sebadob / rauthy

OpenID Connect Single Sign-On Identity & Access Management

Home Page:https://sebadob.github.io/rauthy/

Malformed request when trying to login while developing locally.

sjud opened this issue

The index page loads, but then when I click admin login, I get a 400 malformed request: Invalid redirect uri.
The redirect URL is well formed, but in my browser console I get this error.

GET
http://localhost:8080/auth/v1/oidc/authorize?client_id=rauthy&redirect_uri=http://localhost:8080/auth/v1/oidc/callback&response_type=code&code_challenge=97GbYIUOZRKgJkrLaiyPL4FAyVv617A4IwyL0ueYO-M&code_challenge_method=S256&scope=openid+profile+email&nonce=2PDS7L1qt9jT7UDFq6JvWtIf&state=admin
[HTTP/1.1 400 Bad Request 1ms]

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

and I can source that to frontend/svelte.config.js:23

'script-src': ['self', 'wasm-unsafe-eval'],

I can't mess with this without breaking the entire app unfortunately.

Also, the docker image works perfectly. It's just when I try to run it from the just file on my local machine that I get issues.

Adding 'unsafe-inline' to line 23

'script-src': ['self', 'wasm-unsafe-eval', 'unsafe-inline'],

Causes this warning (and no fix)

  Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified

My guess is that it is coming from

frontend/src/routes/oidc/authorize/+page.svelte

Since the route I am trying to access unsuccessfully is http://localhost:8080/auth/v1/oidc

But also because frontend/src/routes/oidc/authorize/+page.svelte contains the word nonce
Unfortunately, this is the first time I've ever looked at a .svelte file, so I'm not sure what I'm looking at exactly.

Edit 1:

Okay so it looks like we pull the nonce from the query in the url so the nonce is nonce=2PDS7L1qt9jT7UDFq6JvWtIf

But this is only set on_mount, and there is a flash before I get this error. So what happens before that? Could the error be caused by nonce being initialized to ''?

I hardcode the nonce to

let nonce = 'jw1XcRxdnwXT08HbnCVB45Qr';

Not because this will fix anything, but can I cause a different error? Unfortunately no, same error.

I am getting this message "You need to enable javascript" in my response, although that isn't being displayed anywhere on the page, just in the body of the response of the 400 GET request that set this whole chain off.

I see that is from BrowserCheck on this login page, under a noscript header. I assume I am triggering it because the javascript is inline and apparently that's not being allowed?

What's interesting is that when I run the docker image, I actually get the same error

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

Except that it successfully redirects me to the email login page, so I never noticed before!

Edit 2:

Okay, I think the url nonce and the nonce in the scripts are different. So what I'm going to do is this follow the csp guides and add nonces
https://kit.svelte.dev/docs/configuration#csp

Edit 3:

Even though the csp guide suggests this is done automatically in some capacity, I mass replace <script> with <script %sveltekit.nonce%> in every svelte file (but ignoring templates, html, etc.)

Nope, that does nothing.

I forgot to mention that I am also getting this error on the first time I click Admin login

XHR GET
http://localhost:8080/auth/v1/oidc/sessioninfo
[HTTP/1.1 401 Unauthorized 2ms]

Could that be something? I'm off to investigate!

Edit 4:
Okay so we probably don't have a session and are getting the unauthorized response from the handler.

Let's go back to the error message and try to answer some fundamental questions.

Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

The page's settings, well, what are the page's settings?

content-security-policy | frame-ancestors 'none'; object-src 'none';

Hmm neither of those are relevant.

If I just disable the csp by deleting all of the directives, I actually don't get the error in the console, but I still get the error displayed on the web page and the no-javascript response. Hmmm.

The reason is most probably very simple: PUB_URL

# The Public URL of the whole deployment
# The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN
# HEADER later on, which is especially important when running
# rauthy behind a reverse proxy. In case of a non-standard
# port (80/443), you need to add the port to the PUB_URL
PUB_URL=localhost:8080

I guess you have set it to something else, right? This error is coming from the backend, because the params are validated for each client. But when you have a different config, for instance 127.0.0.1:8000 in your PUB_URL, and you try to access Rauthy via localhost:8000, it will throw an error. Each client can only redirect to the URLs configured for it.

Rauthy has anti-lockout features. This means, even if you mess with the rauthy clients settings in the UI and lock yourself out, you can just restart the app with the correct setting and it will reset the rauthy clients data properly. This is done here:

pub async fn anti_lockout(db: &DbPool, issuer: &str) -> Result<(), ErrorResponse> {

I guess you simply have a difference in your config and the way you try to access Rauthy.
For instance, I sometimes use an external build host in my development. Let's say it is running at 192.168.1.10. I then need to adapt the PUB_URL to this IP address and the correct port, so it all makes sense in the end.
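As an added example (this is not Rauthy's own code; it is a stand-alone model written for this page), the following Python shows why the backend answers "Invalid redirect uri" when the browser reaches the server through an origin other than the configured one, and what a correct redirect_uri check looks like. It assumes the callback path of the built-in client as seen in the /authorize request quoted earlier in this issue, and a simplified mapping of LISTEN_SCHEME values to URL schemes; both are assumptions, not Rauthy's actual implementation. The point for practitioners is that the comparison must be an exact match (no prefix, substring or host-only matching), so the fix is to align PUB_URL and LISTEN_SCHEME with how you reach the server, never to loosen the check.

```python
"""Added example, not Rauthy's code: a model of why an OIDC redirect_uri check
tied to PUB_URL and LISTEN_SCHEME rejects a login when the browser reaches the
server through an origin other than the configured one."""
from urllib.parse import parse_qs, urlsplit

# Callback path of the built-in "rauthy" client, taken from the request in the issue.
CALLBACK_PATH = "/auth/v1/oidc/callback"

# Assumption: how LISTEN_SCHEME values map to URL schemes (a simplified model).
SCHEMES = {"http": ("http",), "https": ("https",), "http_https": ("http", "https")}

# The /authorize request quoted in the issue (sample input copied from the thread).
AUTHORIZE_URL = (
    "http://localhost:8080/auth/v1/oidc/authorize?client_id=rauthy"
    "&redirect_uri=http://localhost:8080/auth/v1/oidc/callback&response_type=code"
    "&code_challenge=97GbYIUOZRKgJkrLaiyPL4FAyVv617A4IwyL0ueYO-M&code_challenge_method=S256"
    "&scope=openid+profile+email&nonce=2PDS7L1qt9jT7UDFq6JvWtIf&state=admin"
)


def allowed_redirect_uris(listen_scheme, pub_url):
    """Redirect URIs the deployment's own client is (re)configured with at startup."""
    if listen_scheme not in SCHEMES:
        raise ValueError(f"unknown LISTEN_SCHEME {listen_scheme!r}")
    return frozenset(f"{s}://{pub_url}{CALLBACK_PATH}" for s in SCHEMES[listen_scheme])


def redirect_uri_is_valid(requested, allowed):
    """Exact-match comparison, as the OAuth 2.0 security BCP requires.

    No prefix, substring or host-only matching: scheme and host are compared
    case-insensitively (they are case-insensitive by definition), path and query
    byte for byte, and a fragment is always rejected (RFC 6749 section 3.1.2).
    """
    req = urlsplit(requested)
    if req.fragment or not req.scheme or not req.netloc:
        return False
    for candidate in allowed:
        cand = urlsplit(candidate)
        if (req.scheme.lower() == cand.scheme.lower()
                and req.netloc.lower() == cand.netloc.lower()
                and req.path == cand.path
                and req.query == cand.query):
            return True
    return False


def check_authorize_request(url, listen_scheme, pub_url):
    """Validate the redirect_uri of an /authorize URL against the deployment config.

    Returns (ok, message); the message mirrors the 400 body seen in the issue.
    """
    params = parse_qs(urlsplit(url).query)
    requested = params.get("redirect_uri", [None])[0]
    if requested is None:
        return False, "missing redirect_uri"
    allowed = allowed_redirect_uris(listen_scheme, pub_url)
    if redirect_uri_is_valid(requested, allowed):
        return True, "ok"
    return False, f"Invalid redirect uri: {requested!r} is not one of {sorted(allowed)}"


if __name__ == "__main__":
    # Config from the issue, before and after the fix.
    for scheme, pub_url in (("http_https", "192.168.14.50:8443"), ("http", "localhost:8080")):
        ok, msg = check_authorize_request(AUTHORIZE_URL, scheme, pub_url)
        print(f"LISTEN_SCHEME={scheme} PUB_URL={pub_url}: {'200' if ok else '400'} {msg}")
    # Look-alike URIs that a loose (prefix or host-only) comparison might accept.
    good = allowed_redirect_uris("http", "localhost:8080")
    for bad in ("http://localhost:8080/auth/v1/oidc/callback/../evil",
                "http://localhost:8080/auth/v1/oidc/callback#x",
                "http://localhost:8080.attacker.example/auth/v1/oidc/callback"):
        print(bad, "->", redirect_uri_is_valid(bad, good))
```

Run it as a script to see the original config (PUB_URL=192.168.14.50:8443, LISTEN_SCHEME=http_https) rejected and the corrected one (PUB_URL=localhost:8080, LISTEN_SCHEME=http) accepted for the same browser request; the second loop shows the look-alike URIs an exact-match check refuses.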

Ah ha!
My pub URL is:
PUB_URL=192.168.14.50:8443
So I set it to PUB_URL=localhost:8080
I had to do one more thing, which was
LISTEN_SCHEME=http_https -> LISTEN_SCHEME=http
Thank you! This is the second time a solution has come from using the config file correctly (who knew??) :D
Thanks again!

Yes some config options really depend on your environment.

What would actually be very cool is if you could just write down what some of the issues were for you while setting all of this up. Then we could add a section to the CONTRIBUTING.md or the Rauthy book.

What I would advise as well is that you put your own secrets and stuff that is specific to your environment not in the rauthy.cfg (because you could push this by accident), but instead in a .env file. This is in the .gitignore by default, so it is safe to put secrets in there.

Will do! Thanks :)