The wiki has just been migrated from one server to another. It all runs on the same domain name. After updating the DNS to point to the new server, when accessing the wiki everything seems to be working fine but one thing:
- Google Auth ceased working on the wiki (local login works fine; have admin access).
I have accessed the wiki's Configuration Manager and did some checks as well as the Google Cloud Project, and checked that the Google OAuth plugin config is correct (even re-fetched the secret key).
What I am experiencing is a 403 Forbidden when using the Google login flow with the user account that owns the project in Google Cloud. I did not have such a problem before the migration (a couple of days ago), so I assume that something went amiss on the move.
The steps that describe my actions and what I see would be:
- Open a private window to the wiki, landing on the auth screen, where I am offered local login (pass) and a Google button
- I click the Google button and I am redirected to the Google Auth screen
- I select the Google account that is admin in the wiki and owns the project for the OAuth in Google Cloud (the email address matches)
- I am shown the 403 Forbidden screen
When I check the Network tab (in Dev Tools of the browser) in a private window, what I observe from the moment that I select my user in the Google Auth screen is:
1. 200 for POST to accounts.google.com (https://accounts.google.com/_/signin/oauth?authuser=0&hl=en-GB&_reqid=122800&rt=j)
2. 302 (redirect status response) for GET from accounts.google.com (https://accounts.google.com/signin/oauth/consent?authuser=0&part=omitted&as=omitted&client_id=omitted&theme=omitted&pli=1&rapt=omitted). The parsed response body says: Server Error 403 Forbidden (You do not have permission to access this document.) <-- this rather seems the response of my server though. The response headers give as Location the url that is requested next in the flow (see step 3 below): I think that Google tried accessing that url themselves with the same result as step 3 below? Google also inserted a 3p3 header param that links to this page.
3. 403 for GET from wiki.domain.tld (https://wiki.domain.tld/doku.php?state=omitted&code=omitted&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&hd=domain.tld&prompt=consent). It says Refer to policy: strict-origin-when-cross-origin.
I think that the problem could be at certificate level? So wiki.domain.tld vs domain.tld certificate? So unrelated to any wiki configuration.
In the Google Cloud Project, in the Authorised JavaScript origins (of Credentials) I have both domain and subdomain in this order added as authorized domains:
- domain.tld
- wiki.domain.tld
I am unsure if this is correct, though... The url of the last captured request (GET wiki.domain.tld) has a parameter hd=domain.tld, rather than hd=wiki.domain.tld... could this be the reason? I am sorry, but I have run short of ideas on what could have happened.
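An added example, not part of the original post: a Python sketch that takes the three requests and the callback URL captured above and separates what Google returned from which host produced the error. In Google's OAuth flow the hd parameter carries the hosted (Google Workspace) domain of the account that signed in, so it is compared here with the account's email domain rather than with the wiki's hostname. The address admin@domain.tld and the function names are assumptions; the redacted values stay as "omitted".

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the post: callback URL with its redacted values left as "omitted".
CALLBACK = (
    "https://wiki.domain.tld/doku.php?state=omitted&code=omitted"
    "&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid"
    "&authuser=0&hd=domain.tld&prompt=consent"
)
# Constructed from the post: (status, method, host) in the order seen in the Network tab.
HOPS = [
    (200, "POST", "accounts.google.com"),
    (302, "GET", "accounts.google.com"),
    (403, "GET", "wiki.domain.tld"),
]

def inspect_callback(url, account_email):
    """Split an OAuth authorization-code callback into the facts worth checking."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # also decodes %3A%2F%2F and '+' inside scope
    hd = query.get("hd", [None])[0]
    email_domain = account_email.rsplit("@", 1)[-1].lower()
    return {
        "callback_host": parts.hostname,
        # RFC 6749 section 4.1.2: success carries code (and state); failure carries error.
        "google_side_succeeded": "code" in query and "error" not in query,
        "state_returned": "state" in query,
        "scopes": query.get("scope", [""])[0].split(),
        "hd": hd,
        # hd follows the account's email domain; it is not expected to equal
        # the hostname the browser is being redirected to.
        "hd_matches_account_domain": hd is not None and hd.lower() == email_domain,
        "hd_equals_callback_host": hd == parts.hostname,
    }

def first_error_hop(hops):
    """Return (host, status) of the first 4xx/5xx response, or None if there is none."""
    for status, _method, host in hops:
        if status >= 400:
            return host, status
    return None

if __name__ == "__main__":
    # admin@domain.tld is an assumed address; the post only says the email matches.
    for key, value in inspect_callback(CALLBACK, "admin@domain.tld").items():
        print(f"{key}: {value}")
    print("first error response from:", first_error_hop(HOPS))
```

On the captured data this reports a callback that already carries code and state, and a first error response from wiki.domain.tld, which places the 403 on the request handled by the wiki's own server.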