Unable to log in with Slack OAuth


#1

I just installed Phabricator on an Ubuntu server, and I configured Slack as the only auth provider as everyone in our organization uses Slack, and I don’t want everyone to manage a separate account.

Unfortunately when clicking the Slack log in button, nothing happens. Opening the console and clicking the button reveals the problem, but I don’t know how to fix it, if it’s a code bug or a config/install bug.

Refused to send form data to ‘https://myorganization.slack.com/’ because it violates the following Content Security Policy directive: “form-action ‘self’ https://slack.com”.

This is keeping me from rolling this out to my teams, so I’d really like to figure something out to fix it.


#2

I was able to pull the headers from that page, and it looks like form-action does show https://slack.com (which matches the error message) but it needs to be listed as https://myorganization.slack.com instead.

Is this CSP domain set using a config setting I can adjust, or is it hardcoded on this page?


#3

Probably: add something like this to PhabricatorSlackAuthProvider:

  // Extra hosts the login page's CSP form-action directive should permit,
  // in addition to the ones already emitted ('self' and https://slack.com).
  protected function getContentSecurityPolicyFormActions() {
    return array('https://myorganization.slack.com');
  }

An upstream version of this patch needs significantly more work since we don’t know what myorganization is today.

A workaround is “use any browser except Chrome”, or “convince Chrome to change how it applies CSP to form POSTs which redirect”. See:

https://secure.phabricator.com/T13099#236875
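To make the mechanism in the reply above concrete, here is an added example (not code from this thread or from Phabricator) that applies simplified CSP3 source-expression matching to a form-action directive. The page origin https://phab.example.test and the two policy strings are constructed for the example; the matching rules ('self', scheme-source, host-source with an optional `*.` wildcard, port and path prefix) follow the CSP3 algorithm but omit some corner cases such as IPv6 hosts. The last function models the Chrome behaviour the reply describes: every URL in a POST redirect chain is checked against form-action, so an exact `https://slack.com` entry does not cover the workspace host the OAuth flow redirects to, while an explicit entry (or a `*.slack.com` wildcard) does.

```python
from urllib.parse import urlsplit

# Constructed sample policies (not copied from a real Phabricator install).
ORIGINAL_CSP = "default-src 'self'; form-action 'self' https://slack.com"
FIXED_CSP = ("default-src 'self'; "
             "form-action 'self' https://slack.com https://myorganization.slack.com")
PAGE_ORIGIN = "https://phab.example.test"   # constructed origin of the login page

_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """Host-source matching: exact host, '*', or '*.example' (strict subdomains)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # '*.slack.com' does not match 'slack.com'
    return pattern == host


def source_matches(source, url, page_origin):
    """Does one CSP source expression permit `url`? (simplified CSP3 rules)"""
    target = urlsplit(url)
    if source == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source == "'none'":
        return False
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return target.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    host, _, port = src.netloc.partition(":")
    if not _host_matches(host, target.hostname or ""):
        return False
    if port and port != "*":
        effective = target.port or _DEFAULT_PORTS.get(target.scheme)
        if str(effective) != port:
            return False
    if src.path and src.path != "/" and not target.path.startswith(src.path):
        return False
    return True


def form_action_allowed(header, page_origin, url):
    """True if the policy's form-action directive permits submitting to `url`."""
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return True        # form-action has no fallback to default-src
    return any(source_matches(s, url, page_origin) for s in sources)


def first_blocked_in_chain(header, page_origin, chain):
    """Model of Chrome's behaviour: every hop of a form POST redirect chain must
    satisfy form-action. Returns the first URL that is refused, or None."""
    for url in chain:
        if not form_action_allowed(header, page_origin, url):
            return url
    return None


if __name__ == "__main__":
    # Constructed redirect chain: the OAuth POST to slack.com redirects to the workspace host.
    chain = ["https://slack.com/oauth/authorize", "https://myorganization.slack.com/"]
    print("original policy blocks:", first_blocked_in_chain(ORIGINAL_CSP, PAGE_ORIGIN, chain))
    print("fixed policy blocks:   ", first_blocked_in_chain(FIXED_CSP, PAGE_ORIGIN, chain))
```

Running it shows the original policy refusing the second hop, which is exactly the console error in the first post, while the fixed policy lets the whole chain through; swapping `https://myorganization.slack.com` for `https://*.slack.com` would also pass, at the cost of trusting every Slack workspace host.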


#4

Interesting. So basically we’ll need to add another config field to the Slack Auth provider that asks for the Slack domain, so we can add it dynamically to fix the issue.

FWIW Safari has this same behavior now as well, so it may be becoming a more common issue very soon.