Geo proxying: secondaries cannot initiate SSO when using separate URLs
Linking accounts / logging in doesn't work when SSO is initiated on the secondary Geo site with separate URLs:
That is because we're proxying the sign-in request to the primary. So logging in on a secondary through SSO means:
- A `POST /users/auth/gitlab`
- Redirect to the SSO, with the `redirect_uri` generated by the primary, meaning the redirect URI is of the primary
- The primary receives the callback at `GET /users/auth/gitlab/callback?code=`, but there's no CSRF token in the session since it wasn't "initiated" through this session, but the session on the secondary, so it errors out.
A potential idea would be to bypass the proxy for `POST /users/auth/*` and require adding the secondary's URL to the SSO's allowed redirect URLs, but this needs more testing, since I'm not sure yet that'll be enough.
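The failure above comes down to cookies being per host: the session that stores the OAuth CSRF state is set on the secondary's domain, while the callback lands on the primary's domain. The simulation below is an added illustration, not GitLab or OmniAuth code; it assumes the CSRF check is an OAuth `state` value kept in the server-side session, uses constructed hostnames, and models both the proxied flow and the proposed bypass.

```ruby
require 'securerandom'

PRIMARY   = 'https://primary.example'   # constructed hostnames
SECONDARY = 'https://secondary.example'

# One browser: a separate session per host, since cookies do not cross domains.
def new_browser
  Hash.new { |h, host| h[host] = {} }
end

# Step 1: POST /users/auth/gitlab. `handler_host` is the site whose Rails app
# processes the request (and therefore builds redirect_uri); `cookie_host` is
# the domain the browser stores the resulting session cookie under.
def start_auth(browser, cookie_host:, handler_host:)
  state = SecureRandom.hex(8)
  browser[cookie_host]['omniauth.state'] = state        # CSRF token (assumed mechanism)
  { redirect_uri: "#{handler_host}/users/auth/gitlab/callback", state: state }
end

# Step 3: the SSO redirects the browser to redirect_uri?code=...&state=...
# The receiving host only sees the session cookie scoped to its own domain.
def callback(browser, redirect_uri:, state:)
  host = redirect_uri.sub(%r{/users/auth/gitlab/callback\z}, '')
  expected = browser[host].delete('omniauth.state')
  return :csrf_error if expected.nil? || expected != state

  :signed_in
end

# Logging in on the primary directly: cookie and callback share a domain.
def primary_login(browser = new_browser)
  callback(browser, **start_auth(browser, cookie_host: PRIMARY, handler_host: PRIMARY))
end

# Geo-proxied login on the secondary: the primary handles the POST, so the
# redirect_uri is the primary's, but the cookie lands on the secondary's domain.
def proxied_login(browser = new_browser)
  callback(browser, **start_auth(browser, cookie_host: SECONDARY, handler_host: PRIMARY))
end

# Proposed idea: the secondary handles POST /users/auth/* itself, so cookie and
# redirect_uri both belong to the secondary (which the SSO must then allow).
def bypassed_login(browser = new_browser)
  callback(browser, **start_auth(browser, cookie_host: SECONDARY, handler_host: SECONDARY))
end
```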