Google OAuth2 on Azure and AWS returns a 502 error

The following Stack Overflow link is exactly the error that is occurring right now:

I’ve tried this on both AWS and Azure and have the same error. I cloned the servicestack.mvc code and tested it as is and also received the same error (I left the version of SS to 4.0.36, but also tried 4.0.44). I’ve tried older versions such as 4.0.9 as a test and that worked successfully.

Has anyone else encountered issues using Azure Websites or AWS EC2 in conjunction with Google OAuth2? Facebook works fine on both.

I also tried the approach suggested in the link above and while the 502 goes away it changes the permissions the app is requesting to “offline” and then fails.

Any assistance or insight would be appreciated.

Thanks.

Are you having the same problems when you are running your application locally? The linked answer was trying to work around a problem that was specific to Azure Websites (not Azure VMs or AWS EC2 instances). As stated in the answer, it’s not a nice workaround and I still don’t know why Azure Websites throws a 502 under the circumstances shown in the linked GitHub repo that highlights the issue without any Google OAuth integration.

If you can reproduce it locally (or remotely on an EC2 instance hosted on IIS), are you able to get any more details, e.g. a stacktrace of the issue?

I’ve just pulled down the same ServiceStack.Mvc example, updated GoogleOAuth2 ClientID, secret, RedirectUrl and CallbackUrl to use my own domain, hosted it on an EC2 instance running IIS 8 and was able to authenticate correctly.

Some issues to look out for are:

  1. Ensure oauth.RedirectUrl and oauth.CallbackUrl are using the right URLs in the right environment
  2. That the correct URLs are also used in your registered application in the Google Developer Console
  3. I’ve found (with GoogleOAuth2) that incorrect case of endpoints can break integration, e.g. GoogleOAuth vs googleoauth

For the Mvc example, also ensure Redis is running locally on the default port of the instance. I switched from Postgres to Sqlite to get the example working and if you do the same, ensure that you give write permissions to the AppPool user for the directory of the sqlite db file.

If you get any more info about your problem, post it here or on SO. Hope that helps.

Thank you for investigating. I actually modified the mvc example to use the MemoryCachedClient instead of Redis myself.

The deployment mechanism I used for AWS was through the publish feature of the AWS .NET SDK that is installed into Visual Studio. This created an Elastic Beanstalk application which provisions an EC2 automatically.

I assume you created an EC2 instance directly and installed IIS manually. I’ll try the same and report back. To answer the previous question, locally (localhost) the authentication works fine, which led me to believe my RedirectUrl and CallbackUrl were not the issue.

For Azure as well, I used the integrated publish feature from Visual Studio into the web apps. I can also try creating a new VM and installing IIS and take that route as well.

Thanks.

I did some further testing and focused specifically on AWS using only the mvc example. I was able to get it to work properly pulling the source and modifying the oauth parameters in the web.config and making the appropriate changes to my registered application in the Google Developer Console.

I realized that the project was linking to the “libs” folder for its references and using an older 4.0.36 version of ServiceStack as well as an older version of the DotNetAuth dll.

I upgraded the version of ServiceStack to the current version 4.0.44 and received the error.

“Unexpected OAuth authorization response received with callback and client state that does not match an expected value”

Currently the failing site is at: http://ssmvc36.elasticbeanstalk.com/

It has the upgraded version of ServiceStack and the resulting error when attempting google authentication.

If you wouldn’t mind, can you verify that your example used the latest release of ServiceStack and if so, can I have a clone of your source (minus the auth keys of course)?

Thanks.

Hi, I’ve upgraded the http://mvc.servicestack.net website to use the latest v4.0.45 packages on MyGet so I can verify I’ve got the latest version.

I can repro the error so I’ve enabled Glimpse so I can inspect DotNetOpenAuth errors, which is due to this Exception:

I’m trying to track down the cause of this issue now. In the meantime I’ve committed the latest MVC Website in GitHub which, as it has Glimpse configured and enabled, is a good project to debug OAuth issues from.


Hi, looks like the issue is DotNetOpenAuth relying on ASP.NET Session State, which is resolved with this workaround which I’ve just added in this commit.

This change is available from v4.0.45 that’s now available on MyGet, if you already had v4.0.45 installed you’ll need to remove your /packages folder to download the updated v4.0.45 packages.

The mvc.servicestack.net website is now working with the latest v4.0.45 packages.

I’ve now also disabled Glimpse from being viewed remotely so it doesn’t leak any user OAuth credentials. It’s still available when run locally.
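
The thread traces the "client state that does not match an expected value" error to DotNetOpenAuth relying on ASP.NET Session State. The following is an added example, not code from the thread, ServiceStack or DotNetOpenAuth: a minimal model of an OAuth `state` value bound to a server-side session, showing that the same check that rejects a forged callback also rejects a genuine one when the session from the authorization request is not available on the callback. `SessionStore`, `OAuthStateDemo` and the session ids are hypothetical names constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// Hypothetical stand-in for server-side session state: session id -> pending OAuth state.
class SessionStore
{
    private readonly Dictionary<string, string> pending = new Dictionary<string, string>();
    public void Save(string sessionId, string state) { pending[sessionId] = state; }
    // One-time read, so a captured callback cannot be replayed.
    public string Take(string sessionId)
    {
        string state;
        if (sessionId == null || !pending.TryGetValue(sessionId, out state)) return null;
        pending.Remove(sessionId);
        return state;
    }
}
static class OAuthStateDemo
{
    // Before redirecting to the provider: mint a random state and bind it to the session.
    public static string BeginAuthorization(SessionStore store, string sessionId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var state = BitConverter.ToString(bytes).Replace("-", "");
        store.Save(sessionId, state);
        return state;
    }

    // On callback: accept only if the returned state equals the one stored for this session.
    public static bool ValidateCallback(SessionStore store, string sessionId, string returned)
    {
        var expected = store.Take(sessionId);
        if (expected == null || returned == null) return false;
        int diff = expected.Length ^ returned.Length; // comparison without early exit
        for (int i = 0; i < expected.Length && i < returned.Length; i++) diff |= expected[i] ^ returned[i];
        return diff == 0;
    }

    static void Main()
    {
        var store = new SessionStore();
        var state = BeginAuthorization(store, "session-A");   // constructed session ids
        Console.WriteLine("same session:    " + ValidateCallback(store, "session-A", state));
        state = BeginAuthorization(store, "session-A");
        // The callback arrives without the original session (lost or never persisted).
        Console.WriteLine("session missing: " + ValidateCallback(store, "session-B", state));
        // session-A still holds its pending state; a forged value is rejected.
        Console.WriteLine("forged state:    " + ValidateCallback(store, "session-A", "forged"));
    }
}
```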