Google Calendar redirect_uri_mismatch behind reverse proxy

[jeremyj]

Running calcom behind an nginx reverse proxy I get the following error when trying to add the Google Calendar integration:

Error 400: redirect_uri_mismatch
redirect_uri=http://<redacted>/api/integrations/googlecalendar/callback

Note the URI in http instead of https.
So it looks as though since calcom talks http with nginx it's sending an http callback to Google.

Any idea or suggestion on how to get this working?

Thanks

[krumware]

This seems environmental, but I'll do my best to help.
Are you doing edge termination of SSL?
Did you add an SSL endpoint into your acceptable callback URLs?
For example, this is how my generated GOOGLE_API_CREDENTIALS look

...
,"redirect_uris":["http://localhost:3000/api/integrations/googlecalendar/callback","https://cal.krum.io/api/integrations/googlecalendar/callback"],"javascript_origins":["https://cal.krum.io","http://localhost:3000"]}

just to clarify, it is configured that way for my local dev, as well as a deployed environment behind an nginx load balancer with SSL termination at nginx (also in kubernetes)

[jeremyj]

Hey @krumware,

Thanks for your answer.

Yes, I'm terminating SSL on nginx.
This my generated GOOGLE_API_CREDENTIAL:
... "redirect_uris":["https://<redacted>/api/integrations/googlecalendar/callback"] ...

I see there is no javascript_origins section, I don't remember seeing it mentioned in the docs. Should there be?

What I see from sniffing the traffic is that as soon the broswer calls GET /api/auth/session it receives a Set-Cookie response header with the correct value of next-auth.callback-url=https://<redacted>.
But when I go to add the calendar intergration and the browser calls POST /api/auth/callback/credentials? the app answers with an incorrect value Set-Cookie: next-auth.callback-url=http://<redacted>.

[krumware]

I'm not certain if the javascript_origins are necessary, it's been a minute since I generated them.
I have a hunch. What's your NEXT_PUBLIC_WEBAPP_URL? I know in the project there's something I've called out about the NEXT_AUTH_URL inheriting from the NEXT_PUBLIC_WEBAPP_URL, curious if this is a symptom

[jeremyj]

nope, it's correct:
NEXT_PUBLIC_WEBAPP_URL=https://

[krumware]

this sounds like something that would be an issue in core calcom/cal.com, unless it's configuration.
Just confirming, since configuration may be baked into some of the static site pages, you're building your own image with the configuration specified at build time, correct?

[jeremyj]

I have solved the issue though I'm not sure how 😄
It was either by rebuilding the image (I might have not rebuilt it after setting NEXT_PUBLIC_WEBAPP_URL) or by adding NEXTAUTH_URL then rebuilding.
I'll try to figure it out and post here to the benefit of anyone who might encounter the same problems I did 👍

[krumware]

It likely was that missing rebuild. Glad to hear that it's working, and thanks for the info!