Jump to content

New OAuth Redirect Bug (/login/7/).., next request causes Cloudflare to block login requests


Recommended Posts

1. Start by being logged out of both the forum and oauth identity provider. 
2. Visit forum directly, click "Login with ....com". You will be redirected to a identity provider login 
3. Login to the identity provider, get redirected back to https://forum.custominvisionforum.com/login , then Invision immediately 301 redirects the user to a broken login URL that 404s (screenshot attached forum-error-1.PNG), it 301 redirects to this example URL: https://forum.custominvisionforum.com/login/7?_processLogin=3&csrfKey=...&ref=&code=...   (note the 7 at the end of login URL path.. if the "7" is removed from the URL and reload page, it immediately logs the user in). 

4. The user is then prompted with a "Existing user? Please sign in" button .. When they click this button, after above redirect chain, it causes CloudFlare to block the login request.  Screenshot attached, forum-error-2.png.  Example Request URL where we see this error: https://forum.custominvisionforum.com/oauth/callback/?code=...&state=...  The cloudflare blocking issue has to be something specific to the redirects in step (3) above -- if at this point the user reloads the homepage and clicks login, it logins them in no issue.

 

Cloudflare Error:

403 ERROR
The request could not be satisfied.
Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

 

Could contain: Page, Text

Could contain: Page, Text

Link to comment
Share on other sites

Looking at your login page here, I am noticing that there have been some customizations done to it. I would recommend undoing those and then testing the solution here as I believe those may be influencing your issue.

We actually utilize the OATUH 2.0 process here and many other sites so I'd like to remove any customizations before we continue investigating.

Link to comment
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...