Google Oauth Connection Time Out

#1

Maybe simple question, but I’m lost.

I’ve got a domain (Domain.X) that Grafana is installed on (DigitalOcean Droplet). I’m trying to allow our main domain users to sign up and log in using their G Suite account, which is on another domain (Domain.Y). I’ve got everything just about working: the button shows up, you can click on it and choose your account, but when it tries to redirect back to Domain.X it times out and gives ‘ERR_CONNECTION_TIMED_OUT’.

I’ve got the following ufw rules:

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
2222/tcp (v6)              ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
3000/tcp (v6)              ALLOW       Anywhere (v6)

The Grafana Server is active (running) without any errors.

This is how I’ve got my grafana.ini:

[server]
# Protocol (http, https, socket)
;protocol = https

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port  to use
;http_port = 3000

# The public facing domain name used to access grafana from a browser
;domain = localhost

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://www.Domain.X:3000

# Log web requests
;router_logging = false

# the path relative working path
;static_root_path = public

[auth.google]
enabled = true
allow_sign_up = true
client_id = CLIENT_ID
client_secret = CLIENT_SECRET
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
;allowed_domains = Domain.X www.Domain.X

I’ve also got the OAuth setup as follows:

Authorized JavaScript origins: 
https://www.Domain.X
https://Domain.X
https://www.Domain.X:3000
https://Domain.X:3000

Authorized redirect URIs: 
https://www.Domain.X/login/google
https://Domain.X/login/google
https://www.Domain.X:3000/login/google
https://Domain.X:3000/login/google

The OAuth consent screen is set up as follows:

Application type: Internal
Authorized Domains: Domain.X, Domain.Y
Application Homepage link: https://www.Domain.X/login

I’ve even added both the G Suite domain and the Grafana domain to the Domain verification within OAuth. I can log into it with the admin account. I just can’t log into it with any G Suite account. Is there something I’m missing?

#2

Never mind, literally just figured it out by removing the port from the root_url.
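
An added example, not part of the original posts and not Grafana's own code: a Python check that derives the Google callback URL from root_url and flags the mismatch visible in the posted config, where the callback names port 3000 over https while protocol is left commented out. It assumes Grafana builds the callback as root_url + /login/google (matching the redirect URIs listed in the thread) and defaults to protocol = http and http_port = 3000; the function name and sample strings are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the [server] settings quoted in the thread, trimmed.
THREAD_INI = """
[server]
;protocol = https
;http_port = 3000
root_url = https://www.Domain.X:3000
"""

# Authorized redirect URIs as listed in the thread.
AUTHORIZED = {
    "https://www.Domain.X/login/google",
    "https://Domain.X/login/google",
    "https://www.Domain.X:3000/login/google",
    "https://Domain.X:3000/login/google",
}


def check_google_callback(ini_text, authorized):
    """Return (callback_url, findings) for the Google OAuth redirect."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    server = cfg["server"]
    # Commented-out keys fall back to Grafana's defaults (assumed: http, 3000).
    protocol = server.get("protocol", fallback="http")
    listen_port = server.getint("http_port", fallback=3000)

    callback = server["root_url"].rstrip("/") + "/login/google"
    url = urlsplit(callback)
    port = url.port or DEFAULT_PORTS[url.scheme]

    findings = []
    if callback not in authorized:
        findings.append("not an authorized redirect URI: " + callback)
    # A callback that names Grafana's own port bypasses any reverse proxy,
    # so Grafana itself must speak the scheme the browser will use.
    if port == listen_port and url.scheme != protocol:
        findings.append("callback is %s on port %d, but Grafana serves %s there"
                        % (url.scheme, port, protocol))
    return callback, findings


if __name__ == "__main__":
    for ini in (THREAD_INI, THREAD_INI.replace(":3000", "")):
        print(check_google_callback(ini, AUTHORIZED))
```

With the port removed from root_url, as in the reply above, the callback resolves to the default https port and the check returns no findings.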