
New OAuth Redirect Bug (/login/7/); next request causes Cloudflare to block login requests


Patrick Rudman


1. Start by being logged out of both the forum and the OAuth identity provider.
2. Visit the forum directly and click "Login with ....com". You will be redirected to the identity provider login.
3. Log in to the identity provider and get redirected back to https://forum.custominvisionforum.com/login. Invision then immediately 301 redirects the user to a broken login URL that 404s (screenshot attached: forum-error-1.PNG). It 301 redirects to this example URL: https://forum.custominvisionforum.com/login/7?_processLogin=3&csrfKey=...&ref=&code=... (note the 7 at the end of the login URL path; if the "7" is removed from the URL and the page is reloaded, it immediately logs the user in).

4. The user is then prompted with an "Existing user? Please sign in" button. When they click this button after the above redirect chain, it causes Cloudflare to block the login request. Screenshot attached: forum-error-2.png. Example request URL where we see this error: https://forum.custominvisionforum.com/oauth/callback/?code=...&state=... The Cloudflare blocking issue has to be something specific to the redirects in step (3) above; if at this point the user reloads the homepage and clicks login, it logs them in with no issue.


Cloudflare Error:

403 ERROR
The request could not be satisfied.
Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

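To pin down exactly which hop in the chain above misbehaves, it helps to follow the redirects one at a time rather than letting the browser or an HTTP client auto-follow them, since an auto-following client only shows the final response and hides the 301 to /login/7 and the CDN 403. The script below is an added example for this thread; it is not code from the original post or from Invision Community. The hostname is the one from the post, but the token values (CSRFKEY, AUTHCODE), the `constructed_fetch` responses, and the assumption that the broken hop always looks like `/login/<digits>` are constructed placeholders modelled on the description, not captured traffic.

```python
"""Hop-by-hop redirect tracer for debugging an OAuth callback chain.

Added example for this thread, not code from the post or Invision Community.
Token values and the offline server responses are constructed placeholders.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit, urlunsplit

BASE = "https://forum.custominvisionforum.com"

# Assumption: the broken hop looks like /login/<digits>, optionally with a
# trailing slash, with the query string intact (the post shows /login/7?...).
SPURIOUS_LOGIN_SEGMENT = re.compile(r"^(/login)/\d+/?$")


def strip_spurious_login_segment(url):
    """Drop the stray numeric segment after /login, keeping the query string.

    This is the manual fix the post describes: remove the "7" and reload.
    """
    parts = urlsplit(url)
    m = SPURIOUS_LOGIN_SEGMENT.match(parts.path)
    if not m:
        return url
    return urlunsplit((parts.scheme, parts.netloc, m.group(1), parts.query, parts.fragment))


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow Location headers manually and record every (status, url) hop.

    fetch(url) returns (status_code, headers) with lower-cased header names.
    Stops at the first non-3xx response, a 3xx without Location, or max_hops.
    """
    chain = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        chain.append((status, url))
        location = headers.get("location")
        if not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain


def first_error_hop(chain):
    """Return the first hop with a 4xx/5xx status (e.g. the 404 or CDN 403), else None."""
    for status, url in chain:
        if status >= 400:
            return (status, url)
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """Real fetcher, for use against a site you are permitted to probe."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 3xx and 4xx/5xx both land here; for 3xx the headers carry Location.
        return err.code, {k.lower(): v for k, v in err.headers.items()}


# Constructed offline stand-in for the forum (not captured traffic), modelling
# the chain in the post: /login -> 301 -> /login/7?... -> 404, while the same
# query string on plain /login succeeds.
PROCESS_QUERY = "_processLogin=3&csrfKey=CSRFKEY&ref=&code=AUTHCODE"


def constructed_fetch(url):
    parts = urlsplit(url)
    if parts.path == "/login" and not parts.query:
        return 301, {"location": "/login/7?" + PROCESS_QUERY}
    if parts.path == "/login" and "_processLogin" in parts.query:
        return 200, {}
    if SPURIOUS_LOGIN_SEGMENT.match(parts.path):
        return 404, {}
    return 200, {}


def demo(fetch=constructed_fetch, start_url=BASE + "/login"):
    """Trace the chain, find the failing hop, retry without the stray segment."""
    chain = trace_redirects(start_url, fetch)
    bad = first_error_hop(chain)
    fixed_url = strip_spurious_login_segment(bad[1]) if bad else None
    fixed_status = fetch(fixed_url)[0] if fixed_url else None
    return chain, bad, fixed_url, fixed_status


if __name__ == "__main__":
    chain, bad, fixed_url, fixed_status = demo()
    for status, url in chain:
        print(status, url)
    print("first error hop:", bad)
    print("retry without stray segment:", fixed_status, fixed_url)
```

For a live run, call `demo(live_fetch, <the URL the identity provider sends you back to>)`; the chain will then show the 301 target and, on the second attempt, the 403 hop that the CDN returns. Redact the `csrfKey` and `code` values before posting any trace, since they are live credentials for that login attempt.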

Looking at your login page here, I am noticing that there have been some customizations done to it. I would recommend undoing those and then testing the solution here as I believe those may be influencing your issue.

We actually utilize the OAuth 2.0 process here and on many other sites, so I'd like to remove any customizations before we continue investigating.
