Skip to article frontmatterSkip to article content
Site not loading correctly?

This may be due to an incorrect BASE_URL configuration. See the MyST Documentation for reference.

Earthscope GeoLab Login Failure due to mismatched redirect URL

FieldValue
Impact TimeApr 6 at 08:30 to Apr 6 at 23:36
Duration15h 6m 11s

Overview

The earthscope community reported total login failures on their hub via our support system: https://2i2c.freshdesk.com/a/tickets/5413. This was fixed by explicitly setting oauth redirect config instead of relying on guessing via HTTP headers: 2i2c-org/infrastructure#8053

Resolution

Where We Got Lucky

  1. An engineer in the US timezone was available

  2. The community found the issue and escalated it before they had a workshop

What Went Well

  1. Our phased rollout means we have been able to handle issues one at a time as they come, instead of being overwhelmed with them in one go

What Didn’t Go So Well

  1. The community spotted the issue, and our automation did not catch this at all.

Action Items

Timeline

TimeEvent
8:16AM2i2c-org/infrastructure#8049 was merged Migrates from ingress-nginx to nginx-ingress, as part of a phased rollout
10:30PMhttps://2i2c.freshdesk.com/a/tickets/5413 arrives, with earthscope reporting login failures to us
10:52PMIncident acknowledged and investigated
11:03PM2i2c-org/infrastructure#8053 is deployed manually, fixing the issue OAuthenticator is guessing the callback URL, and we suspect tornado can’t quite get it right with nginx-ingress. Explicitly setting the callback URL fixed the issue for GeoLab, and we verified that no other hub using OAuth is relying on the guessing behavior
11:06PMTriggered by Yuvi Panda through the website. Description: Earthscope GeoLab Login Failures (View Message) INCIDENT #2080 Earthscope GeoLab Login Failures
11:36PMResolved by Yuvi Panda through the website. INCIDENT #2080 Earthscope GeoLab Login Failures

Apr 7, 2026

TimeEvent
12:00 AMnginx-ingress only sets X-Forwarded-Proto, while ingress-nginx set X-Forwarded-Proto and X-Scheme We compare logs from a past hub that was on ingress-nginx and the earthscope hub, obtainable by triggering any error on the hub. We notice that nginx-ingress sets both XScheme and X-Forwarded-Proto, while ingress-nginx only sets X-Forwarded-Proto. However, X-Forwarded-Proto is appended to by every hop, and so by the time it reaches the hub, its value is https,http - it’s appended to by configurable-http-proxy, using this code https://github.com/http-party/node-http-proxy/blob/9b96cd725127a024dabebec6c7ea8c807272223d/lib/http-proxy/passes/webincoming.js#L78. configurable-http-proxy did not do this for X-Scheme, so it passed through unchanged. Tornado prefers X-Scheme over X-Forwarded-Proto (https://github.com/tornadoweb/) tornado/blob/0ca3c5f8279d402b245718d16522bc18a8f5d958/tornado/ httpserver.py#L352) so guessing the URL worked fine when X-Scheme was set to https. But when X-Scheme isn’t set, and X-Forwarded-Proto is https,http, tornado interprets that as http (tornado/httpserver.py). This breaks the guessing.
Incident reports
Unable to provision new TLS certificates across 2i2c hubs
Incident reports
TLS certificates expired for two 2i2c hubs