SSL_connect error for oauth2 on heroku #5674

Closed
MattMSumner opened this issue Feb 2, 2018 · 3 comments


@MattMSumner

When setting up OAuth2 in a Crystal app I could get everything running locally, but upon deploying to Heroku the OAuth flow broke with:

SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (OpenSSL::SSL::Error)

We fixed this by copying the OAuth2 code and modifying it to accept an HTTP::Client instead of building one. Then we make ourselves a client that points to Heroku's SSL certs:

class GoogleAccessToken
  private getter client

  def initialize(@client : HTTP::Client)
  end

  def get_using_authorization_code(authorization_code)
    get_access_token do |form|
      form.add("redirect_uri", OAuthWebHook::Index.url)
      form.add("grant_type", "authorization_code")
      form.add("code", authorization_code)
    end
  end

  private def get_access_token
    body = HTTP::Params.build do |form|
      form.add("client_id", GoogleOAuth.settings.consumer_key)
      form.add("client_secret", GoogleOAuth.settings.consumer_secret)
      yield form
    end

    headers = HTTP::Headers{
      "Accept" => "application/json",
    }

    response = client.post(token_path, form: body, headers: headers)
    case response.status_code
    when 200, 201
      OAuth2::AccessToken.from_json(response.body)
    else
      raise OAuth2::Error.from_json(response.body)
    end
  end

  private def token_path
    GoogleOAuth::TOKEN_PATH
  end
end

And then we built a client like so:

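  private def client
    HTTP::Client.new(host: HOST, tls: context)
  end

  private def context
    # .insecure returns a context with verification off and no default CA
    # paths; peer verification is switched back on explicitly below.
    context = OpenSSL::SSL::Context::Client.insecure
    context.verify_mode = OpenSSL::SSL::VerifyMode::PEER
    setup_ssl_certificates(context)
    context
  end

  # Load every CA file matched by the configured glob into the trust store.
  private def setup_ssl_certificates(context)
    Dir.glob(settings.certs_glob).each do |file|
      context.ca_certificates = file
    end
  end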

So a possible solution could be to change OAuth2 to accept an optional HTTP::Client.
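A variant of the client setup above, as an added example that is not part of the original post or of Crystal's own code: it starts from a verifying context instead of `.insecure` and refuses to start when the CA glob matches nothing. The helper names `verified_tls_context` and `token_endpoint_client`, the host, and the glob path are assumptions made for illustration.

```crystal
require "http/client"
require "openssl"

# Hypothetical helper (not stdlib): a verifying TLS context that also trusts
# every CA file matched by certs_glob.
def verified_tls_context(certs_glob : String) : OpenSSL::SSL::Context::Client
  # Client.new starts with VerifyMode::PEER. Client.insecure starts with
  # VerifyMode::NONE, so dropping one line later would silently disable checks.
  context = OpenSSL::SSL::Context::Client.new

  files = Dir.glob(certs_glob).select { |path| File.file?(path) }
  # Fail at boot with a clear message rather than at the first token exchange.
  raise ArgumentError.new("no CA files matched #{certs_glob}") if files.empty?

  # Each assignment adds that file's certificates to the context's trust store.
  files.each { |path| context.ca_certificates = path }

  # Guard against a later edit turning verification off.
  unless context.verify_mode.includes?(OpenSSL::SSL::VerifyMode::PEER)
    raise "peer verification is not enabled on the TLS context"
  end
  context
end

# Hypothetical helper: the client that would be handed to the token exchange
# (for example GoogleAccessToken.new(client) from the post above).
def token_endpoint_client(host : String, certs_glob : String) : HTTP::Client
  HTTP::Client.new(host: host, tls: verified_tls_context(certs_glob))
end

# Constructed values: the host and glob below are placeholders, not Heroku's
# or Google's real settings. No connection is opened until a request is made.
begin
  client = token_endpoint_client("oauth.example.com", "/etc/ssl/certs/*.pem")
  puts "verifying client ready for #{client.host}"
rescue ex : ArgumentError
  abort "refusing to start: #{ex.message}"
end
```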

@MattMSumner
Author

Example app that works for me locally but not when deployed to Heroku: https://github.com/MattMSumner/google-oauth2-example

And here it is deployed https://google-oauth-example.herokuapp.com

@MattMSumner
Author

Possibly a duplicate of #5266

@RX14
Member

RX14 commented Feb 2, 2018

Definitely a duplicate of #5266.

@RX14 RX14 closed this as completed Feb 2, 2018