Fix for Discord authentication invalid code in request error

[wildstoats]

Hello friends. Pouring through the open discussions it looks like many people are encountering Invalid "code" in request when attempting to use Discord authentication. I also encountered this and believe I have a solution.

TL;DR Version

Conditions

• You have SSL enabled.
• In the admin interface System -> SSL, Redirect HTTP requests to HTTPS is set to true
• In the admin interface Site -> General, the Site URL starts with http://

Steps to Resolve

• Change your Site URL from http://butt.holdings to the https://butt.holdings
• Restart the wiki server / service. If you're using Docker the command may be something like: docker restart wiki.
  • This is done to ensure the new site name takes effect. In my testing if I didn't restart the service I would get the error Invalid OAuth2 redirect_uri. YMMV.
• In the admin navigate to Modules -> Authentication -> Active Strategies -> Discord and confirm that the Configuration Reference section shows URLs that begin with https://
• Make sure to update your Discord OAuth2 redirect URL with the new value. See https://docs.requarks.io/auth/discord for details.
• Everything should work as expected now.

Caveats

• If HTTPS ever stops working on your site Discord auth will likely break. See the longer explanation of what's happening here for more details.
• An even easier fix would be to set all URLs to http:// and then disable Redirect HTTP requests to HTTPS but I HIGHLY recommend NOT doing this as it is insecure.

Longer Version

So why is this happening?

This screenshot shows a subset of the requests made during the Discord authentication process.

You'll notice that there's an HTTP 302 Found and then an HTTP 500 Internal Server Error. This is important. Let's dig into the redirect a bit.

What we see here is that Discord is making a login request on our behalf. It makes this request to http://butt.holdings/login/0037038c-a5ff-4bfa-9700-bf8efe19b260/callback?code=ZM62DtZwfY7yU1YaUBN9picTnWj2ID. Note that it includes the OAuth2 auth code.

However, we are configured to redirect HTTP requests to HTTPS since we want to be safe on the internet. So the server returns an HTTP 302 response telling our browser to make the same requests against the https:// URI scheme. This is where the problem arises.

For some reason the Location header in the HTTP 302 response is appending code again. So you'll see something like: https://butt.holdings/login/0037038c-a5ff-4bfa-9700-bf8efe19b260/callback?code=ZM62DtZwfY7yU1YaUBN9picTnWj2ID?code=ZM62DtZwfY7yU1YaUBN9picTnWj2ID. The callback endpoint can't handle this hence the invalid "code" in request error and subsequent inability to auth via Discord.

This is also why changing the site scheme to https:// allows Discord authentication to work properly. We aren't redirecting and munging up the request URL for the auth login callback endpoint.

What's to be done?

A more permanent upstream fix would be to change whatever is generating the HTTP 302 redirect to generate more well-formed URI query params. In this case ensuring that code isn't added twice and if there are multiple params to use & instead of two ?s.