
Error with Redirect URI When Defined in get_login_redirect Using HTTPS with Nginx #210

Open
nimaxin opened this issue Nov 15, 2024 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@nimaxin

nimaxin commented Nov 15, 2024

Problem:

I am experiencing an issue with the fastapi-sso library when defining the redirect_uri within the get_login_redirect method instead of during the initialization of the GoogleSSO instance.

  • When the redirect_uri is set during the initialization of GoogleSSO, everything works correctly under both HTTPS (with Nginx) and localhost.
  • When the redirect_uri is moved to the get_login_redirect method, it works on localhost but fails with HTTPS behind Nginx.

Error:

The following error is encountered when attempting to log in with Google under HTTPS using Nginx:

oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) 
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.

You can let the app developer know that this app doesn't comply with one or more Google validation rules.

Reproduction Steps:

  1. Define the redirect_uri within the get_login_redirect method:

from fastapi import FastAPI
from fastapi_sso.sso.google import GoogleSSO

app = FastAPI()
# redirect_uri is deliberately NOT given here; it is passed per request below (placeholder credentials).
sso = GoogleSSO(client_id="<GOOGLE_CLIENT_ID>", client_secret="<GOOGLE_CLIENT_SECRET>")

@app.get("/auth/google/login")
async def auth_init():
    async with sso:
        return await sso.get_login_redirect(
            redirect_uri="https://preprodxin.ddns.net/auth/google/callback",
            params={"prompt": "consent", "access_type": "offline"},
        )

  2. Configure Nginx to serve the FastAPI application over HTTPS.
  3. Attempt to sign in with Google OAuth.

Observed Behavior:

Works correctly on localhost.
It fails with HTTPS (Nginx) and returns the above error.

Expected Behavior:

Defining the redirect_uri dynamically within get_login_redirect should work consistently across environments, including HTTPS.

Environment:

fastapi==0.115.5
fastapi-sso==0.17.0
Python: docker image 3.11-slim
Nginx: docker image latest (1.27)
Running in a Docker container.

code example: https://github.com/nimaxin/fastapi-sso-nginx.git

@tomasvotava
Owner

Hey, thanks for opening this issue and for the code example! I've actually stumbled upon the same thing just this week. It seems to me that the handling is different and if you pass the redirect_uri to get_login_redirect, you also need to pass it to verify_and_process, which is stupid and confusing. I'll take a look at what I can do about it, hopefully this weekend.
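An added example (not fastapi-sso's or this project's code) that models the mismatch the maintainer describes: a hypothetical OAuth client that, when no redirect_uri is passed on the callback leg, infers it from the incoming request. All values are constructed, and the proxy-header handling is an assumed model of the behaviour, not fastapi-sso's implementation.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from typing import Optional

# Constructed placeholders; not real credentials or registered URIs.
CLIENT_ID = "example-client-id"
AUTHORIZE_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CALLBACK_PATH = "/auth/google/callback"
PUBLIC_URI = "https://preprodxin.ddns.net" + CALLBACK_PATH
# Constructed callback request as the app sees it behind nginx (TLS terminated).
PROXIED = {"scheme": "http", "host": "preprodxin.ddns.net",
           "headers": {"x-forwarded-proto": "https"}}

def build_authorize_url(redirect_uri: str, state: str) -> str:
    """Leg 1: the redirect_uri in the authorization request is what the
    provider later compares against, character for character."""
    query = {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
             "response_type": "code", "scope": "openid email", "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)

def inferred_redirect_uri(scheme: str, host: str, headers: dict,
                          trust_proxy_headers: bool) -> str:
    """Hypothetical model of deriving redirect_uri from the callback request.
    Behind a TLS-terminating proxy the app sees plain http; the browser's
    scheme survives only in X-Forwarded-Proto, and only if it is honoured."""
    if trust_proxy_headers:
        scheme = headers.get("x-forwarded-proto", scheme)
        host = headers.get("x-forwarded-host", host)
    return urlunsplit((scheme, host, CALLBACK_PATH, "", ""))

def token_exchange_redirect_uri(explicit: Optional[str], **request) -> str:
    """Leg 2: the value sent with the code exchange. An explicit value wins;
    otherwise it is inferred from the request that delivered the code."""
    return explicit if explicit is not None else inferred_redirect_uri(**request)

def redirect_uris_match(authorize_url: str, token_redirect_uri: str) -> bool:
    """Exact string comparison: RFC 6749 section 4.1.3 requires the token
    request's redirect_uri to be identical to the authorization request's."""
    sent = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [""])[0]
    return sent == token_redirect_uri

def login_flow_consistent(explicit_in_callback: bool,
                          trust_proxy_headers: bool = False) -> bool:
    """True when both legs of the flow carry the same redirect_uri."""
    authorize_url = build_authorize_url(PUBLIC_URI, state="constructed-state")
    explicit = PUBLIC_URI if explicit_in_callback else None
    token_uri = token_exchange_redirect_uri(
        explicit, trust_proxy_headers=trust_proxy_headers, **PROXIED)
    return redirect_uris_match(authorize_url, token_uri)
```

With an explicit value on the authorize leg only, the inferred callback value behind the proxy is the http:// form and the exchange is rejected; passing the same value on both legs, or honouring X-Forwarded-Proto, restores agreement.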

@mohammadhasananisi

I have the same problem. Does anyone have a solution?

@nimaxin
Author

nimaxin commented Jan 14, 2025

Hi @mohammadhasananisi

Currently, due to this bug (or whatever you may call it), we cannot pass the redirect_uri to the get_login_redirect method directly.

You can use a similar approach as a workaround:
1. Set the redirect_uri directly in the GoogleSSO instance during its initialization.
2. Avoid passing the redirect_uri in the get_login_redirect method.

Here’s an example to illustrate this approach:

from fastapi import APIRouter, Request, status
from fastapi_sso.sso.google import GoogleSSO

# `settings` (GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, DOMAIN) and `DbSession`
# are the application's own objects and are not shown here.
auth_router = APIRouter(prefix="/auth")  # prefix assumed from the callback URL below

google_sso = GoogleSSO(
    client_id=settings.GOOGLE_CLIENT_ID,
    client_secret=settings.GOOGLE_CLIENT_SECRET,
    redirect_uri=f"{settings.DOMAIN}/auth/google/callback",  # Set redirect_uri here.
    allow_insecure_http=True,
)

@auth_router.get("/google/authorize")
async def google_authorize():
    async with google_sso:
        return await google_sso.get_login_redirect(
            params={"prompt": "consent", "access_type": "offline"}  # Don't set redirect_uri here.
        )

@auth_router.get("/google/callback", status_code=status.HTTP_303_SEE_OTHER)
async def auth_callback(request: Request, db: DbSession):
    async with google_sso:
        # The instance's redirect_uri is reused here, so both legs of the flow agree.
        google_user = await google_sso.verify_and_process(request)
    user_email = google_user.email
    ...

@mohammadhasananisi

It worked, thank you very much.

@tomasvotava tomasvotava added the bug Something isn't working label Jan 20, 2025
@tomasvotava tomasvotava self-assigned this Jan 20, 2025