vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

400 Error with vouch in a path

Smith-Chris1 opened this issue · comments

I successfully have used Vouch + nginx on the same host using a port number, 9091. I decided to move vouch to a path in nginx. Once I did that, I get a 400 bad request return after the OKTA sequence has completed successfully.

Any help is appreciated

Here's my gist: https://gist.github.com/Smith-Chris1/80e11a760ee2c2a6bda7105364fa4369

line 223 shows localhost, but your VP config shows a much longer domain. Those must be aligned.

The warning in the logs for /authenticate/auth such as "/auth Invalid session state: stored %!s(<nil>), returned XBb1V24PP6bP4fahuZy87GU6s4aZcZ8" are essentially saying that it can't find the correct code in the session cookie.

I changed line 223 to the same domain and am still seeing the issue. I am doing this locally with my hosts file remapping 127.0.0.1 to the domain

Something must be wrong with the authorization cookie.

Do you see the cookie getting set in the /login response? It should include a session code. That cookie and code is later used in the /auth requests. Is it there? Does it include a path?

Does the browser operate in the same domain for the entire round trip?

If you continue to have problems, please update your gist with the current configs you're using and fresh logs. Also please include one run with testing enabled

ok - that's helpful. I see the VouchSession cookie in the /login request. But the domain is set to localhost. I'm not sure why it's localhost, the only time I'm using localhost is in the proxy_pass config for nginx. I thought that was acceptable according to the examples on GitHub?

@Smith-Chris1 are you still working this issue? If not could you please close it?

If you do still want help please do provide current configs and logs.

Thanks for following up - sorry for the delay. I think I'm nearly there, but am now getting this error:

{"level":"debug","ts":1709750896.2578976,"msg":"/auth/{state}/"}
{"level":"warn","ts":1709750916.2905672,"msg":"/auth Error while retrieving user info after successful login at the OAuth provider: Post \"https://myOktaDomain.okta.com/oauth2/v1/token\": net/http: TLS handshake timeout"}
{"level":"debug","ts":1709750916.2905893,"msg":"domain myserver.domain.co matched array value at [0]=domain.co"}
{"level":"debug","ts":1709750916.2905939,"msg":"setting the cookie domain to myserver.domain.co"}
{"level":"debug","ts":1709750916.290604,"msg":"rendering error for user: 400 Bad Request"}
{"level":"debug","ts":1709750916.2906082,"msg":"CaptureWriter.Write set w.StatusCode 400"}
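The two failure modes discussed in this thread, the VouchSession cookie being scoped to a domain the browser will not send it back to, and vouch-proxy itself failing to reach the Okta token endpoint, can both be checked offline from captured artifacts. The helper below is an added example, not vouch-proxy's own code: it applies browser cookie domain matching to a Set-Cookie header and classifies warn-level lines in the JSON log format shown above. The sample log is constructed from the lines in this thread.

```python
import json
import re

# Constructed sample: the warn/debug lines quoted in this thread, plus the
# earlier "Invalid session state" warning, in vouch-proxy's JSON log format.
SAMPLE_LOG = r'''
{"level":"warn","ts":1709750800.1,"msg":"/auth Invalid session state: stored %!s(<nil>), returned XBb1V24PP6bP4fahuZy87GU6s4aZcZ8"}
{"level":"debug","ts":1709750896.2578976,"msg":"/auth/{state}/"}
{"level":"warn","ts":1709750916.2905672,"msg":"/auth Error while retrieving user info after successful login at the OAuth provider: Post \"https://myOktaDomain.okta.com/oauth2/v1/token\": net/http: TLS handshake timeout"}
{"level":"debug","ts":1709750916.2905939,"msg":"setting the cookie domain to myserver.domain.co"}
{"level":"debug","ts":1709750916.290604,"msg":"rendering error for user: 400 Bad Request"}
'''

# Go's net/http reports a failed outbound call as: <Method> "<url>": <error>
UPSTREAM_RE = re.compile(r'(?:Get|Post) "(?P<url>[^"]+)": (?P<err>.+)$')

def cookie_domain_matches(set_cookie: str, request_host: str) -> bool:
    """RFC 6265 domain matching: would the browser return this cookie to
    request_host? No Domain attribute = host-only, assumed set by request_host."""
    m = re.search(r';\s*Domain=([^;]+)', set_cookie, re.IGNORECASE)
    if not m:
        return True
    domain = m.group(1).strip().lstrip('.').lower()
    host = request_host.lower()
    return host == domain or host.endswith('.' + domain)

def triage_log(text: str) -> list:
    """Classify warn-level vouch-proxy log lines into the two failure modes
    seen in this thread. Returns a list of (cause, detail) tuples."""
    findings = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON lines mixed into the capture
        msg = rec.get('msg', '')
        if rec.get('level') != 'warn':
            continue
        if 'Invalid session state' in msg:
            # /auth found no stored state: the cookie set at /login was not
            # sent back, typically a Domain or Path mismatch.
            findings.append(('session-cookie-not-returned', msg))
        else:
            m = UPSTREAM_RE.search(msg)
            if m:
                # vouch-proxy itself could not reach the IdP's token endpoint,
                # e.g. a host behind an egress proxy the container does not use.
                findings.append(('idp-endpoint-unreachable', f"{m['url']}: {m['err']}"))
    return findings
```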

What have you tried? Are you able to 'curl' the user info URL?

I am able to curl the user_info_url from the host I'm on. I notice that I am going through a proxy server though, not sure if that would affect anything

I am using the docker image and have configured it to run with this service file:

[Unit]
Description=Vouch-Proxy container
After=docker.service
Wants=network-online.target docker.socket
Requires=docker.socket

[Service]
TimeoutStartSec=0
# docker run stays in the foreground, so the unit is Type=simple. The original
# file also set Type=forking above this; systemd takes the last Type= line.
Type=simple
Restart=always
RestartSec=10s
ExecStartPre=-/usr/bin/docker rm vouch-proxy-container
# --net=host makes -p 9091:9091 redundant (port mappings are ignored with host
# networking). The container does not inherit the host's environment, so on a
# host that reaches the internet through an egress proxy the proxy settings
# must be passed to the container explicitly.
ExecStart=-/usr/bin/docker run --rm --name vouch-proxy-container --net=host -p 9091:9091 -v /path/to/config/config:/config quay.io/vouch/vouch-proxy
ExecStop=-/usr/bin/docker stop vouch-proxy-container
NotifyAccess=all

[Install]
WantedBy=multi-user.target

going through a proxy server

that's documented in the README

solved it in my env by not using the vouch docker image. thanks for the help and support.