Skip to content

Wrong provider selected with simulatenously active oauth flows? #57

Description

@gerdint

I have two providers configured (Google and FB, config passed through aero at runtime):

{:google
 {:authorize-uri "https://accounts.google.com/o/oauth2/auth"
  :access-token-uri "https://oauth2.googleapis.com/token"
  :client-id #profile {:dev  "<<id>>"
                       :prod "<<id>>"}
  :client-secret #env GOOGLE_OAUTH2_CLIENT_SECRET
  :scopes ["openid" "profile" "email"]
  :launch-uri "/oauth/login/google"
  ;; N.B: Relative URL redirects to HTTP due to proxy forwarding
  :redirect-uri #profile {:dev "/oauth/google/callback"
                          ;; Force HTTPS
                          :prod "https://my.app/oauth/google/callback"}
  ;; Use absolute URL to load-balancer in order to get XFWD headers
  :landing-uri #profile {:dev "http://localhost:3000/oauth/done/google"
                         :prod "https://my.app/oauth/done/google"}
  :display-name "Google"}
 :facebook
 {:authorize-uri "https://www.facebook.com/v17.0/dialog/oauth"
  :access-token-uri "https://graph.facebook.com/v17.0/oauth/access_token"
  :client-id #profile {:dev "<<id>>"
                       :test "<<id>>"
                       :prod "<<id>>"}
  :client-secret #profile {:dev #env FACEBOOK_OAUTH2_APP_DEV_SECRET
                           :test #env FACEBOOK_OAUTH2_APP_DEV_SECRET
                           :prod #env FACEBOOK_OAUTH2_APP_SECRET}
  :scopes ["openid" "email"]
  :launch-uri "/oauth/login/facebook"
  :redirect-uri #profile {:dev "http://localhost:3000/oauth/facebook/callback"
                          ;; Force HTTPS
                          :prod "https://my.app//oauth/facebook/callback"}
  :landing-uri #profile {:dev "http://localhost:3000/oauth/done/facebook"
                         :prod "https://my.app//oauth/done/facebook"}
  :display-name "Facebook"}}

As long as users stick to one provider only things work fine. But when trying to authorize through (say) Facebook while still previously authorized through Google ring-oauth2 sometimes (?) seems to put the wrong provider under the request :oauth2/access-tokens key while still redirecting to the Facebook landing uri.

Am I misunderstanding how the interaction between multiple providers are supposed to work? This case seems less complicated than the ones described in issue #52, though may be a symptom of the same underlying issue? If I delete the whole session manually before starting the second authorization flow things seems to work, but I'd like to understand why.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions