I have…
- [X] Checked the logs and have provided the logs if I found something suspicious there
I’m submitting a…
- [ ] Regression (a behavior that stopped working in a new release)
- [X] Bug report
- [ ] Performance issue
- [ ] Documentation issue or request
Current behavior
With Squidex running on HTTP only, behind a reverse proxy (nginx) that is managing an SSL connection for it, the Squidex Login popup is displaying an error:
“Operation failed, invalid redirect_uri”.
The AllowedRedirectUris variable is showing only HTTP versions of the urls and not the HTTPS versions.
I have included X-Forwarded-For and X-Forwarded-Proto headers from nginx, but it does not look like you are using the ForwardedHeaders middleware.
Expected behavior
Login popup to appear and allow login using a local admin account
Minimal reproduction of the problem
nginx with config for SSL, include X-Forwarded headers
squidex running http only - not running in Developer mode
Environment
- [ ] Self hosted with docker
- [ ] Self hosted with IIS
- [X] Self hosted with other version
- [ ] Cloud version
Version: [VERSION]
4.4 hosted in Kestrel
Browser:
- [X] Chrome (desktop)
- [ ] Chrome (Android)
- [ ] Chrome (iOS)
- [ ] Firefox
- [ ] Safari (desktop)
- [ ] Safari (iOS)
- [ ] IE
- [ ] Edge
Others:
You just have to configure the URLS__BASEURL setting with https. The URLs are generated outside of an HTTP request context when the application starts; therefore the additional config is needed.
I thought I was doing that in the appsettings.json file…
{
  "mode": {
    /*
     * Use this flag to set Squidex to readonly, e.g. when you deploy a second instance for migration.
     */
    "isReadonly": false
  },
  "urls": {
    /*
     * Set the base url of your application, to generate correct urls in background process.
     */
    "baseUrl": "https://squidex.mydomain.net",
    /*
     * Set it to true to redirect the user from http to https permanently.
     */
    "enforceHttps": false
  },
Yes, are you sure this works properly in your case? Because the URL generation uses this.
It isn't working as expected, here is the log…
"logLevel": "Information",
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "message": "{\n \u0022ClientId\u0022: \u0022squidex-frontend\u0022,\n \u0022ClientName\u0022: \u0022squidex-frontend\u0022,\n \u0022AllowedRedirectUris\u0022: [\n \u0022http://squidex.dev-evetsitesv4.net/login;\u0022,\n \u0022http://squidex.dev-evetsitesv4.net/client-callback-silent\u0022,\n \u0022http://squidex.dev-evetsitesv4.net/client-callback-popup\u0022\n ],\n \u0022SubjectId\u0022: \u0022anonymous\u0022,\n \u0022RequestedScopes\u0022: \u0022\u0022,\n \u0022Raw\u0022: {\n \u0022client_id\u0022: \u0022squidex-frontend\u0022,\n \u0022redirect_uri\u0022: \u0022https://squidex.dev-evetsitesv4.net/client-callback-popup\u0022,\n \u0022response_type\u0022: \u0022id_token token\u0022,\n \u0022scope\u0022: \u0022squidex-api openid profile email squidex-profile role permissions\u0022,\n \u0022state\u0022: \u0022e63f75894cd041f79c4ced053cd81034\u0022,\n \u0022nonce\u0022: \u002237e3a003cc1d48af9b9ac1fc913147c7\u0022,\n \u0022display\u0022: \u0022popup\u0022\n }\n}",
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "@validationDetails": "{\n \u0022ClientId\u0022: \u0022squidex-frontend\u0022,\n \u0022ClientName\u0022: \u0022squidex-frontend\u0022,\n \u0022AllowedRedirectUris\u0022: [\n \u0022http://squidex.dev-evetsitesv4.net/login;\u0022,\n \u0022http://squidex.dev-evetsitesv4.net/client-callback-silent\u0022,\n \u0022http://squidex.dev-evetsitesv4.net/client-callback-popup\u0022\n ],\n \u0022SubjectId\u0022: \u0022anonymous\u0022,\n \u0022RequestedScopes\u0022: \u0022\u0022,\n \u0022Raw\u0022: {\n \u0022client_id\u0022: \u0022squidex-frontend\u0022,\n \u0022redirect_uri\u0022: \u0022https://squidex.dev-evetsitesv4.net/client-callback-popup\u0022,\n \u0022response_type\u0022: \u0022id_token token\u0022,\n \u0022scope\u0022: \u0022squidex-api openid profile email squidex-profile role permissions\u0022,\n \u0022state\u0022: \u0022e63f75894cd041f79c4ced053cd81034\u0022,\n \u0022nonce\u0022: \u002237e3a003cc1d48af9b9ac1fc913147c7\u0022,\n \u0022display\u0022: \u0022popup\u0022\n }\n}",
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "app": {
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "name": "Squidex",
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "version": "4.4.0.0",
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: "sessionId": "98535b3b-43ad-4a62-8b1f-36a235047b75"
Aug 13 12:38:12 evsdevsqd01 squidex[18871]: }
As you can see, the AllowedRedirectUri is HTTP, and not HTTPS.
I believe you. Can you check the very first log where Squidex prints out the config and ensure that base url is correct?
Thanks 
Indeed, even though I have it stated in my appsettings.json that the baseurl is “https”, on startup I am seeing
Aug 13 12:59:43 evsdevsqd01 squidex[24099]: "urls": "http://*:5000",
Aug 13 12:59:43 evsdevsqd01 squidex[24099]: "urls:baseurl": "http://squidex.dev-evetsitesv4.net",
Aug 13 12:59:43 evsdevsqd01 squidex[24099]: "urls:enablexforwardedhost": "False",
Aug 13 12:59:43 evsdevsqd01 squidex[24099]: "urls:enforcehttps": "False"
So, not really sure where it is picking that up from… as I don't have the non-HTTPS URL anywhere else in the file.
You are also deploying development mode, I think… not sure, but usually it runs under port 80.
In my service file, I am using
Environment=ASPNETCORE_ENVIRONMENT=Production
Environment=ASPNETCORE_URLS=http://*:5000
But other than that, I have nothing else referencing that url. Is it possible that that _URLS env variable is causing a reset to the appsettings.json file? If so, is it possible to redefine that in an env variable?
Actually, I rebooted the server and it is now picking up the baseurl path from the appsettings.json file.
Sorry for the bother Sebastian
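A diagnostic sketch for the failure in this thread, added here as an example and not part of the original posts or of Squidex: it decodes the escaped validation details from the log and reports when the requested redirect_uri differs from a registered one only by scheme. The function names and the `squidex.example.test` sample are constructed, and exact-string matching of redirect URIs is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the "@validationDetails" value in the log above.
# The hostname is a placeholder; \u0022 and \n are the logger's escapes.
SAMPLE_LOGGED = (
    r"{\n \u0022ClientId\u0022: \u0022squidex-frontend\u0022,"
    r"\n \u0022AllowedRedirectUris\u0022: ["
    r"\n \u0022http://squidex.example.test/client-callback-silent\u0022,"
    r"\n \u0022http://squidex.example.test/client-callback-popup\u0022\n ],"
    r"\n \u0022Raw\u0022: {\n \u0022redirect_uri\u0022: "
    r"\u0022https://squidex.example.test/client-callback-popup\u0022\n }\n}"
)


def decode_logged_value(escaped):
    """Undo the logger's escaping: the value is the body of a JSON string literal."""
    return json.loads('"' + escaped + '"')


def diagnose_redirect_uri(details_json):
    """Classify a redirect_uri check as match, scheme_mismatch or no_match."""
    details = json.loads(details_json)
    requested = details["Raw"]["redirect_uri"]
    allowed = details.get("AllowedRedirectUris", [])
    if requested in allowed:  # assumption: the server compares exact strings
        return {"status": "match", "requested": requested}
    req = urlsplit(requested)
    for candidate in allowed:
        cand = urlsplit(candidate)
        same_target = (cand.netloc.lower(), cand.path, cand.query) == (
            req.netloc.lower(), req.path, req.query)
        if same_target and cand.scheme != req.scheme:
            # Typical of TLS terminated at a proxy while the app builds http URLs.
            return {"status": "scheme_mismatch", "requested": requested,
                    "registered": candidate,
                    "hint": "registered URIs use %s://; check the base URL "
                            "the application printed at startup" % cand.scheme}
    return {"status": "no_match", "requested": requested}


if __name__ == "__main__":
    print(diagnose_redirect_uri(decode_logged_value(SAMPLE_LOGGED)))
```
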