 nginx 服务器设置问题或 nginx -> uwsgi -> flask 之间的某些连接问题,因为 google 的错误页面告诉我的重定向 uri 与我放入 Google 的 URI 完全匹配的 OAuth 设置。
这是我的 nginx 服务器配置:
server {
listen 80;
server_name www.example.net;
return 301 http://example.net;
}
server {
listen 80;
server_name example.net;
return 301 https://example.net;
}
server {
listen 443;
server_name example.net;
ssl on;
ssl_certificate /certs.pem;
ssl_certificate_key /private.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers BLANK;
ssl_session_cache shared:SSL:50m;
ssl_dhparam /dhparam.pem;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
client_max_body_size 5M;
location / {
include uwsgi_params;
uwsgi_pass unix:/filename.sock;
}
}
我查阅了很多与此相关的文档。大多数人使用代理并且必须在服务器配置中添加一些行来处理这个问题,但由于我没有使用代理,我相信我不必在我的配置中添加任何这些。 (为了以防万一,我尝试了一些解决方案,但他们似乎仍然无法解决问题。)
在不使用 nginx 和 uwsgi 的情况下,我能够让 OAuth 功能在本地主机上运行。
提前致谢!
编辑--
@TarunLalwani 好的,所以我使用 proxy_pass 让它完成了一半。通过仅添加 proxy_pass 而不添加任何其他内容,我可以进入 Google OAuth 登录页面。但是一旦我授权登录,它会将用户重定向回 127.0.0.1:5000(这是我为 proxy_pass 设置的)。我想我必须做一些反向代理设置。我在 proxy_pass 之后的位置块中添加的内容是:
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
现在反向代理似乎可以工作了,因为 OAuth 又被破坏了。但是 OAuth 2.0 将用户重定向到 http:example.net/auth/oauth2callback 而不是 http:127.0.0.1:5000/auth/oauth2callback
我通过逐行添加每个命令行并重新启动服务器来进行测试。
在添加 proxy_set_header Host $host; 之前,我会得到 http://127.0.0.1:5000/auth/oauth2callback 作为重定向 uri,当我添加该行时,我会得到 http://example.net/auth/oauth2callback 。也许 OAuth 被破坏的原因是因为用户正在获取重定向到 http://example.net/auth/oauth2callback 而不是 https://example.net/auth/oauth2callback ?
编辑 2 --
通过 curl -v https://example.net/auth/oauth2callback 我得到以下信息:
* Trying my.ip...
* Connected to example.net (my.ip) port 443 (#0)
* found 173 certificates in certs
* found 696 certificates in certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: example.net (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=example.net
* start date: Sun, 10 Sep 2017 22:18:00 GMT
* expire date: Sat, 09 Dec 2017 22:18:00 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /auth/oauth2callback HTTP/1.1
> Host: feelsbadman.net
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 302 FOUND
< Server: nginx/1.10.3 (Ubuntu)
< Date: Tue, 12 Sep 2017 07:32:36 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 819
< Connection: keep-alive
< Location: https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fexample.net%2Fauth%2Foauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true
< Strict-Transport-Security: max-age=31536000
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
* Connection #0 to host example.net left intact
<p>You should be redirected automatically to target URL: <a href="https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Fexample.net%2Fauth%2Foauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true">https://accounts.google.com/o/oauth2/auth?client_id=myid-asdfasdfasdf.apps.googleusercontent.com&redirect_uri=http://example.net/auth/oauth2callback&scope=email&access_type=offline&response_type=code&include_granted_scopes=true</a>.
您的网站 https://example.net and your return url is going as http://example.net/auth/oauth2callback 被拒绝了。
请确保发送到 google 的 return url 是 https://example.net/auth/oauth2callback 并且在授权重定向 URI
中设置相同