Tags: php, apache, mod-rewrite, oauth-2.0, hybridauth

hybridauth 2.13.0 + Google authentication


I've been using hybridauth for social login on my website (PHP 7.0) for quite a few years.

I have now updated it to version 2.13.0 (latest stable at the moment).

I did manage to configure Facebook, Twitter and LinkedIn and make them work properly.

I'm stuck with Google. Here is the config:

"Google" => array(
    "enabled" => true,
    "keys" => array("id" => "$social_google_id", "secret" => "$social_google_secret"),
    "scope" => "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"
),

All is fine, but it looks like the redirect URL sent back by Google is being misinterpreted at server level, as I get the message:

Forbidden

You don't have permission to access /hybridauth/ on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

The URL string is: https://example.com/hybridauth/?hauth.done=Google&code=4/5QDkTNFvdiPkmQCct6m0bJ5Y_j0VjRSITw6EMn3NjyT6HPlrThx0iK5NrXkdxWnYoE0V_Y0ALV6iayHBuCb8Pk&scope=email+profile+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/userinfo.email

If I cut the final part to: https://example.com/hybridauth/?hauth.done=Google&code=4/5QDkTNFvdiPkmQCct6m0bJ5Y_j0VjRSITw6EMn3NjyT6HPlrThx0iK5NrXkdxWnYoE0V_Y0ALV6iayHBuCb8Pk&scope=email+profile

Then it works and I get the data from the user.

I tend to think it has to do with the slashes in the Google scope.

Any idea on how to sort it? Maybe a rewrite rule in .htaccess?

EDIT

I checked again and the offending part is ".profile".

In fact, if I specify ONLY the scope for email it works... The issue is that I also need the username... Any idea?

Here is the error_log from Apache:

[Sat Feb 02 08:26:31.790178 2019] [:error] [pid 4117:tid 47611986818816] [client 94.39.134.131:52882] [client 94.39.134.131] ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||example.com|F|2"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile"] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "example.com"] [uri "/hybridauth/"] [unique_id "BFVTJ0Unmh26fJ3XSeVQFeABAAE"], referer: https://accounts.google.it/accounts/SetSID
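The error_log line above already answers the question of which component returned the 403: it is ModSecurity (phase 2), not mod_rewrite or hybridauth, so no .htaccess rewrite rule will change the outcome. The added example below, which is not code from the question or from hybridauth, parses such a ModSecurity denial line into its `[key "value"]` fields and extracts the three things needed to handle it narrowly: the rule id, the exact variable it matched on, and the URI. The sample line is the one from the question, embedded as a constructed string; the function names are my own.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the ModSecurity denial line quoted in the question above.
SAMPLE_LOG = (
    '[Sat Feb 02 08:26:31.790178 2019] [:error] [pid 4117:tid 47611986818816] '
    '[client 94.39.134.131:52882] [client 94.39.134.131] ModSecurity: Access denied '
    'with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/08_Global_Other.conf"] '
    '[line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||example.com|F|2"] '
    '[data "Matched Data: .profile found within ARGS:scope: email profile '
    'https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile"] '
    '[severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "example.com"] [uri "/hybridauth/"] '
    '[unique_id "BFVTJ0Unmh26fJ3XSeVQFeABAAE"], referer: https://accounts.google.it/accounts/SetSID'
)

# One `[key "value"]` field; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The operator summary: which literal matched, and in which variable (e.g. ARGS:scope).
MATCH_RE = re.compile(r'Matched phrase "([^"]*)" at (\S+?)\.(?=\s|$)')
STATUS_RE = re.compile(r"Access denied with code (\d+)")


def parse_modsec_event(line: str) -> dict:
    """Turn one ModSecurity error_log line into a dict of its structured fields.

    Repeated keys (ModSecurity emits one [tag "..."] per tag) are collected
    into the "tags" list; every other key maps to its single value.
    """
    event: dict = {"tags": []}
    m = STATUS_RE.search(line)
    event["status"] = int(m.group(1)) if m else None
    m = MATCH_RE.search(line)
    if m:
        event["matched_phrase"] = m.group(1)
        event["variable"] = m.group(2)
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event


def narrowest_exclusion(event: dict) -> Optional[Tuple[str, str, str]]:
    """Return (rule_id, variable, uri) for a denial, or None if the line is not one.

    These three values are what a scoped WAF exception needs: exclude only
    this variable on this path for this rule, instead of disabling the rule
    for the whole server.
    """
    if event.get("status") != 403:
        return None
    if "id" not in event or "variable" not in event or "uri" not in event:
        return None
    return (event["id"], event["variable"], event["uri"])


if __name__ == "__main__":
    ev = parse_modsec_event(SAMPLE_LOG)
    print(ev["id"], ev["msg"])
    print("matched", repr(ev["matched_phrase"]), "in", ev["variable"], "on", ev["uri"])
    print("exclude:", narrowest_exclusion(ev))
```

Running it on the sample line reports rule 210580 matching `.profile` in `ARGS:scope` on `/hybridauth/`, which is the evidence to hand to whoever manages the WAF: the trigger is a Google scope URL in a single query parameter of a single callback path, so the exception can be kept that narrow.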


Solution

  • Ok, for anybody running into this issue, it's confirmed it's a server-side setup.

    I contacted my hosting provider and they confirmed the problem is a false positive:

    They said:

    "Block was related to WAF mod_security server side which can generate false positive. We excluded the rule which caused that behaviour"

    Once that was done, all worked properly.
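The hosting provider's fix was to exclude the rule. For anyone who administers their own Apache, the following is an added example of how such an exception can be kept narrow; it is not the provider's actual change. It assumes ModSecurity 2.x (where SecRuleUpdateTargetById and SecRuleRemoveById exist), takes the rule id 210580 and the callback path /hybridauth/ from the error_log line in the question, and leaves the rule in force for every other parameter and every other URL.

```apache
# Added example: exception scoped to the hybridauth OAuth callback only.
# Rule 210580 (COMODO WAF "OS File Access Attempt") keeps inspecting every
# other argument on this path and all arguments everywhere else; only the
# parameter that legitimately carries Google scope URLs is taken out of its view.
<LocationMatch "^/hybridauth/">
    SecRuleUpdateTargetById 210580 "!ARGS:scope"
</LocationMatch>

# Broader, less preferable alternative: switch the rule off for this path entirely.
# <LocationMatch "^/hybridauth/">
#     SecRuleRemoveById 210580
# </LocationMatch>
```

After reloading Apache, repeat the Google login and confirm that the error_log no longer shows `[id "210580"]` with `[uri "/hybridauth/"]`; if the vendor rule set is updated later and the rule id changes, the exception will need the same check again.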