Missing csrf cookie? Cname is proxied and my callback oauth google doesnt work anymore

Hello,

I use cloudflare for all my (sub) websites (so I proxy all cnames) and recently the callback route doesn’t seem to work anymore. The message is unauthorized.
As soon as I disable the proxy from the subwebsite/cname it seems to work again…and I get authorized and see the subwebsites content.

Maybe something is being blocked at cloudflare side? like this url? googleapis. com or googleusercontent. com?

What I’m trying to do (what my setup looks like): subwebsite. domain.com -> google oauth login <approved-rejected?> -> access to subwebsite. If the google oauth was not succesful it will show me unauthorized. When it is succesful it should show me the website’s content.

the log at that time is:

> time="2020-11-27T07:59:25Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_646464=64646471efae9e46ce1f0404ad8eaf82; Path=/; Domain=MYDOMAIN.COM; Expires=Fri, 27 Nov 2020 08:59:25 GMT; HttpOnly; Secure" hand
> ler=Auth host=DOMAIN.COM login_url="https:// accounts.google.com/o/oauth2/auth?client_id=XXX method=GET proto=https rule=default source_ip="XXX, XXX" uri=/                                                                                                                                                                                                            
> time="2020-11-27T07:59:28Z" level=debug msg="Handling callback" cookies="[__cfduid=dc566c5ac7026147b1c1c772a619627221606467549]" handler=AuthCallback host=oauth.MYDOMAIN.COM method=GET proto=https rule=default source_ip="XXX, XXX" uri="/_oauth?state=XXX"                                                                                                                                                                 
> time="2020-11-27T07:59:28Z" level=info msg="Missing csrf cookie" handler=AuthCallback host=oauth. MYDOMAIN.COM method=GET proto=https rule=default source_ip="XXX, XXX" uri="/_oauth?state=XXX"                                                                                                                                                                                                                                 
> time="2020-11-27T07:59:28Z" level=debug msg="Authenticating request" cookies="[__cfduid=dc566c5ac7026147b1c1c772a619627221606467549]" handler=Auth host=oauth. MYDOMAIN.COM method=GET proto=https rule=default source_ip="XXX, XXX" uri=/favicon.ico                                                                                                                                                                                                                                      
> time="2020-11-27T07:59:28Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_d04946=d049465b89c4243000cc1b01c6026c89; Path=/; Domain=MYDOMAIN.COM; Expires=Fri, 27 Nov 2020 08:59:28 GMT; HttpOnly; Secure" hand
> ler=Auth host=oauth.MYDOMAIN.COM login_url="https:// accounts.google.com/o/oauth2/auth?client_id=XXX" method=GET proto=https rule=default source_ip
> ="XXX, XXX" uri=/favicon.ico

I blanked all ip addresses.
maybe this has to do with that message “Missing csrf cookie”

thank you in advance

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.