OIDC Login error: (insecure_transport) OAuth 2 MUST utilize https
So, I built myself a terrareg container today from current HEAD on the main branch.
It's deployed with the following ENV vars via docker compose:
version: '3'
networks:
  gitea:
    external: false
services:
  terrareg:
    image: git.home.lynxcore.org/homelab/terrareg/terrareg:latest
    container_name: "terrareg"
    restart: unless-stopped
    environment:
      - MIGRATE_DATABASE=True
      - SECRET_KEY=YEAHNO
      - PUBLIC_URL=https://terraform.home.lynxcore.org
      - DOMAIN_NAME=https://terraform.home.lynxcore.org
      - OPENID_CONNECT_CLIENT_ID=STILLNO
      - OPENID_CONNECT_CLIENT_SECRET=NICETRY
      - OPENID_CONNECT_ISSUER=https://auth.home.lynxcore.org/application/o/terrareg/
      - OPENID_CONNECT_SCOPES=openid,profile,email,groups
      - AUTO_CREATE_NAMESPACE=False
      - AUTO_CREATE_MODULE_PROVIDER=False
      - UPLOAD_API_KEYS=ASIF
      - PUBLISH_API_KEYS=INYOURDREAMS
    ports:
      - "127.0.0.1:5000:5000"
    volumes:
      - /srv/docker/code/terrareg:/app/data
    networks:
      - gitea
    healthcheck:
      test: curl --fail http://localhost:5000 || exit 1
      interval: 5s
      retries: 30
      start_period: 30s
      timeout: 10s
When trying to log in, my IdP (authentik) authenticates me just fine, but I get an "Invalid response from SSO" error.
Now, after digging into this for a few hours with DEBUG=true etc., I managed to coax out an error message by changing line 39 (error_description) in terrareg/server/api/open_id_callback.py to
res = make_response(
    render_template(
        "error.html",
        error_title="Login error",
        error_description=f"""Invalid response from SSO for url {request.url} | {exc}""",  # this is what I changed
    )
)
With that I get the following error:
Invalid response from SSO for url http://terraform.home.lynxcore.org/openid/callback?code=REDACTED&state=REDACTED | (insecure_transport) OAuth 2 MUST utilize https.
I then proceeded to see where the hell the "http" comes from - no dice. I just can't find it.
I verified that everything works IdP-Wise by setting OAUTHLIB_INSECURE_TRANSPORT=1
in my docker-compose.yml, and I can log in just fine.
Something in the depths of the OIDC implementation here overwrites the protocol to http, and I can't find it.
Setup-wise I have HAProxy before terrareg, and HAProxy terminates SSL for me.
Complete HAProxy config if it's relevant:
global
    chroot /usr/share/haproxy
    daemon
    group haproxy
    log 127.0.0.1 local0
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets
    stats timeout 30s
    tune.ssl.default-dh-param 2048
    user haproxy

defaults
    log global
    maxconn 2000
    mode http
    option http-server-close
    option httplog
    option dontlognull
    option redispatch
    option srvtcpka
    option clitcpka
    retries 3
    timeout http-request 10s
    timeout client 20s
    timeout connect 4s
    timeout server 2m
    timeout http-keep-alive 4s
    timeout tunnel 2m
    timeout client-fin 1s
    timeout server-fin 1s
    timeout check 10s
    timeout queue 1m

frontend main
    bind :443 ssl crt /etc/haproxy/ssl
    bind :80
    mode http
    acl terraform hdr(host) -i terraform.home.lynxcore.org
    default_backend terraform
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request redirect scheme https code 301 unless { ssl_fc }
    log-format %ci\ "%r"\ %ST\ %B\ "%hr"
    option forwardfor except 127.0.0.1/8
    option httplog
    option dontlognull
    use_backend terraform if terraform

listen stats
    bind 127.0.0.1:9001
    stats enable
    stats show-legends
    stats uri /
    stats realm haproxy\ statistics
    stats admin if TRUE

backend terraform
    balance roundrobin
    mode http
    server terraform 127.0.0.1:5000 check
I'm at my wit's end. Any takers?
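The mechanism behind the error, as an added illustration that is not part of the post or of terrareg: HAProxy forwards the request to 127.0.0.1:5000 over plain HTTP and only signals the original scheme in X-Forwarded-Proto, so a WSGI app that does not consult that header reconstructs request.url as http:// and oauthlib rejects it. The standard-library middleware below is a hypothetical, simplified stand-in for werkzeug's ProxyFix (not its real code); it honors the header only when the peer is the configured proxy, since any client can send that header itself.

```python
"""Hypothetical stand-in for werkzeug's ProxyFix, standard library only."""
from wsgiref.util import request_uri


class ForwardedProtoFix:
    """Rewrite wsgi.url_scheme from X-Forwarded-Proto, but only when the
    request actually came from the TLS-terminating proxy."""

    def __init__(self, app, trusted_proxies=("127.0.0.1",)):
        self.app = app
        self.trusted_proxies = set(trusted_proxies)

    def __call__(self, environ, start_response):
        # Take the first value; some proxies append to an existing header.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        # Untrusted clients can set this header too, so the peer address must
        # match the proxy before the header is believed.
        if environ.get("REMOTE_ADDR") in self.trusted_proxies and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def callback_app(environ, start_response):
    """Stand-in for the /openid/callback handler: echo the URL it would see,
    which is what Flask's request.url is built from."""
    url = request_uri(environ, include_query=True)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def make_environ(remote_addr, forwarded_proto=None):
    """Constructed WSGI environ for a request the proxy forwarded over plain
    HTTP to 127.0.0.1:5000, as in the compose file above."""
    environ = {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/openid/callback",
        "QUERY_STRING": "code=REDACTED&state=REDACTED",
        "SERVER_NAME": "terraform.home.lynxcore.org",
        "SERVER_PORT": "5000",
        "HTTP_HOST": "terraform.home.lynxcore.org",
        "REMOTE_ADDR": remote_addr,
        "wsgi.url_scheme": "http",  # what the container sees on the wire
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def reconstructed_url(app, remote_addr, forwarded_proto=None):
    """Run one request through a WSGI app and return the URL it reconstructed."""
    body = app(make_environ(remote_addr, forwarded_proto), lambda status, headers: None)
    return b"".join(body).decode()
```

Without the middleware the app reports the http:// URL from the post even though HAProxy sent X-Forwarded-Proto: https; with it, the scheme is https only for requests arriving from 127.0.0.1.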