OAuth sign in

Hi,

I have a problem signing in into beemind.me in the last couple of days. Seems like something is wrong with the oauth flow. Everything on my end looks fine but I might be missing something. For some reason omniauth rejects the token I receive in the callback.
Here is a snippet from the log:

I, [2016-02-10T02:50:11.641143 #32255] INFO – : Started GET “/auth/beeminder/callback?code=bpxvtiart2i70gxv1axi1v0…&state=83bd03ad3c8e559f10c85c5953ae5c31077dd…” for X.X.X.X at 2016-02-10 02:50:11 +0000
I, [2016-02-10T02:50:11.891484 #32255] INFO – : Started GET “/auth/failure?message=invalid_credentials&origin=http%3A%2F%2Fbeemind.me%2F&strategy=beeminder” for X.X.X.X at 2016-02-10 02:50:11 +0000

Timestamps are in UTC timezone.

Thanks,
Gal

2 Likes

I didn’t think I was having this problem but it’s just because I was signed in the whole time. I tried signing out and sure enough, it won’t let me sign in. Yikes! @galtsubery, could you join us in our dev slack channel so we can debug together? (will email you link)

Sure

Hi Gal - I debugged this and the error I’m seeing is Parameter redirect_uri does not match registered URI. It looks like the redirect_uri you’re sending in has the params attached, e.g. https://beemind.me/auth/beeminder/callback?code=CODE&state=STATE - I believe you want to just send in https://beemind.me/auth/beeminder/callback and they should match.

2 Likes

Hi,

I also fixed a different problem yesterday, where using https:// to access beeminder lead to mismatch between configured app url (http://beemind.me) and users’ callback (https://beemind.me). This problem caused “wrong callback uri error” to be called from omniauth.
Is is possible you are looking at the wrong log lines?

I don’t have much control over the url sent. I am using omniatuh along beeminde-omniauth.
Do you think the cause of the problem is with those gems?

2 Likes

Hi Gal - I was basing this on the Beeminder server logs during my own attempts to sign in to beemind.me, so I think it’s unrelated to the http/https switch (but thanks for doing that!). It could be an issue with the beeminder omniauth strategy gem, but Urlminder is using that as well and seems to work okay… let me think about this some more.

1 Like

I’m starting to suspect it has to do with oauth2 library. It’s not trivial to downgrade that gem in the app as there is a mess of dependencies between all the oauth providers I use. Can you upgrade to oauth2 gem on Urlminder and see if you can still sign in?

The cause of the problem is omniauth-oauth2 gem behavior has changed between 1.3.1 and 1.4.0
In the later the gem sends the complete url, including the query string to the server when it tries to validate a token.
The other oauth providers I use: Google, Trello, Pocket and Quizlet don’t seem to have problem with the extra query string so it is possible beeminder’s api is not behaving according to some spec.
To reduce the likelihood of someone else encountering this problem, I opened up a pull request to make omniauth-beeminder gem depend on omniauth-oauth2 versions before 1.4.0.

3 Likes

Hi,
I login using google and for the past few days (perhaps couple of weeks) I need to authorize my google account every day (beeminder requests permission etc), even if I check the “remember me” box. Has anything changed with the google oauth? Should I just use a regular username and password? I am using Chrome (mobile works fine).

Thanks!
Giovanni

2 Likes

You’re referring to beemind.me, right? A few days ago I merged a pull request from @galtsubery which sounds like it might be related. (Btw, beemind.me is working fine for me.)

ops, no, beeminder.com, sorry I wasn’t clear

1 Like

@dreev I’m having a similar issue to @giovanni - I sign in using my Twitter account, and the signin no longer persists between sessions. I’m sure last month my signin persisted, but now I have to log in again every time I come to the website. Reading this thread it seems it may be related.

2 Likes