oauth2-credentials unauthorized #9151

Closed
enoksaju opened this issue Apr 17, 2024 · 19 comments · Fixed by #9158

@enoksaju

Bug Description

I try to connect with Google APIs, but when I confirm, the callback returns this JSON:

{"status":"error", "message": "Unauthorized"}

The URL is:

/rest/oauth2-credential/callback?

To Reproduce

  1. Add a new Google API credential
  2. Try to connect
  3. When confirming auth, this JSON is shown

Expected behavior

a valid update on credentials

Operating System

Ubuntu 20.04

n8n Version

next

Node.js Version

docker

Database

SQLite (default)

Execution mode

main (default)

@Joffcom
Member

Joffcom commented Apr 17, 2024

Hey @enoksaju,

Do you have the correct url set in the Google application?

Can you also confirm the exact version of n8n you are using as next is a tag and changes.

@enoksaju
Author

> Do you have the correct url set in the Google application?

Yes, this worked before the latest update.

The version is 1.37.1.


@netroy
Member

netroy commented Apr 17, 2024

@enoksaju can you also please share the version this was earlier working on? That might help narrow down the change that might be causing this issue.

@enoksaju
Author

> @enoksaju can you also please share the version this was earlier working on? That might help narrow down the change that might be causing this issue.

Working version: 1.34.2

I tried to pull Docker Compose to that version, but when I access the credentials endpoint it does not load anything and the console shows errors.

@enoksaju
Author

Also, an important thing: after the JSON error is shown, the whole page stops working, and when I reload the page it shows the login page and I need to log in again.

@enoksaju
Author

enoksaju commented Apr 17, 2024

I read about this: #9031 (comment); maybe this causes the issue.

#9031

@netroy
Member

netroy commented Apr 17, 2024

> when I reload the page it shows the login page and I need to log in again

This is likely being caused by #9057
Are you by any chance using Firefox with the multi-account containers extension?

The login screen is showing because somewhere in the auth flow a rest-api call is being made from a context that does not have the correct permission to make this api call, so the cookie is getting invalidated.

Unfortunately I'm unable to reproduce this locally, or on n8n cloud, with Firefox or Chrome.

@enoksaju
Author

> > when I reload the page it shows the login page and I need to log in again
>
> This is likely being caused by #9057
> Are you by any chance using Firefox with the multi-account containers extension?
>
> The login screen is showing because somewhere in the auth flow a rest-api call is being made from a context that does not have the correct permission to make this api call, so the cookie is getting invalidated.
>
> Unfortunately I'm unable to reproduce this locally, or on n8n cloud, with Firefox or Chrome.

Maybe. I think the issue is with browserid and the nodesAccess property, which was removed in new versions.

@hermanekt

Same problem on version 1.37.1 with the LinkedIn and Microsoft Outlook OAuth2 API. After hitting "Connect my account", my session is disconnected. The same happens when directly visiting /rest/oauth2-credential/callback.

@netroy
Member

netroy commented Apr 17, 2024

I think I know what the issue might be.
The callback urls need to be excluded from the new session-hijacking check (until we have a better way to check for urls like these). Still not sure why this isn't failing locally or on cloud instances.
Will send a PR soon after a bit of testing.

@hermanekt

Thanks @netroy for the quick response and quick workaround.

This may also help (our proxy settings with Apache; we are adding an IP header):

RemoteIPHeader CF-Connecting-IP

ProxyPass / http://192.168.XX.XX:5678/ 
ProxyPassReverse / http://192.168.XX.XX:5678/

#Websocket HTTP Upgrade
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://192.168.XX.XX:5678/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://192.168.XX.XX:5678/$1 [P,L]

netroy reopened this Apr 17, 2024

@netroy
Member

netroy commented Apr 17, 2024

We'll release patch releases for 1.37 and 1.38 tomorrow morning (CET).

@enoksaju
Author

> We'll release patch releases for 1.37 and 1.38 tomorrow morning (CET).

I added the change manually in the Docker files at this path: /usr/local/lib/node_modules/n8n/dist/auth/auth.service.js

Then I restarted Docker and the issue is still there.

@enoksaju
Author

image

Maybe the issue is with the browserid validation. I commented out these lines to exclude the browser id validation and now it is working.

@enoksaju
Author

I see, req.baseUrl returns /rest/oauth2-credential instead of /rest/oauth2-credential/callback

@enoksaju
Author

enoksaju commented Apr 17, 2024

Fixed with this, @netroy @Joffcom:

const skipBrowserIdCheckEndpoints = [
        `/${restEndpoint}/push`,
        `/${restEndpoint}/binary-data`,
        `/${restEndpoint}/oauth2-credential`,
        `/${restEndpoint}/oauth1-credential`,
];
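
The mismatch described in this thread, as an added example that is not n8n's code or any participant's: a minimal model of an Express-style request, where `req.baseUrl` holds only the router's mount path, run against a hypothetical browser-ID session check. `makeRequest`, `checkSession`, the `key` parameter and all sample values are assumptions made for illustration.

```javascript
const restEndpoint = 'rest'; // prefix seen in the URLs quoted in the thread

// Express-style request: baseUrl is the router's mount path, path is the remainder.
function makeRequest(mountPath, url, browserId) {
  const pathname = url.split('?')[0];
  return { baseUrl: mountPath, path: pathname.slice(mountPath.length) || '/', browserId };
}

// Hypothetical check: the session remembers the browser ID it was issued to.
// A mismatch is treated as session hijacking and the cookie is cleared,
// which is why the user lands on the login page afterwards.
function checkSession(req, session, skipList, key = (r) => r.baseUrl) {
  if (skipList.includes(key(req))) return { authorized: true, cookieCleared: false };
  const ok = req.browserId === session.browserId;
  return { authorized: ok, cookieCleared: !ok };
}

const session = { browserId: 'constructed-browser-id' }; // session cookie assumed valid
const mount = `/${restEndpoint}/oauth2-credential`;

// Assumption: the provider's redirect to the callback is a plain navigation that
// carries the session cookie but no browser ID.
const callback = makeRequest(mount, `${mount}/callback?code=constructed`, undefined);
// Constructed sibling route on the same router, also without a browser ID.
const sibling = makeRequest(mount, `${mount}/constructed-other`, undefined);

const fullRoute = (r) => r.baseUrl + r.path;

function demo() {
  return {
    // Full route in the list, compared with req.baseUrl: never matches.
    listedFullRoute: checkSession(callback, session, [`${mount}/callback`]),
    // Mount path in the list (the form posted above): the callback passes...
    listedMountPath: checkSession(callback, session, [mount]),
    // ...and so does every other route on that router.
    siblingViaMountPath: checkSession(sibling, session, [mount]),
    // Comparing baseUrl + path keeps the exemption to the callback only.
    siblingViaFullRoute: checkSession(sibling, session, [`${mount}/callback`], fullRoute),
    callbackViaFullRoute: checkSession(callback, session, [`${mount}/callback`], fullRoute),
  };
}

console.log(demo());
```

Matching on the mount path widens the exemption to the whole router; comparing `baseUrl + path` is one way to keep it to the callback route.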

@netroy
Member

netroy commented Apr 18, 2024

Fix released in 1.37.3 and 1.38.1.

@danielpsf-grover

I have the same issue, with Slack OAUTH2 flow, even in the most recent version. 😢


@netroy
Member

netroy commented Jun 12, 2024

@danielpsf-grover I've been trying to reproduce this with no luck so far.
Is it possible that maybe you have a reverse-proxy in the front that is modifying urls or requests?
