lyft / confidant

Confidant: your secret keeper. https://lyft.github.io/confidant

Oauth reports unauthorized redirect URI with wrong scheme

russmac opened this issue · comments

gunicorn is running behind an AWS ELB.

I enabled Google+ and the People API,

using the allowed redirect URIs:
https://confidant.example.com
https://confidant.example.com/v1/login

400. That’s an error.
Error: redirect_uri_mismatch

The redirect URI in the request, http://confidant.example.com.au/, does not match the ones authorized for the OAuth client. Visit https://console.developers.google.com/apis/credentials/oauthclient/585383940121-etq6mgot8mmd7q4bi.apps.googleusercontent.com?project=58540121 to update the authorized redirect URIs.

I checked, and an http-scheme URI is not anywhere in the credential configuration.

If I add the unused http:// scheme URIs to the allowed redirect URIs

http://confidant.example.com
http://confidant.example.com/v1/login

I get prompted with an OAuth privacy screen; I click Allow and it posts

POST /o/oauth2/approval?hd=example.com.au&as=-72bf7555&pageId=none&xsrfsign=APd5Au-3o4Q-eIcsrShTb HTTP/1.1

And it responds with an HTTP/2.0 302 Found to http://confidant.example.com instead of https.

Looks like I just need to modify settings.py or set REDIRECT_URI like the other env vars.

https://github.com/lyft/confidant/blob/1.1/confidant/authnz/userauth.py#L126-L127

REDIRECT_URI = str_env('REDIRECT_URI')

Sorry for the spurious report.

Still redirects to http instead of https with the REDIRECT_URI env var set. I can see it with ps auxef.

I also hardcoded it in settings.py:

# Google Auth
export REDIRECT_URI='https://confidant.example.com.au'
# The client id and consumer secret from the google developer console.
export GOOGLE_OAUTH_CLIENT_ID='foo.apps.googleusercontent.com'
export GOOGLE_OAUTH_CONSUMER_SECRET='foo'
export GOOGLE_AUTH_EMAIL_SUFFIX='example.com.au'

I tcpdumped all outgoing traffic during an attempted login on the confidant box.

As you can see, confidant is ignoring the redirect URI and sending the URI to OAuth with the http scheme (even when it's hardcoded in the redirect()).

SSLify is on, of course.

HTTP/1.1 302 Found
Server: gunicorn/19.3.0
Date: Tue, 24 May 2016 21:22:45 GMT
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Location: https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=foobar&redirect_uri=http%3A%2F%2Fconfidant.example.com.au%2F&response_type=code&client_id=foobar.apps.googleusercontent.com
Set-Cookie: confidant_session=foobar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Set-Cookie: confidant_session=foo.bar; Expires=Fri, 24-Jun-2016 21:22:45 GMT; HttpOnly; Path=/
Content-Length: 0
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'

workaround

I added an 80 -> 80 listener on my ELB

and an Nginx forced ssl rewrite.

This requires modifying the OAuth client with the following; OAuth doesn't seem to mind after the initial 302.

Authorized redirect URIs:
http://confidant.example.com.au
http://confidant.example.com.au/v1/login
http://confidant.example.com.au/    (note: it did not work until I added this URI)

I was able to leave the JS domain on the https scheme:

https://confidant.example.com.au/

    server {
        listen 80;
        server_name confidant.example.com.au;
        # send every plain-HTTP request to the same path over HTTPS
        rewrite ^(.*)$ https://confidant.example.com.au$1;
    }

I think you're running into this issue: #50

You should be able to either set the FORWARDED_ALLOW_IPS environment variable, or set --forwarded-allow-ips=*. Without doing this, gunicorn will strip the X-Forwarded-* headers, and authomatic won't know that it needs to change the protocol.
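To make the trust rule in the comment above concrete, here is an added example (not confidant's, gunicorn's or authomatic's code): a simplified model of how a WSGI server behind a TLS-terminating load balancer decides the request scheme, and therefore what ends up in the redirect_uri. The header table and the default allow list follow gunicorn 19.x's documented defaults, but the trust logic is a deliberately reduced model, not a copy of gunicorn's source; the peer addresses, host and client id are constructed for the example.

```python
# Added example: model of proxy-header trust behind an ELB. Not project code.
from urllib.parse import urlencode

# gunicorn's default forwarded_allow_ips: only localhost is trusted.
GUNICORN_DEFAULT_FORWARDED_ALLOW_IPS = "127.0.0.1"

# gunicorn's default secure_scheme_headers, as WSGI environ keys:
# if a trusted peer sends one of these with this value, the request is https.
SECURE_SCHEME_HEADERS = {
    "HTTP_X_FORWARDED_PROTOCOL": "ssl",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_SSL": "on",
}


def apply_proxy_trust(environ, forwarded_allow_ips):
    """Simplified model (an assumption of this example): when the peer address is
    in the allow list ('*' means any peer), a matching secure-scheme header flips
    wsgi.url_scheme to https; when it is not, those headers are dropped unused."""
    env = dict(environ)
    peer = env.get("REMOTE_ADDR", "")
    allow = {ip.strip() for ip in forwarded_allow_ips.split(",")}
    trusted = "*" in allow or peer in allow
    for header, secure_value in SECURE_SCHEME_HEADERS.items():
        value = env.pop(header, None)
        if trusted and value is not None and value.lower() == secure_value:
            env["wsgi.url_scheme"] = "https"
    return env


def build_redirect_uri(environ, path="/"):
    """Build redirect_uri the way a typical WSGI app does: from the scheme the
    server reports plus the Host header. Nothing here reads REDIRECT_URI, which
    is why setting that variable alone did not change the scheme in the report."""
    return "%s://%s%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"], path)


def build_authorize_url(environ, client_id):
    """Assemble the Google authorize URL, shaped like the Location header above."""
    params = {
        "scope": "https://www.googleapis.com/auth/userinfo.email",
        "state": "constructed-state",
        "redirect_uri": build_redirect_uri(environ),
        "response_type": "code",
        "client_id": client_id,
    }
    return "https://accounts.google.com/o/oauth2/auth?" + urlencode(params)


# Constructed request as gunicorn sees it: the ELB terminated TLS and connected
# over plain HTTP from a private address (addresses are made up).
ELB_PEER = "10.0.1.23"
REQUEST_FROM_ELB = {
    "REMOTE_ADDR": ELB_PEER,
    "HTTP_HOST": "confidant.example.com.au",
    "wsgi.url_scheme": "http",            # the hop the server actually saw
    "HTTP_X_FORWARDED_PROTO": "https",    # what the ELB adds
    "HTTP_X_FORWARDED_FOR": "203.0.113.9",
}


def redirect_uri_for(forwarded_allow_ips, environ=REQUEST_FROM_ELB):
    """redirect_uri produced for the constructed request under a given allow list."""
    return build_redirect_uri(apply_proxy_trust(environ, forwarded_allow_ips))


if __name__ == "__main__":
    # Default: ELB is not trusted, header is stripped, redirect_uri is http (the report)
    print(redirect_uri_for(GUNICORN_DEFAULT_FORWARDED_ALLOW_IPS))
    # --forwarded-allow-ips=* : header honoured, redirect_uri is https
    print(redirect_uri_for("*"))
    # Listing the proxy address does the same without trusting every peer
    print(redirect_uri_for(ELB_PEER))
    print(build_authorize_url(apply_proxy_trust(REQUEST_FROM_ELB, "*"),
                              "foobar.apps.googleusercontent.com"))
```

The practical check is the first two calls: the same request yields `http://` with the default allow list and `https://` once the peer is trusted, which is exactly the difference between the Location header in the report and the expected one. `*` trusts X-Forwarded-* from every peer, so it is appropriate only when gunicorn is reachable from the load balancer alone (security group or local bind); where other peers can reach it, list the proxy addresses instead so a direct client cannot choose the scheme the app reports.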

Thanks Ryan, I'll give it a shot.

Do you accept PRs on the docs? I would like to add this, as the docs recommend a particular way of running gunicorn and also using an ELB, which will not work.

Yeah, we're happy to accept PRs on docs without signing our CLA. We're happy to consider all PRs, if you sign the CLA :)

Thanks Ryan, I can confirm the --forwarded-allow-ips=* works correctly.

I'll do my best to find time this week to get a PR going. I've found a few things which would definitely help new users.

Awesome. Thanks!