OAuth issues with gmail.com domain?

I set up several tests using the zrok frontdoor service (zrok.io) as follows:

  1. OAuth (google) settings: *@myworkemail.com
  2. OAuth (google) settings: mypersonalemail@gmail.com
  3. OAuth (github) settings: mypersonalemail@gmail.com

Number one worked without a hitch, and as a test my co-worker was able to sign in with their email and access the web service too. However the tests with my personal email consistently return the zrok "unauthorized" page. I'm guessing this is related to the use of the gmail.com domain or the lack of wildcard character?

Where could I look to more details or logs on this issue?


I tested successfully with my personal @gmail.com login. I suspect your browser may have state for multiple Google accounts. Do you get the same result with an incognito/private tab?

When it wasn't working, had you specified multiple patterns like this?

zrok reserve public --oauth-provider google --oauth-email-address-patterns my.personal.email@gmail.com --oauth-email-address-patterns my.other.personal.email@gmail.com

Or was it only a single pattern? I'm asking because if multiple patterns exist, they must be set with separate flags in the same command, not a comma-or-space-separated list.

I tried incognito, safari, chrome, clearing cookies, still unauthorized.

I'll look at the logs when I'm back with my computer to see the full zrok command, but I do know that I specified a string like so:
1: ZROK_OAUTH_EMAILS="*@myworkemail.com"
2/3: ZROK_OAUTH_EMAILS="mypersonalemail@gmail.com"
in zrok-share.env for frontdoor


1 Like

Cool, thank you. Are you running the zrok-share package version 0.4.26? In that latest version (link to release notes), I changed the command line to match the new flag --oauth-email-address-patterns introduced in zrok 0.4.25 that matches the pattern as a glob.

Before 0.4.25, zrok used the flag --oauth-email-domains and matched on trailing characters.

You can check the zrok controller version like this to see which form is expected by your zrok instance.

❯ curl -sf https://api.zrok.io/api/v1/version
"v0.4.26 [f1c9f11e]"

Hey, here is the command that the zrok-share package is running after reading my zrok-share.env:
zrok reserve public --json-output --unique-name pm4control --backend-mode proxy --oauth-provider github --oauth-email-address-patterns 'tristanryerparke@gmail.com'
Controller version is:
"v0.4.26 [f1c9f11e]"
I'm still getting the 'unauthorized' error on incognito and normal tabs.

I have a hypothesis, but it seems like a long shot. Maybe the canonical form of your GMail mailbox address has stop characters (period .)? I expected the normalized form to be stripped of periods and any suffix including the + character, but maybe your "real" GMail address has periods in it?

If so, that's the same form you must use in the email address pattern, even though GMail.com ignores . characters in the prefix@ for mailbox and Google Groups distro addresses.

Both tristanryerparke@gmail.com and tristan.ryer.parke@gmail.com are treated as aliases by GMail, but only the form that shows up in your Google account info will match the email address pattern.

For example, if my GMail mailbox name is "acmeboxen" and I set a pattern like --oauth-email-address-patterns acme.boxen@gmail.com then I'll unauthorized.

I'm having this same issue with frontdoor OAuth.

I've only tried using github as the OAuth provider, and I have not tried wildcarding anything, only an explicit email address. I am also using a gmail.com address. I only have one email address specified for ZROK_OAUTH_EMAILS, so I don't think it's an issue of multiple patterns or incorrectly separated patterns in the variable.

Like twisteddog, I also tried incognito, different browsers, clearing cookies, etc. and still see the Unauthorized splash page each time.

The canonical form of my email address doesn't have stop characters in it, only alpha characters.

My output for version is:

$ curl -sf https://api.zrok.io/api/v1/version
"v0.4.26 [f1c9f11e]"

I'm happy to dig into this to try and figure it out. Are there logs I can be providing that would be helpful?

One thing I just thought of is that I do have multiple emails associated with my github account, and the secondary email does have stop characters in it. My primary email does not though.

Welcome @craig-cogdill, and thanks for those details. I believe that GitHub's OAuth2 flow always uses the primary email address. Logging in with GitHub will only work if the allowed email address pattern in your zrok command matches the primary email on your GitHub.com account.

link to GitHub profile settings

❯ gh api graphql -f query='
query {
  user(login: "mygithubhandle") {

  "data": {
    "user": {
      "email": "my@primary.example.com"

@qrkourier Where could I look for logs related to my "unauthorized" issue?
I've switched to basic auth for the time being but would prefer to figure out why oauth is not working, and solve the problem.

I think you're trying to use GitHub Oauth with a zrok.io public share.

I suspect that you're logging in with an email address other than the primary email on your GitHub.com account.

Please check which one is marked "primary" in Sign in to GitHub · GitHub

Your public share backend won't show any logs unless Oauth succeeds. Those logs are emitted by the zrok frontend which is hosted by zrok.io in this case, if I understood correctly.