Self-managed - Grist/Google SAML/Traefik: need help with setup

Hi there guys, how are you doing? I was able to set up Grist behind a Traefik server with Google auth. The page opens and redirects to Google; I log in on Google, and the authorization apparently gets to Grist, but it simply doesn't log on. I tried with a regular session and now I'm doing it with Redis, but still nothing. I got tired of smashing my brains, so I decided to ask for your help.

Here is my log:

```
2024-09-30 12:31:02.799 - debug: Auth[GET]: grist.mydomain.com /session/access/all customHostSession=, method=GET, host=grist.mydomain.com, path=/session/access/all, org=docs, email=anon@getgrist.com, userId=1, altSessionId=nQpevA8Z8kPY4gqiCuQWGG
2024-09-30 12:31:03.023 - debug: Auth[GET]: grist.mydomain.com /orgs/0/workspaces customHostSession=, method=GET, host=grist.mydomain.com, path=/orgs/0/workspaces, org=docs, email=anon@getgrist.com, userId=1, altSessionId=r2f7xuB2NwAR4WFWvK3x7R
2024-09-30 12:31:32.069 - info: SamlConfig: got SAML response for myemail@myseconddomain.biz (Alexandre Leitão) redirecting to https://grist.mydomain.com/
2024-09-30 12:31:32.071 - error: ScopedSession[g-2d274f802a90e4a1128489a131f7472ba8c33dcde8db582726daeefa2c70445a]: Error updating sessionStore: Error: failed to load session
2024-09-30 12:31:32.120 - debug: Auth[GET]: grist.mydomain.com / customHostSession=, method=GET, host=grist.mydomain.com, path=/, org=docs, email=anon@getgrist.com, userId=1, altSessionId=ox48NsThtR5DNX3CfbuuZ5
2024-09-30 12:31:32.550 - debug: Auth[GET]: grist.mydomain.com /session/access/active customHostSession=, method=GET, host=grist.mydomain.com, path=/session/access/active, org=docs, email=anon@getgrist.com, userId=1, altSessionId=o39xTnETBwFN96iEkgbn17
```

And here is my compose file. I anonymized all the addresses, but I double-checked all of them. Redis is accessible and everything seems to be fine, apart from not loading the session and probably not creating a cookie.

```yaml
version: '3'

services:
  grist:
    container_name: grist
    image: gristlabs/grist:latest
    networks:
      - traefik-stack_default
    restart: unless-stopped
    environment:
      - PGID=1000
      - PUID=1000
      - DEBUG=1
      - PORT=8485
      - GRIST_BOOT_KEY=notrealkey
      - APP_DOC_INTERNAL_URL=https://grist.mydomain.com
      - APP_DOC_URL=https://grist.mydomain.com
      - APP_HOME_URL=https://grist.mydomain.com
      - GRIST_SINGLE_ORG=docs
      - GRIST_ORG_IN_PATH=false
      - GRIST_SAML_IDP_SKIP_SLO=true
      - GRIST_SAML_SP_HOST=https://grist.mydomain.com
      - GRIST_SAML_IDP_UNENCRYPTED=true
      - GRIST_SAML_IDP_LOGIN=https://accounts.google.com/o/saml2/idp?idpid=notrealkey
      - GRIST_SAML_IDP_LOGOUT=https://grist.mydomain.com
      - GRIST_SAML_IDP_CERTS=/google/Google_2029-9-29-3912_SAML2_0.pem
      - GRIST_SAML_SP_KEY=/google/file_private_key.key
      - GRIST_SAML_SP_CERT=/google/certificate.crt
      - GRIST_DOMAIN=https://grist.mydomain.com
      - GRIST_SESSION_SECRET=notrealkey
      - GRIST_SESSION_COOKIE_DOMAIN=grist.mydomain.com
      - ALLOWED_ORIGINS=https://grist.mydomain.com
      - GRIST_FORCE_SECURE_COOKIES=true
      - HTTPS=true
      - REDIS_URL=redis://redis:6379
    ports:
      - "8485:8485"  # Port mapping for testing purposes in case Traefik has issues
    volumes:
      - /mnt/storage/grist/data:/persist
      - /mnt/storage/grist/google:/google # certificates are here
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.grist-rtr.entrypoints=websecure"
      - "traefik.http.routers.grist-rtr.rule=Host(\"grist.homelab.mydomain.com\") || Host(\"grist.mydomain.com\")"
      - "traefik.http.routers.grist-rtr.tls=true"
      - "traefik.http.routers.grist-rtr.tls.certresolver=production"
      ## HTTP Services
      - "traefik.http.routers.grist-rtr.service=grist-svc"
      - "traefik.http.services.grist-svc.loadbalancer.server.port=8485"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.grist-rtr.middlewares=https-redirect"

networks:
  traefik-stack_default:
    external: true
```

And finally, this is how my cookie window looks when I log in:
![image|690x233](upload://cp05PTXhGJR2iv8SpnV5PPko6QE.png)

It does look like the issue is related to cookies. Looks like you intended to attach a file to show some details of cookies, but it didn’t work?

The cookie is empty; that's why I didn't attach it.

The problem is why… it's going to Google… it is authenticating… Google is sending me back to the /assert page… but I can't get in.

For one, this post shares a setup that works: A template for self-hosting Grist with traefik and docker compose - #25 by yala1

The network and traefik configuration seem the most relevant, given your symptoms.

For debugging, I would suggest looking at the Network tab of the console, and logging in again. When examining the requests and responses, I’d expect the first visit to Grist to set a session cookie (grist_sid) in the response, then after redirection, the browser should send this cookie back to Grist in the request.

BTW, I am not familiar with the GRIST_FORCE_SECURE_COOKIES variable – I am not sure it's a thing.
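The Network-tab check described in the reply above can also be scripted. The following is an added example, not code from this thread or from the Grist project: it fetches the first response from a Grist instance without following redirects, then reports the reasons a browser would refuse to store the `grist_sid` session cookie or refuse to send it back on the IdP's cross-site POST to `/assert`. The cookie name `grist_sid` is taken from the reply; the hostnames, the `Set-Cookie` values in the comments and the function names are constructed for the example.

```python
"""Added example (not Grist project code): inspect the Set-Cookie headers on the
first response from a Grist instance and report why a browser would drop, or
fail to send back, the grist_sid session cookie.  Hostnames are placeholders."""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

SESSION_COOKIE = "grist_sid"  # Grist's session cookie name, as given in the reply


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def domain_covers(cookie_domain, host):
    """RFC 6265 domain matching: the host equals the cookie domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def session_cookie_problems(set_cookie_headers, page_url):
    """Return the reasons the session cookie would not survive the SAML login round trip.
    page_url is the URL the *browser* used (https via Traefik, or http://host:8485 when
    bypassing it), because the Secure attribute is judged against that scheme."""
    url = urlparse(page_url)
    host, scheme = url.hostname, url.scheme
    problems = []
    found = False
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != SESSION_COOKIE:
            continue
        found = True
        domain = attrs.get("domain", "")
        # e.g. GRIST_SESSION_COOKIE_DOMAIN=homelab.mydomain.com while browsing grist.mydomain.com
        if domain and not domain_covers(domain, host):
            problems.append(f"Domain={domain} does not cover {host}: browser rejects the cookie")
        # Secure cookies are discarded when the page itself was loaded over plain http
        if "secure" in attrs and scheme != "https":
            problems.append("Secure is set but the page was loaded over http: browser drops the cookie")
        # The SAML response arrives as a cross-site POST from the IdP; browsers do not
        # attach Strict or explicitly Lax cookies to such a request, so /assert sees no session
        samesite = attrs.get("samesite", "").lower()
        if samesite in ("strict", "lax"):
            problems.append(f"SameSite={samesite}: the IdP's cross-site POST to /assert will not carry it")
        if not value:
            problems.append("empty value: this is a cookie deletion, not a new session")
    if not found:
        problems.append(f"no {SESSION_COOKIE} cookie in the response at all")
    return problems


def fetch_set_cookie(page_url):
    """GET the page once, without following redirects, and return its raw Set-Cookie headers."""
    url = urlparse(page_url)
    conn_cls = HTTPSConnection if url.scheme == "https" else HTTPConnection
    conn = conn_cls(url.hostname, url.port)
    conn.request("GET", url.path or "/", headers={"Host": url.hostname})
    resp = conn.getresponse()
    return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Constructed sample: what a correct first response for this setup should look like.
    sample = ["grist_sid=s%3Aabc.sig; Path=/; Domain=grist.mydomain.com; HttpOnly; Secure"]
    print(session_cookie_problems(sample, "https://grist.mydomain.com/"))
    # Live check (network): uncomment and point at the real instance.
    # print(session_cookie_problems(fetch_set_cookie("https://grist.mydomain.com/"),
    #                               "https://grist.mydomain.com/"))
```

Run the live variant once through Traefik and once directly against port 8485; if the direct request sets `grist_sid` but the request through Traefik does not, the problem is in the proxy layer rather than in Grist's session store. Also compare the `Domain` attribute it reports with `GRIST_SESSION_COOKIE_DOMAIN` and with the host you actually typed into the browser (the Traefik rule above routes two different hostnames to the same container).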