OAuth URL generation issue when reverse proxy from HTTP to HTTPS

[ArlindoFNeto]

When the plugin is used in an HTTP environment that is later converted to HTTPS (e.g. commonly used in container reverse proxies), the generated OAuth URL remains in HTTP, causing the "redirect_uri_mismatch" error. This happens because the method $this->getCurrentURL() returns the current URL as HTTP.

Since Google no longer allows the registration of OAuth URLs using HTTP, this behavior prevents proper integration. To ensure compatibility and security, the plugin should always return the URL as HTTPS.

The proposed solution is to change the file inc/provider.class.php in two places (here and here)

from
'redirect_uri' => $this->getCurrentURL(),
to
redirect_uri' => str_replace("http://", "https://", $this->getCurrentURL()),

Maybe this is not the best fix, but it works for me! :-)

[eduardomozart]

Hello, Arlindo. Writing on English just to help other users out there. Did you tried to change the "Application URL" settings on Setup > General on GLPI to use HTTPS? I don't think that enforcing HTTPS is a good option to the plugin, as some provider may still use/accept HTTP or the GLPI instance of the user doesn't support HTTP (I know that it's obligatory for Google/Microsoft, but other providers may not enforce it). You may need to setup the HTTP header HTTP_X_FORWARDED_PROTO into your reverse proxy to the URL be properly handled as HTTPS.

[ArlindoFNeto]

Hi @eduardomozart, GLPI runs entirely over HTTPS, including the "Application URL" in Setup -> General. However, I suspect that the "Application URL" is used to control GLPI's base URLs, while $this->getCurrentURL() retrieves the URL inside Docker without HTTPS, since HTTPS is handled by the Reverse Proxy outside the GLPI Docker container.

But you gave me an insight, maybe the fix is to modify the plugin to avoid using $this->getCurrentURL() and instead use the Application URL.

[eduardomozart]

@ArlindoFNeto consegue testar o #103 pra ver se resolve seu problema? Certifique-se de que a "URL do aplicativo" está configurada em Configurar > Geral.

Can you test #103 to see if it solves your problem? Please make sure that "Application URL" is set into Setup > General.

[ArlindoFNeto]

Hi @eduardomozart, I think there is an error in selecting the provider. The login page button points to /plugins/singlesignon/front/callback.php/provider/Array, but in my case, the correct path should be /plugins/singlesignon/front/callback.php/provider/1. However, the issue might be related to the version. I'm using the Docker image diouxx/glpi (ID: 08472c90fa20) and just replaced the four files modified in #103. Sorry for the delay!

[eduardomozart]

Hello @ArlindoFNeto, we released the version 1.4.0 of the plug-in, please upgrade to it and check if it fixes your issue. If not, please let me know.

[ArlindoFNeto]

@eduardomozart, works like a charm! 😃