WordPress API auth workflows don't redirect properly.

Morning r/wordpress!

I've been having a problem with _some_ of my sites, but not all, and I'm running out of ideas.

Two different plugins now that require API authentication to Google (Google Site Kit, and now WP Mail SMTP (using Gmail)) are failing to authenticate to Google in the same way.

In both cases, when I authenticate using Google's OAuth, it takes me to the Google page where I'd select which Google account to authenticate, then to the page on Google where I accept that I'm giving the app access to my Google account. Then, when it's supposed to redirect back to my site to complete the process, it brings me to my site's home page instead, breaking the authentication process.

I have three WP sites on the same host (not a multi-site setup); they are each containerized and use an nginx reverse proxy to route incoming requests. One of these sites works perfectly for these authentication workflows; the other two do the same thing (redirect to the home page).

As far as I can tell, the .htaccess and nginx configs are configured the same way for each site, but I am now going over them with a fine-toothed comb to see if there is some difference I am missing.

Any ideas where else I might look?

Thanks!

— added info

Watching the access logs on my server, I see the following after I submit the authentication on the Google site and get redirected to the home page of my site:

```
[27/Dec/2022:14:01:07 +0000] "GET /wp-admin/options-general.php?page=wp-mail-smtp&tab=auth&state=<redacted>-primary&code=<redacted> HTTP/2.0" 302 0 "https://accounts.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
```

So it's getting back to my site, but 302s. I don't know if it's _supposed_ to redirect and is redirecting improperly, or if it's not supposed to redirect at all.

— added more info

Continuing to troubleshoot. I tried disabling every plugin on my affected site; it didn't help. I tested whether the REST API for WP is working, and I believe it is (calls to the URL for the API return API data…).

I went to my site that IS working and re-configured Site Kit, which meant going through auth again. Then I did the same on my affected site. As expected, the workflow worked on my working site and did not on my affected site. I found the following.

Logs from the affected site.

I see the following request after finishing Google's authentication workflow when enabling Site Kit on my affected site. (I don't know if these sitekit- codes are sensitive, so I'm redacting them.)

```
"GET /wp-admin/index.php?oauth2callback=1&code=sitekit-<redacted> HTTP/2.0" 302 0 "https://sitekit.withgoogle.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
```

Then I see:

```
"GET / HTTP/2.0" 200 45241 "https://sitekit.withgoogle.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
```

Then the logs go on to show my site loading the home page.

On my working site, I see the same auth entry:

```
"GET /wp-admin/index.php?oauth2callback=1&code=sitekit-<redacted> HTTP/2.0" 302 0 "https://sitekit.withgoogle.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
```

But then I see the setup in WordPress continue rather than going to /. WHY?!

```
"GET /wp-admin/admin.php?page=googlesitekit-splash&notification=authentication_success HTTP/2.0" 302 0 "https://sitekit.withgoogle.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
```

I'm not sure where to go from here. This feels like WordPress is getting back the OAuth completion token and then not behaving properly… What might make that happen?

— ANOTHER UPDATE! I feel like I'm getting closer.

OK, so the callback URL includes "&code=sitekit-fooo" in the URL. I did some tinkering. I took the callback URL and basically broke it up and fed it in manually piece by piece; as soon as "&code" is included in the URL, it redirects to /.

I tried adding &code to random wp-admin URLs, like "wp-admin/edit.php?post_type=page". Adding "&foo" just does nothing, since WP seems to just ignore it. Adding &code takes me to /.

I did the same thing on my working site... No redirect! It ignores &code the same as it would &anythingelse. My guess is that I've got some URL injection protection or something at play… I do use Wordfence, but I'd disabled it as part of my testing... Must be something else.
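One more place to look is inside WordPress itself. The following mu-plugin is an added example (not the poster's code, and not part of Site Kit, WP Mail SMTP or WordPress core): it hooks the `wp_redirect` filter and logs every PHP-side redirect issued on a request that carries a `code` query parameter, together with the call chain that triggered it. The file location under `wp-content/mu-plugins/` and the `[redirect-trace]` log prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Redirect Tracer (debug-only mu-plugin, added example)
 * Description: Logs who issues a redirect when the request carries ?code=...
 *
 * Install as wp-content/mu-plugins/redirect-tracer.php so it loads before
 * ordinary plugins and the theme, then remove it once the source is found.
 * With WP_DEBUG and WP_DEBUG_LOG enabled in wp-config.php, error_log()
 * output lands in wp-content/debug.log.
 */

// Priority 1 so this runs before any other wp_redirect filter can rewrite
// the target; accepted_args 2 so we also receive the HTTP status.
add_filter( 'wp_redirect', function ( $location, $status ) {
    // Only trace the requests the poster cares about (the OAuth callback
    // carrying &code=...), to keep the log readable.
    if ( isset( $_GET['code'] ) ) {
        $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

        // wp_debug_backtrace_summary() returns a comma-separated list of the
        // functions and hooks that led to this redirect; the plugin, theme or
        // core function that called wp_redirect() / wp_safe_redirect() shows up
        // at the end of the chain.
        error_log( sprintf(
            '[redirect-trace] %s -> %s (HTTP %d) via %s',
            $request_uri,
            $location,
            (int) $status,
            wp_debug_backtrace_summary()
        ) );
    }

    // Never change the redirect; this hook only records it.
    return $location;
}, 1, 2 );
```

If the access log shows the 302 to / but nothing reaches debug.log, the redirect is not coming from PHP at all and the nginx proxy, the container's web server config or .htaccess is the next place to look.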
