I'm working on a rails app that authenticates using Bungie OAuth using this gem. My configurations in initializers/devise.rb are as follows:

config.omniauth :bungie, ENV['CLIENT_ID'], ENV['CLIENT_SECRET'], ENV['X_API_KEY'], ENV['REDIRECT_URL']

Bungie's developer portal requires a redirect URL with HTTPS, so I've pushed my application to Heroku and used a redirect to force authentication back to localhost for testing. Using this method, everything works fine. However, when I push the app to production, the response back to my application from Bungie fails with OAuth2::Error, invalid_request: redirect_uri does not match application configuration. The redirect_url is the exact same thing in both my application's env variables and on Bungie's development portal.

Seeing as it's in production, I'm limited to the logs that I can see. I've tried tracking the requests in the network tab of the dev tools in my browser, but everything looks as it should.

I've tried working with the developer of the bungie-oauth2 gem, but we have not been able to come to a resolution (and his prod apps work fine with it).

Is there anything that might cause the redirect_url to differ once in Heroku?

As requested, here is my route for omniauth:

devise_for :users, :controllers => { :omniauth_callbacks => "users/omniauth_callbacks" }

Output from rake routes:

 users_sign_out GET      /users/sign_out(.:format)             devise/sessions#destroy
          new_user_session GET      /users/sign_in(.:format)              devise/sessions#new
              user_session POST     /users/sign_in(.:format)              devise/sessions#create
      destroy_user_session DELETE   /users/sign_out(.:format)             devise/sessions#destroy
user_bungie_omniauth_authorize GET|POST /users/auth/bungie(.:format)          users/omniauth_callbacks#passthru
user_bungie_omniauth_callback GET|POST /users/auth/bungie/callback(.:format) users/omniauth_callbacks#bungie
         new_user_password GET      /users/password/new(.:format)         devise/passwords#new
        edit_user_password GET      /users/password/edit(.:format)        devise/passwords#edit
             user_password PATCH    /users/password(.:format)             devise/passwords#update
                           PUT      /users/password(.:format)             devise/passwords#update
                           POST     /users/password(.:format)             devise/passwords#create
  cancel_user_registration GET      /users/cancel(.:format)               devise/registrations#cancel
     new_user_registration GET      /users/sign_up(.:format)              devise/registrations#new
    edit_user_registration GET      /users/edit(.:format)                 devise/registrations#edit
         user_registration PATCH    /users(.:format)                      devise/registrations#update
                           PUT      /users(.:format)                      devise/registrations#update
                           DELETE   /users(.:format)                      devise/registrations#destroy
                           POST     /users(.:format)                      devise/registrations#create

and my controller:

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  # Reached when Bungie redirects back to /users/auth/bungie/callback
  # (see the user_bungie_omniauth_callback route above)
  def bungie
    @user = User.from_omniauth(request.env["omniauth.auth"])

    if @user.persisted?
      @user.remember_me = true
      sign_in_and_redirect @user, :event => :authentication
    else
      # Keep the OAuth payload so the sign-up flow can finish it later
      session["devise.bungie_data"] = request.env["omniauth.auth"]
      redirect_to root_path
    end
  end
end

Full source can be found at https://github.com/destiny-aviato/destinder.

Luminusss
  • The redirect URI should have the same domain/origin as the URL of the original request. Often an OAuth provider requires you to set a site URL when you register the OAuth application (Facebook, Google, etc.), so the redirect URI should match it too. Please check them all. – andrykonchin Aug 12 '17 at 09:08
  • Yeah, as I mentioned in the post, the redirect_url is the exact same thing in both my application's env variables and on Bungie's development portal. – Luminusss Aug 12 '17 at 17:34
  • Does the request URL match the URL of your site? Same protocol (http/https), same domain? – andrykonchin Aug 13 '17 at 16:26
  • Could you share the OmniAuth-relevant lines of your Rails application's routes.rb and the redirect_url set in Bungie's developer portal? – Ahmet Aygun Aug 13 '17 at 20:48
  • @AhmetAYGÜN I added all the relevant omniauth code for you. My callback url is `https://destinder.herokuapp.com/users/auth/bungie/callback` in both the heroku config variables and on the developer portal for bungie. I've even tried setting it directly in devise.rb and not using an env variable and that still doesn't work. – Luminusss Aug 14 '17 at 13:57
  • Add `Rails.logger.info "Received OAUTH request, sending redirect_uri with value: #{ENV['REDIRECT_URL']}"` to your controller action. This way you can push to production in Heroku, then review your logs after you perform the integration to ensure that the value is being appropriately set at runtime. – anothermh Aug 14 '17 at 23:21
  • @anothermh I added it but it never got hit, so I added it to my failure method and this is the output which looks exactly right: `Received OAUTH request, sending redirect_uri with value: https://destinder.herokuapp.com/users/auth/bungie/callback`. I tried logging `request.env["omniauth.auth"]` as well to see what the output was, and on production it didn't even return anything. – Luminusss Aug 15 '17 at 03:26
  • @xTopShelfx Then you need to share more of your code, including your routes. If your callback URI is never accessed then you've got something misconfigured. – anothermh Aug 15 '17 at 22:09
  • @anothermh Not sure what else to share that's OmniAuth related; I already included my routes in the post. I'll add my actual routes, but let me know what else you would like to see. As I mentioned, this works just fine in development; I'm thinking it may be an issue with Heroku? – Luminusss Aug 16 '17 at 23:52
  • Do you check your environment variables? Maybe environment variables are missing. – Weibo Chen Aug 17 '17 at 04:34

2 Answers

The encoding of the redirect_uri param in your auth request to Bungie jumps out:

https%25253A%25252F%25252Fdestinder.herokuapp.com%25252Fusers%25252Fauth%25252Fbungie%25252Fcallback

To read it in plain text, I had to decode it thrice. Normally params are encoded just once.

require 'uri'
# URI.decode was removed in Ruby 3.0; URI.decode_www_form_component does the same job on this string
URI.decode_www_form_component(URI.decode_www_form_component(URI.decode_www_form_component("https%25253A%25252F%25252Fdestinder.herokuapp.com%25252Fusers%25252Fauth%25252Fbungie%25252Fcallback")))

Not sure if this is what's causing the issue. Can you check how many times request_uri gets encoded when you hit it from local? If it's less than 3, then during Heroku deployment your request_uri gets encoded one extra time.

To get request_uri for local, log out from Bungie and click "Sign in with bungie" on your local. The URL in the browser would have request_uri.

Vijay Agrawal
  • Thanks! I am actually seeing the opposite though, on Heroku I only need to decode it twice, while on local I need to decode it three times. – Luminusss Aug 17 '17 at 13:36
  • Either way, they both should be the same. You might have some issue here. – Vijay Agrawal Aug 17 '17 at 14:57
  • Any ideas on how to resolve that on the prod side? Would that be something omniauth or the gem handles specifically? – Luminusss Aug 17 '17 at 15:11
  • Can you post the full bungie url for both when you hit it from local and heroku? – Vijay Agrawal Aug 17 '17 at 16:18
  • from heroku: `"https://www.bungie.net/en/OAuth/SignIn?client_id=20781&bru=%252fen%252foauth%252fauthorize%253fclient_id%253d20781%2526redirect_uri%253dhttps%25253A%25252F%25252Fdestinder.herokuapp.com%25252Fusers%25252Fauth%25252Fbungie%25252Fcallback%2526response_type%253dcode%2526state%253db6fa2283d6a8b7ffc426f47a7aae2abae986300e4184d6a5"` – Luminusss Aug 17 '17 at 17:58
  • Look same to me – Vijay Agrawal Aug 17 '17 at 18:27
  • local: `"https://www.bungie.net/en/OAuth/SignIn?client_id=13736&bru=%252fen%252foauth%252fauthorize%253fclient_id%253d13736%2526redirect_uri%253dhttps%25253A%25252F%25252Fglacial-savannah-28014.herokuapp.com%25252Fusers%25252Fauth%25252Fbungie%25252Fcallback%2526response_type%253dcode%2526state%253ddc5b35312d4a3931cf0e59a18bac2ab186171214951fc509"` – Luminusss Aug 17 '17 at 18:36
  • Sorry, added the same one twice. Note that the redirect is different because I need another redirect back to localhost in order to get around https requirements – Luminusss Aug 17 '17 at 18:37
  • Looks like a false alarm; the encoding in both URLs is the same. – Vijay Agrawal Aug 17 '17 at 20:33
  • If I were you I would add your localhost Bungie settings (client_id, url etc.) to the Heroku app. Change `glacial-savannah-28014.herokuapp.com` to redirect to `heroku` instead of localhost and expect everything to work. If everything works then the issue is with the setup of client `20781`. – Vijay Agrawal Aug 17 '17 at 20:39
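Added example, not code from the question, either answer, or the bungie-oauth2 gem: a stand-alone Ruby script that automates the check this answer describes (how many decode passes the redirect_uri needs) and the check the question is really asking for (which part of the redirect URL differs from the registered one). It peels the `bru` wrapper of a Bungie sign-in URL layer by layer, counts the passes until `redirect_uri` is plain text, then diffs that value against the registered callback component by component, since providers match redirect URIs as exact strings. The sample URL is the one quoted in the comments with the `state` value replaced by a placeholder; the over-encoded variant is constructed to show what an extra encoding layer looks like; the function names are my own.

```ruby
require 'uri'

# Constructed sample: the redirect_uri exactly as it appears in the sign-in
# URL quoted in the comments above (three percent-encoding layers deep).
REDIRECT_AS_SENT = "https%25253A%25252F%25252Fdestinder.herokuapp.com%25252Fusers%25252Fauth%25252Fbungie%25252Fcallback"

# Constructed sample: the full Bungie sign-in URL from the comments, with the
# state value swapped for a placeholder.
SAMPLE_SIGNIN_URL = "https://www.bungie.net/en/OAuth/SignIn?client_id=20781" \
  "&bru=%252fen%252foauth%252fauthorize%253fclient_id%253d20781%2526redirect_uri%253d#{REDIRECT_AS_SENT}" \
  "%2526response_type%253dcode%2526state%253dSTATE_PLACEHOLDER"

# Constructed variant: the same URL with redirect_uri encoded one extra time,
# the kind of drift between environments the answer tells you to look for.
OVER_ENCODED_URL = SAMPLE_SIGNIN_URL.sub(REDIRECT_AS_SENT, REDIRECT_AS_SENT.gsub('%', '%25'))

# Recover the redirect_uri the provider will compare against its registered
# value, counting how many decode passes it took to reach plain text.
# Returns [redirect_uri, passes].
def extract_redirect_uri(signin_url)
  outer = URI.parse(signin_url)
  outer_params = URI.decode_www_form(outer.query.to_s).to_h  # pass 1
  bru = outer_params.fetch('bru')
  passes = 1

  # bru wraps the real /oauth/authorize request; peel layers until it is a
  # plain path, refusing to spin forever on a malformed value.
  until bru.start_with?('/')
    decoded = URI.decode_www_form_component(bru)
    raise ArgumentError, "bru never decodes to a path: #{bru}" if decoded == bru
    bru = decoded
    passes += 1
  end

  inner_query = bru.split('?', 2)[1].to_s
  inner_params = URI.decode_www_form(inner_query).to_h  # one more pass
  passes += 1
  redirect_uri = inner_params.fetch('redirect_uri')

  # Any '%' left here means the value was encoded more often than the
  # transport needed; keep peeling and count the extra passes.
  while redirect_uri.include?('%')
    begin
      decoded = URI.decode_www_form_component(redirect_uri)
    rescue ArgumentError
      break  # a literal, undecodable '%': nothing more to peel
    end
    break if decoded == redirect_uri
    redirect_uri = decoded
    passes += 1
  end

  [redirect_uri, passes]
end

# Compare the received redirect_uri with the registered one component by
# component (OAuth providers match it as an exact string), so the report
# names what differs instead of just "does not match".
def redirect_uri_mismatches(received, registered)
  a, b = URI.parse(received), URI.parse(registered)
  checks = {
    exact:  received == registered,
    scheme: a.scheme == b.scheme,
    host:   a.host == b.host,
    port:   a.port == b.port,
    path:   a.path == b.path,
    query:  a.query == b.query
  }
  checks.reject { |_, same| same }.keys
end

def diagnose(signin_url, registered_redirect_uri)
  received, passes = extract_redirect_uri(signin_url)
  { received: received, decode_passes: passes,
    mismatches: redirect_uri_mismatches(received, registered_redirect_uri) }
end

if __FILE__ == $PROGRAM_NAME
  registered = "https://destinder.herokuapp.com/users/auth/bungie/callback"
  [SAMPLE_SIGNIN_URL, OVER_ENCODED_URL].each { |url| p diagnose(url, registered) }
end
```

Run it against the sign-in URL copied from each environment's browser bar: a clean request reports three decode passes and an empty mismatch list; a higher pass count means some layer (the app, a proxy, or a redirect) encoded the value once more than it should, and a non-empty list names the component (scheme, host, port, path, query) that disagrees with what is registered on the developer portal.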

Replace the redirect URL of your Heroku application in the credentials.

bk chovatiya