Can't associate Draw.io with Gitlab (both self-hosted)

[pi3rrot]

Hello,

I'm using the last version in date of Draw.io v24.7.5 with Gitlab 17.2.2-ce.0 from omnibus installer on Debian 12.
I can't grant access to Draw.io in my Gitlab instance.

I have read the manual and set the values like
https://github.com/jgraph/docker-drawio/blob/dev/self-contained/README.md#gitlab

I replace the value https://gitlab.com/oauth/token without oauth/token because it redirect like oauth/token/oauth/authentication

It's under a Nginx reverse-proxy, with CORS values like

Nginx reverse-proxy :

        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' https://gitlab.mydomain.fr; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline';";

js/PreConfig.js file :

window.DRAWIO_PUBLIC_BUILD = false;
window.EXPORT_URL = 'https://draw.mydomain.fr';
window.PLANT_URL = 'REPLACE_WITH_YOUR_PLANTUML_SERVER';

window.DRAWIO_BASE_URL = 'https://draw.mydomain.fr'; // Replace with path to base of deployment, e.g. https://www.example.com/folder
window.DRAWIO_VIEWER_URL = 'https://draw.mydomain.fr/js/viewer.min.js'; // Replace your path to the viewer js, e.g. https://www.example.com/js/viewer.min.js

window.DRAWIO_LIGHTBOX_URL = null; // Replace with your lightbox URL, eg. https://www.example.com
window.DRAW_MATH_URL = 'math/es5';
window.DRAWIO_CONFIG = null; // Replace with your custom draw.io configurations. For more details, https://www.drawio.com/doc/faq/configure-diagram-editor

window.DRAWIO_GITLAB_URL = 'https://gitlab.mydomain.fr';
window.DRAWIO_SERVER_URL = 'https://draw.mydomain.fr/';
window.DRAWIO_GITLAB_ID = '16cfb06db2nonothisisnotthegoodone6435bbd38';
window.DRAWIO_GITLAB_SECRET = 'gloas-yieghaej1athisisnothegoodonetooohteb6coh2Fah6coopohling3i';
window.DRAWIO_CSP_HEADER= 'default-src \'self\'; script-src \'self\' \'unsafe-inline\'; connect-src \'self\' https://gitlab.mydomain.fr; img-src * data:; media-src * data:; font-src * about:; style-src \'self\' \'unsafe-inline\';';

urlParams['sync'] = 'manual';

It give me an error HTTP 400 when I try to grant access.

[davidjgraph]

Which is bad request. How, precisely, is the requested formed?

[pi3rrot]

Sorry my miss, this is it. (values are fakes for the paste)

https://draw.mydomain.fr/gitlab?code=ohqu9joba6yeeki6thee3diet9kie6eiwae3chuz8Ahziathaew6Oosheebeeyij&state=cId%3Dohqu9joba6yeeki6thee3diet9kie6eiwae3chuz8Ahziathaew6Oosheebeeyij%26domain%3Ddraw.mydomain.fr%26token%3Dohqu9joba6yeeki6thee3diet9kie6eiwa

[archcat111]

After clicking 'Authorize' in GitLab, the page redirects (302) to the draw.io URL, but the same error occurs.

[elmagnificogi]

same issue to me

your PreConfig.js header is not right

you could see some like：
(function() {
try {
var s = document.createElement('meta');
s.setAttribute('content', 'src 'self'; script-src 'self' https://code.jquery.com 'unsafe-inline'; connect-src 'self' https://你的gitlab; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' https://你的gitlab;');
s.setAttribute('http-equiv', 'Content-Security-Policy');
var t = document.getElementsByTagName('meta')[0];
t.parentNode.insertBefore(s, t);
} catch (e) {} // ignore
})();

it's about CSP， you maybe use a wrong header.

you could use my header, it's ok

DRAWIO_CSP_HEADER=default-src 'self'; script-src 'self' https://code.jquery.com 'unsafe-inline'; connect-src 'self' http://MY_SERVER_URL; img-src * data:; media-src * data:; font-src * about:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src 'self' http://MY_SERVER_URL;