OAuth2+Github redirect_uri mismatch

[jakimfett]

Abstract

OAuth2 documentation needs configuration details.

Description

When configuring the OAuth2 authentication method for Github, a user is redirected to:
/user/oauth2/<authname>/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch
with a 500 error.

The problem appears to be with the callback URI not matching the redirect_uri, but I've followed the URI nomenclature from admin/auths/new.

I've set the relevant bits (eg, DISABLE_REGISTRATION = false and ENABLE_REVERSE_PROXY_AUTHENTICATION = true) in my custom/conf/app.ini, and there doesn't seem to be anything in the cheat sheet or authentication sections of the documentation about this issue, and no place to set the redirect URI from the web interface.

Ideally, this would get closed after the documentation is updated providing an entry for OAuth2 config FAQ and the 'known good' configuration would be recorded in the docs (ideally with the other auth stuff).

I can PR the docs, I just need to know why this seemingly-straighforward thing is being problematic.

Screenshots

Server Details

• Gitea version (or commit ref): 1.4.0+3-g641d481c
• Git version: 2.11.0
• Operating system: Debian GNU/Linux 9 (stretch)
• Database (use [x]):
  • PostgreSQL
  • MySQL (mariadb)
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log:
  2018/04/04 22:19:25 [I] Log Mode: File(Trace)
  2018/04/04 22:19:25 [I] XORM Log Mode: File(Trace)
  2018/04/04 22:19:25 [I] Cache Service Enabled
  2018/04/04 22:19:25 [I] Session Service Enabled
  2018/04/04 22:19:25 [I] Git Version: 2.11.0
  2018/04/04 22:19:25 [T] Doing: CheckRepoStats
  2018/04/04 22:19:25 [T] Doing: ArchiveCleanup
  2018/04/04 22:19:25 [T] Doing: DeletedBranchesCleanup
  2018/04/04 22:19:25 [I] Run Mode: Production
  2018/04/04 22:19:25 [I] Listen: https://0.0.0.0:<port,redacted>
  2018/04/04 22:19:25 [I] LFS server enabled
  2018/04/04 22:19:31 [D] Session ID: cde9
  2018/04/04 22:19:31 [D] CSRF Token: ==
  2018/04/04 22:19:31 [D] Template: user/auth/signin
  2018/04/04 22:19:32 [D] Session ID: cde9
  2018/04/04 22:19:32 [D] CSRF Token: ==
  2018/04/04 22:19:33 [D] Session ID: cde9
  2018/04/04 22:19:33 [D] CSRF Token: ==
  2018/04/04 22:19:33 [...routers/user/auth.go:407 handleOAuth2SignIn()] [E] UserSignIn: Invalid token received from provider
  2018/04/04 22:19:33 [D] Template: status/500

[hnsr]

What's your ROOT_URL set to? I ran into the same problem (including the somewhat misleading 'Invalid token received...' error), but found out I had my ROOT_URL set to http://foo, while I had actually already moved it to https via apache httpd (which is reverse proxying to gitea). Changing my ROOT_URL to https://foo fixed the issue

[techknowlogick]

Closing, please re-open if you still experience this.

[teotikalki]

I came here because I experienced this and found that the answer from @hnsr solved my problem.
However, I didn't find a way to change my ROOT_URL from the frontend (there really should be).