Gitlab OAUTH_CALLBACK_ERROR invalid_client #321

sgohl · 2024-07-31T16:24:16Z

Describe the bug

After successful login to gitlab, redirect to phase results in error=OAuthCallback / invalid_client

To Reproduce

fresh setup with docker compose using https://docs.phase.dev/self-hosting/docker-compose#2-download-the-configurations
gitlab as sso (self-hosted, v17.2.1)
external loadbalancer (traefik) -> https(ignore self-signed; pass_host_header=true) -> docker:nginx:443

HOST=pass.myacme.corp
HTTP_PROTOCOL=https://
SSO_PROVIDERS=gitlab
GITLAB_CLIENT_ID=e8d0df22dbe15xxxxxxxxxxxxxxxxxxx485aeeec2fcb1bd718ea
GITLAB_CLIENT_SECRET=gloas-2ff8a719c54xxxxxxxxxxxxxxxxxxd86c13b6336a61fd06796e1
GITLAB_AUTH_URL=https://gitlab.myacme.corp

Gitlab (Admin area/instance-wide) Application:

Redirect URI: https://phase.myacme.corp/api/auth/callback/gitlab
Trusted [ ✔ ]
Confidential [ ] (with or without; not working)
read_user [ ✔ ]

Open Phase Login page
Click on 'Login with GitLab'
Be redirected to GitLab -> Login -> successful
Be redirected back to Phase -> shows same Login page with URL https://phase.myacme.corp/login?callbackUrl=https%3A%2F%phase.myacme.corp%2F&error=OAuthCallback

docker compose logs -f

phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:09 +0000] "GET / HTTP/2.0" 307 32 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:10 +0000] "GET /api/auth/signin?callbackUrl=%2F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:10 +0000] "GET /login?callbackUrl=https%3A%2F%2Fphase.myacme.corp%2F HTTP/2.0" 200 3647 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"

## --- LOGIN HERE -- ##

phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:08:58 +0000] "POST /api/auth/signin/gitlab HTTP/2.0" 200 383 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-frontend  | [next-auth][error][OAUTH_CALLBACK_ERROR] 
phase-frontend  | https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.) {
phase-frontend  |   error: OPError: invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)
phase-frontend  |       at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
phase-frontend  |       at Client.grant (/app/node_modules/openid-client/lib/client.js:1327:22)
phase-frontend  |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
phase-frontend  |       at async Client.oauthCallback (/app/node_modules/openid-client/lib/client.js:603:24)
phase-frontend  |       at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:111:16)
phase-frontend  |       at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
phase-frontend  |       at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
phase-frontend  |       at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
phase-frontend  |       at async K (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:16853)
phase-frontend  |       at async U.render (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:17492) {
phase-frontend  |     name: 'OAuthCallbackError',
phase-frontend  |     code: undefined
phase-frontend  |   },
phase-frontend  |   providerId: 'gitlab',
phase-frontend  |   message: 'invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)'
phase-frontend  | }
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:08:59 +0000] "GET /api/auth/callback/gitlab?code=3161d2622ef1f66162089127d940912537feb186e7800c898d4348566874f430&state=LpaRDSWebzSDKQt2_EWU7yB9OWHYLVHr6JZZSnW5fGQ HTTP/2.0" 302 0 "https://gitlab.myacme.corp/" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:57 +0000] "GET /api/auth/error?error=OAuthCallback HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:57 +0000] "GET /api/auth/signin?error=OAuthCallback HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:58 +0000] "GET /login?callbackUrl=https%3A%2F%2Fphase.myacme.corp%2F&error=OAuthCallback HTTP/2.0" 200 3647 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"

Expected behavior

Successful Login

Platform you are having the issue on:

docker version 24.0.5

Additional context

I assume this is not an actual bug, but if it's a configuration issue, I don't know what I've done wrong.
Documentation might lack an important information

The text was updated successfully, but these errors were encountered:

rohan-chaturvedi · 2024-07-31T16:32:17Z

Hey @sgohl , this is usually due to the BACKEND_API_BASE env var being either incorrectly set or unresolvable. This variable should be the internal hostname for the phase-backend container. You may also want to check your traefik setup to make sure that phase-frontend can make requests to phase-backend.

sgohl · 2024-08-16T08:22:13Z

Hi, thanks for your answer!

If I understand correctly, phase-frontend only needs to make requests to phase-backend internally (not from browser) - this works already by default because docker.

traefik is not involved here, since it's only the external loadbalancer for TLS termination for the users to get access to the frontend. I assume this is the case for 99% of all users having a reverse proxy in front of the frontend to provide a real domain with ssl.

so, container to container works:

~/phase > docker compose exec -it frontend  bash
4663834a9556:/app$ echo $BACKEND_API_BASE
http://backend:8000
4663834a9556:/app$ curl $BACKEND_API_BASE -I
HTTP/1.1 404 Not Found
Server: gunicorn

Since the service backend has no port definition in docker, I assume it does not need to be accessed by browser; is that right?

rohan-chaturvedi · 2024-09-17T05:31:22Z

@sgohl Sorry for the delay getting back to you. The backend does indeed need to be access by the browser, for client-side api calls. In our standard nginx setup, the /service path is used to direct requests to the backend:

console/nginx/default.conf

Line 8 in 70dae3f

location /service/ {

sgohl · 2024-09-17T11:27:27Z

@rohan-chaturvedi not a problem at all, thanks for responding anyway!

so, BACKEND_API_BASE which is http://backend:8000 is accessible from phase-frontend container - not from any browser obviously.

From Browser-side, NEXT_PUBLIC_BACKEND_API_BASE which is https://pass.myacme.corp/service is accessible:

> curl -I https://pass.myacme.corp/service/
HTTP/2 404 
server: nginx/1.27.0

phase-nginx  | 192.168.55.197 - - [17/Sep/2024:11:16:38 +0000] "HEAD /service/ HTTP/2.0" 404 0 "-" "curl/7.82.0" "192.168.61.52"

What not works is the login redirect mechanism:

/api/auth/callback/gitlab?code=c1b70cxxx&state=CBQO3xxx (302 with location: https://pass.myacme.corp/api/auth/error?error=OAuthCallback)
twice: /api/auth/error?error=OAuthCallback (302 with location https://pass.myacme.corp/api/auth/signin?error=OAuthCallback)

as far as I see, all environment variables are set correctly:

  frontend:
    environment:
      BACKEND_API_BASE: http://backend:8000
      NEXT_PUBLIC_BACKEND_API_BASE: https://pass.myacme.corp/service
      NEXTAUTH_URL: https://pass.myacme.corp

  backend:
    environment:
      OAUTH_REDIRECT_URI: https://pass.myacme.corp
      SSO_PROVIDERS: gitlab

something else I could check?

rohan-chaturvedi · 2024-09-17T12:30:57Z

Your setup seems to be correct and I don't see any obvious issues. I assume you have GITLAB_CLIENT_ID and GITLAB_CLIENT_SECRET available to the backend container.

Could you verify that the backend is up and healthy by opening https://pass.myacme.corp/service/health/ (note the trailing slash) in the browser or via curl? You should get the JSON response:

{"status": "alive"}

Apkahym · 2024-09-17T15:45:33Z

Hi, I have the same issue, but with github... can i help with any additional info?

rohan-chaturvedi · 2024-09-18T06:23:03Z

@Apkahym Could you could share the details of your setup including:

nginx / traefik config
environment config
frontend container logs
verify that /service/health/ returns a json response as mentioned in the previous comment.

Also you can add the DEBUG=True env var to get more verbose logs. @sgohl you may want to try this as well

Apkahym · 2024-09-18T14:12:04Z

I'm running Docker Compose, as the docs say.

When i try to login, screen not change but the url change to

https://localhost/login?callbackUrl=https%3A%2F%2Flocalhost%2F&error=Callback

Docker Version: Docker version 24.0.7, build afdd53b
PC: Mac M1 Pro
OS: Sonoma Versión 14.2 (23C64)

Health endpoint it is ok

GET https://localhost/service/health/

{"status": "alive"}

Github App Config

I only use the callback URL, I don't configure the other options

Callback URL: https://localhost/api/auth/callback/github

Docker compose file

services:
  nginx:
    container_name: phase-nginx
    build:
      context: .
      dockerfile: ./nginx/Dockerfile
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - frontend
      - backend
    networks:
      - phase-net

  frontend:
    container_name: phase-frontend
    restart: unless-stopped
    depends_on:
      - backend
    image: phasehq/frontend:latest
    env_file: .env
    environment:
      NEXTAUTH_URL: "${HTTP_PROTOCOL}${HOST}"
      BACKEND_API_BASE: "http://backend:8000"
      NEXT_PUBLIC_BACKEND_API_BASE: "${HTTP_PROTOCOL}${HOST}/service/"
      NEXT_PUBLIC_NEXTAUTH_PROVIDERS: "${SSO_PROVIDERS}"
    networks:
      - phase-net

  backend:
    container_name: phase-backend
    restart: unless-stopped
    depends_on:
      - postgres
      - redis
    image: phasehq/backend:latest
    env_file: .env
    environment:
      OAUTH_REDIRECT_URI: "${HTTP_PROTOCOL}${HOST}"
      ALLOWED_HOSTS: "${HOST},backend"
      ALLOWED_ORIGINS: "${HTTP_PROTOCOL}${HOST}"
      SESSION_COOKIE_DOMAIN: "${HOST}"
    networks:
      - phase-net

  worker:
    container_name: phase-worker
    restart: unless-stopped
    depends_on:
      - postgres
      - redis
    image: phasehq/backend:latest
    command: python manage.py rqworker default
    env_file: .env
    environment:
      ALLOWED_HOSTS: "${HOST},backend"
      ALLOWED_ORIGINS: "${HTTP_PROTOCOL}${HOST}"
      SESSION_COOKIE_DOMAIN: "${HOST}"
    networks:
      - phase-net

  postgres:
    container_name: phase-postgres
    image: postgres:15.4-alpine3.17
    restart: always
    env_file:
      - .env
    environment:
      POSTGRES_DB: ${DATABASE_NAME}
      POSTGRES_USER: ${DATABASE_USER}
      POSTGRES_PASSWORD: ${DATABASE_PASSWORD}
      POSTGRES_HOST_AUTH_METHOD: "trust"

    volumes:
      - phase-postgres-data:/var/lib/postgresql/data
    networks:
      - phase-net

  redis:
    container_name: phase-redis
    image: redis:alpine3.19
    restart: always
    networks:
      - phase-net

volumes:
  phase-postgres-data:
    driver: local

networks:
  phase-net:

.env

HOST=localhost
HTTP_PROTOCOL=https://
DEBUG=true
#USER_EMAIL_DOMAIN_WHITELIST=mydomain.com,subdomain.mydomain.com

NEXTAUTH_SECRET=82031b3760ac58352bb2d48fd9f32e9f72a0614343b669038139f18652ed1447
SECRET_KEY=92d44efc4f9a4c0556cc67d2d033d3217829c263d5ab7d1954cf4b5bfd533e58
SERVER_SECRET=9e760539415af07b22249b5878593bd4deb9b8961c7dd0570117549f2c4f32a2

SSO_PROVIDERS=github

#GOOGLE_CLIENT_ID=
#GOOGLE_CLIENT_SECRET=

GITHUB_CLIENT_ID=Iv*****************62M
GITHUB_CLIENT_SECRET=d8d*******************************1de614

#GITLAB_CLIENT_ID=
#GITLAB_CLIENT_SECRET=

#GITHUB_INTEGRATION_CLIENT_ID=
#GITHUB_INTEGRATION_CLIENT_SECRET=

DATABASE_PORT=5432
DATABASE_NAME=postgres-db-name
DATABASE_USER=postgres-user
DATABASE_PASSWORD=a765b221799be364c53c8a32acccf5dd90d5fc832607bdd14fccaaaa0062adfd

REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

NEXT_TELEMETRY_DISABLED=1

Nginx Dockerfile

FROM nginx
RUN apt-get update && \
    apt-get install -y openssl && \
    mkdir -p /etc/nginx/ssl && \
    openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/nginx/ssl/nginx.key && \
    openssl req -new -x509 -sha256 -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -days 365 \
        -subj "/C=SG/ST=Wordwideweb/L=The Cloud/CN=example.com" \

Nginx Conf

server {
   listen 80;
   listen 443 ssl;

   ssl_certificate /etc/nginx/ssl/nginx.crt;
   ssl_certificate_key /etc/nginx/ssl/nginx.key;
   
   location /service/ {
       rewrite ^/service/(.*) /$1 break;

       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

       proxy_set_header Host $http_host;
       proxy_set_header X-NginX-Proxy true;

       proxy_pass http://backend:8000;
       proxy_redirect off;

       proxy_cookie_path / "/; HttpOnly; SameSite=strict";

       proxy_buffers 16 32k;
       proxy_buffer_size 64k;
       proxy_busy_buffers_size 128k;
   }
   
   location /kms/ {
       rewrite ^/kms/(.*) /kms/$1 break;

       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

       proxy_set_header Host $http_host;
       proxy_set_header X-NginX-Proxy true;

       proxy_pass http://backend:8000;
       proxy_redirect off;

       proxy_cookie_path / "/; HttpOnly; SameSite=strict";

       proxy_buffers 16 32k;
       proxy_buffer_size 64k;
       proxy_busy_buffers_size 128k;
   }

   location / {
       include /etc/nginx/mime.types;

       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

       proxy_set_header Host $http_host;
       proxy_set_header X-NginX-Proxy true;

       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";

       proxy_pass http://frontend:3000;
       proxy_redirect off;

       proxy_buffers 16 32k;
       proxy_buffer_size 64k;
       proxy_busy_buffers_size 128k;
   }
}

Logs

Backend

Operations to perform:
  Apply all migrations: account, admin, api, auth, authtoken, contenttypes, django_rq, logs, sessions, sites, socialaccount
Running migrations:
  No migrations to apply.
[2024-09-18 13:54:56 +0000] [1] [INFO] Starting gunicorn 22.0.0
[2024-09-18 13:54:56 +0000] [1] [INFO] Listening at: http://0.0.0.0:8000 (1)
[2024-09-18 13:54:56 +0000] [1] [INFO] Using worker: sync
[2024-09-18 13:54:56 +0000] [8] [INFO] Booting worker with pid: 8
[2024-09-18 13:54:56 +0000] [9] [INFO] Booting worker with pid: 9
[2024-09-18 13:54:56 +0000] [10] [INFO] Booting worker with pid: 10
2024-09-18 13:56:11,479 WARNING [django.request:241] log 10 281473466109184 Bad Request: /social/login/github/

Frontend

▲ Next.js 14.2.3
  - Local:        http://localhost:3000
  - Network:      http://0.0.0.0:3000

 ✓ Starting...
 ✓ Ready in 64ms
AxiosError: Request failed with status code 400
    at settle (file:///app/node_modules/axios/lib/core/settle.js:19:12)
    at IncomingMessage.handleStreamEnd (file:///app/node_modules/axios/lib/adapters/http.js:599:11)
    at IncomingMessage.emit (node:events:530:35)
    at endReadableNT (node:internal/streams/readable:1696:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
    at Axios.request (file:///app/node_modules/axios/lib/core/Axios.js:45:41)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.jwt (/app/.next/server/pages/api/auth/[...nextauth].js:1:2745)
    at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:135:25)
    at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
    at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
    at async K (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:16853)
    at async U.render (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:17492)
    at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:600:9)
    at async NextNodeServer.handleCatchallRenderRequest (/app/node_modules/next/dist/server/next-server.js:269:37) {
  code: 'ERR_BAD_REQUEST',
  config: {
    transitional: {
      silentJSONParsing: true,
      forcedJSONParsing: true,
      clarifyTimeoutError: false
    },
    adapter: [ 'xhr', 'http', 'fetch' ],
    transformRequest: [ [Function: transformRequest] ],
    transformResponse: [ [Function: transformResponse] ],
    timeout: 0,
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    maxBodyLength: -1,
    env: { FormData: [Function], Blob: [class Blob] },
    validateStatus: [Function: validateStatus],
    headers: Object [AxiosHeaders] {
      Accept: 'application/json, text/plain, */*',
      'Content-Type': 'application/json',
      'User-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0',
      'X-forwarded-for': '192.168.65.1',
      'Content-Length': '59',
      'Accept-Encoding': 'gzip, compress, deflate, br'
    },
    withCredentials: true,
    method: 'post',
    url: 'http://backend:8000/social/login/github/',
    data: '{"access_token":"ghu_KSWnVi36YoOWWn10HgTfTVRJ6L0MYO0iGE9I"}'
  },
  request: <ref *1> ClientRequest {
    _events: [Object: null prototype] {
      abort: [Function (anonymous)],
      aborted: [Function (anonymous)],
      connect: [Function (anonymous)],
      error: [Function (anonymous)],
      socket: [Function (anonymous)],
      timeout: [Function (anonymous)],
      finish: [Function: requestOnFinish]
    },
    _eventsCount: 7,
    _maxListeners: undefined,
    outputData: [],
    outputSize: 0,
    writable: true,
    destroyed: false,
    _last: false,
    chunkedEncoding: false,
    shouldKeepAlive: false,
    maxRequestsOnConnectionReached: false,
    _defaultKeepAlive: true,
    useChunkedEncodingByDefault: true,
    sendDate: false,
    _removedConnection: false,
    _removedContLen: false,
    _removedTE: false,
    strictContentLength: false,
[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] 
https://next-auth.js.org/errors#oauth_callback_handler_error undefined Backend error
    _contentLength: '59',
    _hasBody: true,
    _trailer: '',
    finished: true,
    _headerSent: true,
    _closed: false,
    socket: Socket {
      connecting: false,
      _hadError: false,
      _parent: null,
      _host: 'backend',
      _closeAfterHandlingError: false,
      _events: [Object],
      _readableState: [ReadableState],
      _writableState: [WritableState],
      allowHalfOpen: false,
      _maxListeners: undefined,
      _eventsCount: 7,
      _sockname: null,
      _pendingData: null,
      _pendingEncoding: '',
      server: null,
      _server: null,
      timeout: 5000,
      parser: null,
      _httpMessage: [Circular *1],
      [Symbol(async_id_symbol)]: 7512,
      [Symbol(kHandle)]: [TCP],
      [Symbol(lastWriteQueueSize)]: 0,
      [Symbol(timeout)]: Timeout {
        _idleTimeout: 5000,
        _idlePrev: [TimersList],
        _idleNext: [Timeout],
        _idleStart: 75756,
        _onTimeout: [Function: bound ],
        _timerArgs: undefined,
        _repeat: null,
        _destroyed: false,
        [Symbol(refed)]: false,
        [Symbol(kHasPrimitive)]: false,
        [Symbol(asyncId)]: 7511,
        [Symbol(triggerId)]: 7506,
        [Symbol(kResourceStore)]: undefined,
        [Symbol(kResourceStore)]: undefined
      },
      [Symbol(kBuffer)]: null,
      [Symbol(kBufferCb)]: null,
      [Symbol(kBufferGen)]: null,
      [Symbol(shapeMode)]: true,
      [Symbol(kCapture)]: false,
      [Symbol(kSetNoDelay)]: true,
      [Symbol(kSetKeepAlive)]: true,
      [Symbol(kSetKeepAliveInitialDelay)]: 60,
      [Symbol(kBytesRead)]: 0,
      [Symbol(kBytesWritten)]: 0
    },
    _header: 'POST /social/login/github/ HTTP/1.1\r\n' +
      'Accept: application/json, text/plain, */*\r\n' +
      'Content-Type: application/json\r\n' +
      'User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0\r\n' +
      'X-forwarded-for: 192.168.65.1\r\n' +
      'Content-Length: 59\r\n' +
      'Accept-Encoding: gzip, compress, deflate, br\r\n' +
      'Host: backend:8000\r\n' +
      'Connection: keep-alive\r\n' +
      '\r\n',
    _keepAliveTimeout: 0,
    _onPendingData: [Function: nop],
    agent: Agent {
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      defaultPort: 80,
      protocol: 'http:',
      options: [Object: null prototype],
      requests: [Object: null prototype] {},
      sockets: [Object: null prototype],
      freeSockets: [Object: null prototype] {},
      keepAliveMsecs: 1000,
      keepAlive: true,
      maxSockets: Infinity,
      maxFreeSockets: 256,
      scheduling: 'lifo',
      maxTotalSockets: Infinity,
      totalSocketCount: 1,
      [Symbol(shapeMode)]: false,
      [Symbol(kCapture)]: false
    },
    socketPath: undefined,
    method: 'POST',
    maxHeaderSize: undefined,
    insecureHTTPParser: undefined,
    joinDuplicateHeaders: undefined,
    path: '/social/login/github/',
    _ended: true,
    res: IncomingMessage {
      _events: [Object],
      _readableState: [ReadableState],
      _maxListeners: undefined,
      socket: [Socket],
      httpVersionMajor: 1,
      httpVersionMinor: 1,
      httpVersion: '1.1',
      complete: true,
      rawHeaders: [Array],
      rawTrailers: [],
      joinDuplicateHeaders: undefined,
      aborted: false,
      upgrade: false,
      url: '',
      method: null,
      statusCode: 400,
      statusMessage: 'Bad Request',
      client: [Socket],
      _consuming: false,
      _dumped: false,
      req: [Circular *1],
      _eventsCount: 4,
      responseUrl: 'http://backend:8000/social/login/github/',
      redirects: [],
      [Symbol(shapeMode)]: true,
      [Symbol(kCapture)]: false,
      [Symbol(kHeaders)]: [Object],
      [Symbol(kHeadersCount)]: 22,
      [Symbol(kTrailers)]: null,
      [Symbol(kTrailersCount)]: 0
    },
    aborted: false,
    timeoutCb: [Function: emitRequestTimeout],
    upgradeOrConnect: false,
    parser: null,
    maxHeadersCount: null,
    reusedSocket: false,
    host: 'backend',
    protocol: 'http:',
    _redirectable: Writable {
      _events: [Object],
      _writableState: [WritableState],
      _maxListeners: undefined,
      _options: [Object],
      _ended: true,
      _ending: true,
      _redirectCount: 0,
      _redirects: [],
      _requestBodyLength: 59,
      _requestBodyBuffers: [],
      _eventsCount: 3,
      _onNativeResponse: [Function (anonymous)],
      _currentRequest: [Circular *1],
      _currentUrl: 'http://backend:8000/social/login/github/',
      [Symbol(shapeMode)]: true,
      [Symbol(kCapture)]: false
    },
    [Symbol(shapeMode)]: false,
    [Symbol(kCapture)]: false,
    [Symbol(kBytesWritten)]: 0,
    [Symbol(kNeedDrain)]: false,
    [Symbol(corked)]: 0,
    [Symbol(kOutHeaders)]: [Object: null prototype] {
      accept: [Array],
      'content-type': [Array],
      'user-agent': [Array],
      'x-forwarded-for': [Array],
      'content-length': [Array],
      'accept-encoding': [Array],
      host: [Array]
    },
    [Symbol(errored)]: null,
    [Symbol(kHighWaterMark)]: 16384,
    [Symbol(kRejectNonStandardBodyWrites)]: false,
    [Symbol(kUniqueHeaders)]: null
  },
  response: {
    status: 400,
    statusText: 'Bad Request',
    headers: Object [AxiosHeaders] {
      server: 'gunicorn',
      date: 'Wed, 18 Sep 2024 13:56:11 GMT',
      connection: 'close',
      'content-type': 'text/html; charset=utf-8',
      vary: 'Accept, Origin',
      allow: 'POST, OPTIONS',
      'x-frame-options': 'DENY',
      'content-length': '0',
      'x-content-type-options': 'nosniff',
      'referrer-policy': 'same-origin',
      'cross-origin-opener-policy': 'same-origin'
    },
    config: {
      transitional: [Object],
      adapter: [Array],
      transformRequest: [Array],
      transformResponse: [Array],
      timeout: 0,
      xsrfCookieName: 'XSRF-TOKEN',
      xsrfHeaderName: 'X-XSRF-TOKEN',
      maxContentLength: -1,
      maxBodyLength: -1,
      env: [Object],
      validateStatus: [Function: validateStatus],
      headers: [Object [AxiosHeaders]],
      withCredentials: true,
      method: 'post',
      url: 'http://backend:8000/social/login/github/',
      data: '{"access_token":"ghu_KSWnVi36YoOWWn10HgTfTVRJ6L0MYO0iGE9I"}'
    },
    request: <ref *1> ClientRequest {
      _events: [Object: null prototype],
      _eventsCount: 7,
      _maxListeners: undefined,
      outputData: [],
      outputSize: 0,
      writable: true,
      destroyed: false,
      _last: false,
      chunkedEncoding: false,
      shouldKeepAlive: false,
      maxRequestsOnConnectionReached: false,
      _defaultKeepAlive: true,
      useChunkedEncodingByDefault: true,
      sendDate: false,
      _removedConnection: false,
      _removedContLen: false,
      _removedTE: false,
      strictContentLength: false,
      _contentLength: '59',
      _hasBody: true,
      _trailer: '',
      finished: true,
      _headerSent: true,
      _closed: false,
      socket: [Socket],
      _header: 'POST /social/login/github/ HTTP/1.1\r\n' +
        'Accept: application/json, text/plain, */*\r\n' +
        'Content-Type: application/json\r\n' +
        'User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0\r\n' +
        'X-forwarded-for: 192.168.65.1\r\n' +
        'Content-Length: 59\r\n' +
        'Accept-Encoding: gzip, compress, deflate, br\r\n' +
        'Host: backend:8000\r\n' +
        'Connection: keep-alive\r\n' +
        '\r\n',
      _keepAliveTimeout: 0,
      _onPendingData: [Function: nop],
      agent: [Agent],
      socketPath: undefined,
      method: 'POST',
      maxHeaderSize: undefined,
      insecureHTTPParser: undefined,
      joinDuplicateHeaders: undefined,
      path: '/social/login/github/',
      _ended: true,
      res: [IncomingMessage],
      aborted: false,
      timeoutCb: [Function: emitRequestTimeout],
      upgradeOrConnect: false,
      parser: null,
      maxHeadersCount: null,
      reusedSocket: false,
      host: 'backend',
      protocol: 'http:',
      _redirectable: [Writable],
      [Symbol(shapeMode)]: false,
      [Symbol(kCapture)]: false,
      [Symbol(kBytesWritten)]: 0,
      [Symbol(kNeedDrain)]: false,
      [Symbol(corked)]: 0,
      [Symbol(kOutHeaders)]: [Object: null prototype],
      [Symbol(errored)]: null,
      [Symbol(kHighWaterMark)]: 16384,
      [Symbol(kRejectNonStandardBodyWrites)]: false,
      [Symbol(kUniqueHeaders)]: null
    },
    data: ''
  }
}

nginx

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2024/09/18 13:54:55 [notice] 1#1: using the "epoll" event method
2024/09/18 13:54:55 [notice] 1#1: nginx/1.27.1
2024/09/18 13:54:55 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2024/09/18 13:54:55 [notice] 1#1: OS: Linux 6.5.11-linuxkit
2024/09/18 13:54:55 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/09/18 13:54:55 [notice] 1#1: start worker processes
2024/09/18 13:54:55 [notice] 1#1: start worker process 21
2024/09/18 13:54:55 [notice] 1#1: start worker process 22
2024/09/18 13:54:55 [notice] 1#1: start worker process 23
2024/09/18 13:54:55 [notice] 1#1: start worker process 24
2024/09/18 13:54:55 [notice] 1#1: start worker process 25
2024/09/18 13:54:55 [notice] 1#1: start worker process 26
2024/09/18 13:54:55 [notice] 1#1: start worker process 27
2024/09/18 13:54:55 [notice] 1#1: start worker process 28
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET / HTTP/1.1" 307 43 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /api/auth/signin?callbackUrl=%2F HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /login?callbackUrl=https%3A%2F%2Flocalhost%2F HTTP/1.1" 200 3709 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/media/86fdec36ddd9097e-s.p.woff2 HTTP/1.1" 200 39888 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/webpack-c531545a80d3e80c.js HTTP/1.1" 200 1977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/media/a34f9d1faa5f3315-s.p.woff2 HTTP/1.1" 200 48556 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/css/682166ef3a4c391c.css HTTP/1.1" 200 14759 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/css/da05db31bb148efb.css HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/main-app-55bbd77d79f9187f.js HTTP/1.1" 200 475 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/7023-ec7e08004c95722b.js HTTP/1.1" 200 31730 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/fd9d1056-2cbb1be792c527e1.js HTTP/1.1" 200 53758 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/5853-94dd4a10a18e5fb5.js HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/968-ded74ca557f5b7df.js HTTP/1.1" 200 10311 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/9109-e7b336516b46b748.js HTTP/1.1" 200 7186 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/5956-c301210d1a8c0ebc.js HTTP/1.1" 200 6179 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/2477-96a169ec540fd70b.js HTTP/1.1" 200 45540 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/2530-b8f1f23b4c44c05e.js HTTP/1.1" 200 4130 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/app/layout-d0373a9717701ec0.js HTTP/1.1" 200 3381 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/app/error-e311ab13f79b2eca.js HTTP/1.1" 200 2347 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/8e1d74a4-c15d211a4a0c6383.js HTTP/1.1" 200 14159 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/6655-eb4fbbd4b93a818f.js HTTP/1.1" 200 55812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /_next/static/chunks/app/login/page-4bd093c9b67a3a7f.js HTTP/1.1" 200 6163 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /favicon.svg HTTP/1.1" 200 995 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:55:16 +0000] "GET /api/auth/session HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:07 +0000] "GET /api/auth/providers HTTP/1.1" 200 171 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:07 +0000] "GET /api/auth/csrf HTTP/1.1" 200 80 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:07 +0000] "POST /api/auth/signin/github HTTP/1.1" 200 253 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /api/auth/callback/github?code=636a06b3d83b97d38890&state=qM2ryBccnSvhpuPQi8eZVUIdECV6ynPAcVJbD-Ef_xI HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /api/auth/error?error=Callback HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /api/auth/signin?error=Callback HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /login?callbackUrl=https%3A%2F%2Flocalhost%2F&error=Callback HTTP/1.1" 200 3709 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/media/86fdec36ddd9097e-s.p.woff2 HTTP/1.1" 200 39888 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/webpack-c531545a80d3e80c.js HTTP/1.1" 200 1977 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/media/a34f9d1faa5f3315-s.p.woff2 HTTP/1.1" 200 48556 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/main-app-55bbd77d79f9187f.js HTTP/1.1" 200 475 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/968-ded74ca557f5b7df.js HTTP/1.1" 200 10311 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/7023-ec7e08004c95722b.js HTTP/1.1" 200 31730 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/9109-e7b336516b46b748.js HTTP/1.1" 200 7186 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/5853-94dd4a10a18e5fb5.js HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/css/da05db31bb148efb.css HTTP/1.1" 200 257 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/css/682166ef3a4c391c.css HTTP/1.1" 200 14759 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/2477-96a169ec540fd70b.js HTTP/1.1" 200 45540 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/5956-c301210d1a8c0ebc.js HTTP/1.1" 200 6179 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/fd9d1056-2cbb1be792c527e1.js HTTP/1.1" 200 53758 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/app/layout-d0373a9717701ec0.js HTTP/1.1" 200 3381 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/2530-b8f1f23b4c44c05e.js HTTP/1.1" 200 4130 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/app/error-e311ab13f79b2eca.js HTTP/1.1" 200 2347 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/6655-eb4fbbd4b93a818f.js HTTP/1.1" 200 55812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/app/login/page-4bd093c9b67a3a7f.js HTTP/1.1" 200 6163 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /_next/static/chunks/8e1d74a4-c15d211a4a0c6383.js HTTP/1.1" 200 14159 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /favicon.svg HTTP/1.1" 200 995 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"
192.168.65.1 - - [18/Sep/2024:13:56:11 +0000] "GET /api/auth/session HTTP/1.1" 200 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0" "-"

Worker

2024-09-18 13:54:56,080 INFO [rq.worker:569] worker 1 281473537412352 Worker rq:worker:187deeeee74247fb9458de0bb93505b4 started with PID 1, version 1.15.1
2024-09-18 13:54:56,080 INFO [rq.worker:613] worker 1 281473537412352 Subscribing to channel rq:pubsub:187deeeee74247fb9458de0bb93505b4
2024-09-18 13:54:56,081 INFO [rq.worker:573] worker 1 281473537412352 *** Listening on default...
2024-09-18 13:54:56,082 INFO [rq.worker:315] worker 1 281473537412352 Cleaning registries for queue: default

Postgres

PostgreSQL Database directory appears to contain a database; Skipping initialization

2024-09-18 13:54:54.925 UTC [1] LOG:  starting PostgreSQL 15.4 on aarch64-unknown-linux-musl, compiled by gcc (Alpine 12.2.1_git20220924-r4) 12.2.1 20220924, 64-bit
2024-09-18 13:54:54.925 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-09-18 13:54:54.925 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2024-09-18 13:54:54.927 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2024-09-18 13:54:54.930 UTC [24] LOG:  database system was shut down at 2024-09-18 13:54:42 UTC
2024-09-18 13:54:54.934 UTC [1] LOG:  database system is ready to accept connections

Redis

This log appears in loop many times

1:M 18 Sep 2024 13:41:47.021 * 1 changes in 3600 seconds. Saving...
1:M 18 Sep 2024 13:41:47.027 * Background saving started by pid 106
106:C 18 Sep 2024 13:41:47.038 * DB saved on disk
106:C 18 Sep 2024 13:41:47.039 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
1:M 18 Sep 2024 13:41:47.128 * Background saving terminated with success

sgohl · 2024-09-24T15:34:26Z

DEBUG=true did not give any additional information

https://docs.phase.dev/self-hosting/configuration/envars#git-lab-sso is inconsistent: It tells to set the callback url to
/api/auth/callback/gitlab/ and /api/auth/callback/gitlab

which one is correct? For me:

with trailing slash: Login process stuck at Gitlab site:

without trailing slash

phase-frontend  | [next-auth][error][OAUTH_CALLBACK_ERROR] 
phase-frontend  | https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.) {
phase-frontend  |   error: OPError: invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)
phase-frontend  |       at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
phase-frontend  |       at Client.grant (/app/node_modules/openid-client/lib/client.js:1327:22)
phase-frontend  |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
phase-frontend  |       at async Client.oauthCallback (/app/node_modules/openid-client/lib/client.js:603:24)
phase-frontend  |       at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:111:16)
phase-frontend  |       at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
phase-frontend  |       at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
phase-frontend  |       at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
phase-frontend  |       at async K (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:16853)
phase-frontend  |       at async U.render (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:17492) {
phase-frontend  |     name: 'OAuthCallbackError',
phase-frontend  |     code: undefined
phase-frontend  |   },
phase-frontend  |   providerId: 'gitlab',
phase-frontend  |   message: 'invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)'

There is no /service/health/ route in backend:

I know, nginx strips /service/ via rewrite before proxy_pass to backend.
also, I added localhost to ALLOWED_HOSTS via compose.yml
so, within backend container

~/phase > docker compose exec -it backend sh
/app $ curl -i localhost:8000/health/
HTTP/1.1 404 Not Found
Server: gunicorn
Date: Tue, 24 Sep 2024 15:29:37 GMT
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Length: 179
Vary: Origin
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin

<!doctype html>
<html lang="en">
<head>
  <title>Not Found</title>
</head>
<body>
  <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
</body>
</html>

phase-backend   | 2024-09-24 15:28:24,878 WARNING [django.request:241] log 8 139626853657352 Not Found: /health/

from outside:

~ > curl -i https://pass.myacme.corp/service/health/
HTTP/2 404 
content-type: text/html; charset=utf-8
cross-origin-opener-policy: same-origin
date: Tue, 24 Sep 2024 15:28:47 GMT
referrer-policy: same-origin
server: nginx/1.27.0
vary: Origin
x-content-type-options: nosniff
x-frame-options: DENY
content-length: 179


<!doctype html>
<html lang="en">
<head>
  <title>Not Found</title>
</head>
<body>
  <h1>Not Found</h1><p>The requested resource was not found on this server.</p>
</body>
</html>

I also tried setting Gitlab Application to Confidential YES and NO.
What is correct? Please also mention this in the docs

Trusted is YES
(after every change I run docker compose down -v & up -d )

my full .env

~/phase > cat .env | grep -v ^$ | grep -v ^#
HOST=pass.myacme.corp
HTTP_PROTOCOL=https://
NEXTAUTH_SECRET=f6974065ba1a5885432945b2d36b22bb642a4b43a3a0448c9b1e4c3d2a7608a8
SECRET_KEY=3cc9ff78f90bddc2329572a97f920ae05882b8df7e02a9269dcbd172fe0fb359
SERVER_SECRET=2ccaad78d3a784a4edcb04302e2f96dd23a1e2ed300dfb9df96601772018df40
SSO_PROVIDERS=gitlab
GITLAB_CLIENT_ID=e8d0df22dbe15208ccbe4cd978ab3a5cfb4317e4bece485aevec2fsb1bd718ea
GITLAB_CLIENT_SECRET=gloas-2ff8a719c54be2cd98066fc01516f6eb9cb065a0d86c13b6336c43fd06796e1
GITLAB_AUTH_URL=https://gitlab.myacme.corp
DATABASE_HOST=postgres # don't change this
DATABASE_PORT=5432
DATABASE_NAME=postgres-db-name
DATABASE_USER=postgres-user
DATABASE_PASSWORD=ed607856f9bcc3eb852385cf078abc8ce90c5f407d14b2af84e92a2a891a97de
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=
NEXT_TELEMETRY_DISABLED=1
DEBUG=true

p.s. I am using self-hosted Community Edition of Gitlab.

rohan-chaturvedi · 2024-09-25T05:28:01Z

@sgohl For verbose logs, try DEBUG=True (not DEBUG=true)

https://docs.phase.dev/self-hosting/configuration/envars#git-lab-sso is inconsistent: It tells to set the callback url to
/api/auth/callback/gitlab/ and /api/auth/callback/gitlab

Apologies for the inconsistency in the docs. The correct URI is without a trailing slash. I'm making this fix in the docs as well: phasehq/docs#95

There is no /service/health/ route in backend:

I know, nginx strips /service/ via rewrite before proxy_pass to backend.
also, I added localhost to ALLOWED_HOSTS via compose.yml

What version of the Console are running? Could you try updating to the latest release, as we added this health endpoint quite recently

I also tried setting Gitlab Application to Confidential YES and NO.
What is correct? Please also mention this in the docs

Trusted is YES

These settings should not have any effect on the SSO setup or the ability to login, which is why we left it out of the docs.

I'll try and set up a GitLab instance locally to replicate your setup and see if I can figure out what is wrong, but most of this time this is due to the frontend container not being able to communicate with the backend.

nimish-ks · 2024-09-25T06:35:26Z

@Apkahym Thanks for providing detailed logs and configs. I have managed to replicate your setup locally, but unfortunately not your error. I was able to log in with GitHub SSO just fine. I even tried setting up Phase on a fresh EC2 instance, but couldn't replicate the issue.

The only couple of differences I see that you have made are:

Your NEXT_PUBLIC_BACKEND_API_BASE in your docker-compose.yaml ends with a trailing slash: NEXT_PUBLIC_BACKEND_API_BASE: "${HTTP_PROTOCOL}${HOST}/service/". This doesn't seem to be breaking anything:
You have not enabled http2 in your nginx config:

server {
    listen 80;
    listen 443 ssl; # http2 here
...
}

This, however, shouldn't cause any issues.

I would suggest you give it another go, perhaps with another SSO provider.

If you would like, I'm happy to get on a call and debug this with you. You can ping me on Slack: https://slack.phase.dev

nimish-ks · 2024-09-27T06:00:53Z

@sgohl Is your GitLab instance using a self-signed certificate? 🤔

sgohl added the bug Something isn't working label Jul 31, 2024

rohan-chaturvedi self-assigned this Jul 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Gitlab OAUTH_CALLBACK_ERROR invalid_client #321

Gitlab OAUTH_CALLBACK_ERROR invalid_client #321

sgohl commented Jul 31, 2024

rohan-chaturvedi commented Jul 31, 2024

sgohl commented Aug 16, 2024 •

edited

Loading

rohan-chaturvedi commented Sep 17, 2024

sgohl commented Sep 17, 2024 •

edited

Loading

rohan-chaturvedi commented Sep 17, 2024

Apkahym commented Sep 17, 2024

rohan-chaturvedi commented Sep 18, 2024

Apkahym commented Sep 18, 2024 •

edited

Loading

sgohl commented Sep 24, 2024 •

edited

Loading

rohan-chaturvedi commented Sep 25, 2024

nimish-ks commented Sep 25, 2024

nimish-ks commented Sep 27, 2024

Gitlab OAUTH_CALLBACK_ERROR invalid_client #321

Gitlab OAUTH_CALLBACK_ERROR invalid_client #321

Comments

sgohl commented Jul 31, 2024

Describe the bug

To Reproduce

Expected behavior

Platform you are having the issue on:

Additional context

rohan-chaturvedi commented Jul 31, 2024

sgohl commented Aug 16, 2024 • edited Loading

rohan-chaturvedi commented Sep 17, 2024

sgohl commented Sep 17, 2024 • edited Loading

rohan-chaturvedi commented Sep 17, 2024

Apkahym commented Sep 17, 2024

rohan-chaturvedi commented Sep 18, 2024

Apkahym commented Sep 18, 2024 • edited Loading

Github App Config

Docker compose file

.env

Nginx Dockerfile

Nginx Conf

Logs

Backend

Frontend

nginx

Worker

Postgres

Redis

sgohl commented Sep 24, 2024 • edited Loading

rohan-chaturvedi commented Sep 25, 2024

nimish-ks commented Sep 25, 2024

nimish-ks commented Sep 27, 2024

sgohl commented Aug 16, 2024 •

edited

Loading

sgohl commented Sep 17, 2024 •

edited

Loading

Apkahym commented Sep 18, 2024 •

edited

Loading

sgohl commented Sep 24, 2024 •

edited

Loading