I configured it using the latest example, but when I try to reach https://vouch.mydomain.com/login /auth, I get a 400 response.
config.yaml
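# bare minimum to get vouch running with google
# NOTE(review): the paste had lost its indentation; the nesting below follows
# Vouch Proxy's vouch.* / oauth.* key layout. Confirm against the file on disk.
#testing: true
#logLevel: debug
vouch:
  #vouch.testing: true
  # debug level is what emits the "/login callback_url set to ..." and "/auth"
  # lines shown in the logs; return to the default level once the 400 is
  # understood, since debug output is far more verbose about each request.
  logLevel: debug
  # keep testing mode off outside of troubleshooting
  #testing: true
  domains:
    - mydomain.com
  cookie:
    # Secure flag: the browser sends the cookie over HTTPS only, so every
    # protected site has to be served over TLS (both server blocks are).
    secure: true
    # A cookie scoped to the parent domain is sent to every host under
    # mydomain.com, not only vouch. and splunk. Any other service on a
    # subdomain will receive it too.
    domain: mydomain.com
oauth:
  provider: google
  # get credentials from...
  # https://console.developers.google.com/apis/credentials
  # XXXX / XXXXX are redacted placeholders; keep the real client_secret out of
  # issue reports and version control.
  client_id: XXXX
  client_secret: XXXXX
  # /auth is the OAuth callback that the identity provider redirects back to.
  # The log shows Vouch answering 400 with "could not find state in query"
  # when /auth is requested without the `state` parameter issued by /login.
  # The URL listed here presumably has to match an authorized redirect URI
  # registered for this client_id. Verify in the Google console.
  callback_urls:
    - https://vouch.mydomain.com/auth
  preferredDomain: mydomain.com
  # endpoints set from https://godoc.org/golang.org/x/oauth2/google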
nginx.conf
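# Public TLS endpoint for Vouch Proxy itself; the logs show /login and /auth
# being served under this host name.
server {
    # Setting vouch behind SSL allows you to use the Secure flag for cookies.
    listen 443 ssl http2;
    server_name vouch.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/wildcard.mydomain.com-cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/wildcard.mydomain.com-privkey.pem;

    location / {
        # TLS terminates here; Vouch Proxy is reached over loopback on 9090.
        # NOTE(review): confirm Vouch Proxy listens on 127.0.0.1 only, so it
        # cannot be reached around this TLS front end.
        proxy_pass http://127.0.0.1:9090;
        # be sure to pass the original host header
        proxy_set_header Host $http_host;
    }
}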
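# Protected application: every request is authorized by an auth_request
# subrequest to Vouch Proxy before it is proxied to the backend.
server { #splunk
    listen 443 ssl http2;
    server_name splunk.mydomain.com;
    #root /var/www/html/;
    ssl_certificate /etc/letsencrypt/live/wildcard.mydomain.com-cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/wildcard.mydomain.com-privkey.pem;

    # send all requests to the `/validate` endpoint for authorization
    auth_request /validate;

    location = /validate {
        # forward the /validate request to Vouch Proxy
        proxy_pass http://127.0.0.1:9090/validate;
        # be sure to pass the original host header
        proxy_set_header Host $http_host;
        # Vouch Proxy only acts on the request headers
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        # these return values are used by the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # if validate returns `401 not authorized` then forward the request to the error401block
    error_page 401 = @error401;

    location @error401 {
        # redirect to Vouch Proxy for login
        # The url= value is assembled from the client-supplied Host header and
        # request URI. NOTE(review): confirm Vouch Proxy rejects url values
        # outside vouch.domains so this cannot act as an open redirect.
        # X-Vouch-Token carries whatever token value /validate returned; query
        # strings end up in access logs and browser history, so treat those
        # logs as sensitive.
        return 302 https://vouch.mydomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # proxy pass authorized requests to your service
    location / {
        # forward authorized requests to your service protectedapp.yourdomain.com
        # This hop is plain HTTP to another address. The backend should accept
        # connections on :8000 from this proxy only; a client that can reach
        # it directly skips auth_request and can supply X-Vouch-User itself.
        proxy_pass http://<ipaddress>:8000;
        # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
        # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
        # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
        # set user header (usually an email)
        # proxy_set_header replaces any X-Vouch-User sent by the client with
        # the value taken from the /validate response. The backend should
        # trust this header only on requests arriving from this proxy.
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
        # optionally pass any custom claims you are tracking
        # proxy_set_header X-Vouch-IdP-Claims-Groups $auth_resp_x_vouch_idp_claims_groups;
        # proxy_set_header X-Vouch-IdP-Claims-Given_Name $auth_resp_x_vouch_idp_claims_given_name;
        # optionally pass the accesstoken or idtoken
        # proxy_set_header X-Vouch-IdP-AccessToken $auth_resp_x_vouch_idp_accesstoken;
        # proxy_set_header X-Vouch-IdP-IdToken $auth_resp_x_vouch_idp_idtoken;
    }
}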
logs
`{"level":"debug","ts":1739350217.9365466,"msg":"/login callback_url set to https://vouch.mydomain.com/auth"}
{"level":"info","ts":1739350217.9366372,"msg":"|302| 282.953µs /login","statusCode":302,"request":6034,"latency":0.000282953,"avgLatency":0.000168353,"ipPort":"127.0.0.1:52312","method":"GET","host":"vouch.mydomain.com","path":"/login","referer":""}
{"level":"debug","ts":1739350472.9453218,"msg":"/auth"}
{"level":"warn","ts":1739350472.945402,"msg":"/auth: could not find state in query "}
{"level":"info","ts":1739350472.9455986,"msg":"|400| 228.47µs /auth","statusCode":400,"request":6721,"latency":0.00022847,"avgLatency":0.000253738,"ipPort":"127.0.0.1:48804","method":"GET","host":"vouch.mydomain.com","path":"/auth","referer":""}`
I would like to understand how to solve this.
The issue occurs when I try to log in again to one of my apps,
for example here:
`https://vouch.mydomain.com/login?url=https://splunk.mydomain.com$request_uri&vouch-failcount=&X-Vouch-Token=&error=`
Hi,
I am using the latest version of nginx + vouch.
I configured it using the latest example, but when I try to reach https://vouch.mydomain.com/login /auth, I get a 400 response.
config.yaml