Omniauth and open_id with Google broken when running behind nginx in SSL mode


Problem description

Rails 3.0.12, newest omniauth, I can connect to Google and get the user's email address just fine. But then I run that same rails app behind nginx in SSL mode, and it fails with the Google page:

"The page you requested is invalid."

Is it my nginx config? My omniauth setup?

I know the X-Forwarded-Proto: https is the special sauce here, is there anything else I need to do to get openid happy behind an SSL web server?

Here's the full example code: you can clone this repo, bundle install, and run rails s to see it work just fine, then run rake server to see it fail. https://github.com/jjulian/open_id_ssl

nginx.conf:

worker_processes  2;
pid        tmp/nginx.pid;
error_log  log/error.log;
daemon     off;

events {
}

http {
  client_body_temp_path tmp/body;
  proxy_temp_path       tmp/proxy;
  fastcgi_temp_path     tmp/fastcgi;
  uwsgi_temp_path       tmp/uwsgi;
  scgi_temp_path        tmp/scgi;

  server {
    listen 3000 ssl;
    ssl_certificate      development.crt;
    ssl_certificate_key  development.key;
    ssl_verify_depth     6;

    access_log log/access.log;
    proxy_buffering off;
    location / {
      proxy_pass        http://127.0.0.1:3300;
      proxy_set_header  X-Real-IP        $remote_addr;
      proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header  Host             $http_host;
      proxy_redirect    off;
      proxy_set_header  X-Forwarded-Proto https;
    }
  }
}

omniauth.rb initializer:

require 'openid/store/filesystem'

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :open_id, :identifier => 'https://www.google.com/accounts/o8/id'
end

routes.rb:

OpenIdSsl::Application.routes.draw do
  match '/auth/open_id/callback' => 'accounts#update'
  match '/auth/failure' => 'accounts#failure'
  root :to => 'accounts#show'
end

UPDATE: This example used Rails 3.1.12 and OmniAuth 1.0.3. Upgrading to Rails 3.1.4 and OmniAuth 1.1.0 fixes the issue.

Recommended answer

Found your problem, I am still trying to find something cleaner but here is the quick & dirty fix:

Add this in your config/initializers/omniauth.rb:

class Rack::OpenID
  def realm_url(req)
    'https://localhost:3000'
  end
end

And now for the explanation: when the rack-openid gem builds the request to send to the Google OpenID server, it fails in one spot, using the Rails application access URL and not the nginx one (which uses SSL), resulting in this being sent to the OpenID server:

openid.realm:http://localhost:3001
openid.return_to:https://localhost:3001/auth/open_id/callback

The realm uses the http URL (Rails URL) while the return_to points to the right https URL (nginx); when the OpenID server sees this, it stops and returns an error.

PS: I will edit the answer if I manage to find a cleaner way.
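
The realm/return_to mismatch described in the answer, as an added example that is not part of the original post or of rack-openid: it applies the OpenID 2.0 (section 9.2) realm-matching rules to the two values shown above, and derives the public base URL from the proxy headers instead of hard-coding it. The helper names `external_base_url` and `return_to_matches_realm?` and the sample env are hypothetical, and trusting `X-Forwarded-Proto` assumes the app server is reachable only through nginx (as with the `127.0.0.1:3300` upstream in the question).

```ruby
require 'uri'

# Rebuild the public base URL from a Rack env hash. X-Forwarded-Proto is
# trusted here on the assumption that only the nginx proxy can reach the app.
def external_base_url(env)
  proto = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme'] || 'http'
  scheme = proto.split(',').first.strip.downcase
  "#{scheme}://#{env['HTTP_HOST']}"
end

# OpenID 2.0 section 9.2: return_to matches the realm only if scheme and port
# are identical, the host is equal (or falls under a "*." wildcard realm, on a
# dot boundary), and the path is equal to or below the realm's path.
def return_to_matches_realm?(realm, return_to)
  wildcard = realm.include?('://*.')
  r = URI.parse(realm.sub('://*.', '://'))
  u = URI.parse(return_to)
  return false unless r.scheme == u.scheme && r.port == u.port

  r_host = r.host.downcase
  u_host = u.host.downcase
  host_ok = u_host == r_host || (wildcard && u_host.end_with?(".#{r_host}"))
  return false unless host_ok

  realm_path = r.path.empty? ? '/' : r.path
  url_path = u.path.empty? ? '/' : u.path
  realm_dir = realm_path.end_with?('/') ? realm_path : "#{realm_path}/"
  url_path == realm_path || url_path.start_with?(realm_dir)
end

# Constructed Rack env for a request forwarded by the nginx.conf in the question.
SAMPLE_ENV = {
  'rack.url_scheme'        => 'http',           # what the app server itself sees
  'HTTP_HOST'              => 'localhost:3000', # Host header passed through by nginx
  'HTTP_X_FORWARDED_PROTO' => 'https'
}.freeze

if __FILE__ == $PROGRAM_NAME
  return_to = 'https://localhost:3001/auth/open_id/callback'
  # The pair from the answer: the http realm does not cover the https return_to.
  puts return_to_matches_realm?('http://localhost:3001', return_to)
  puts return_to_matches_realm?('https://localhost:3001', return_to)
  puts external_base_url(SAMPLE_ENV)
end
```

Running the same check against the realm and return_to an application actually emits is a quick way to confirm that a proxy or framework upgrade has not reintroduced the scheme mismatch.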
