Metabase working with curl but not from frontend

Hi everyone,
We are running Metabase on two of our Kubernetes clusters: Staging and Prod.
On staging everything works. When I call Metabase from the pod shell I get:

curl -v http://metabase.metabase/auth/sso?token=true&jwt=<secret_removed_1>
/ # * Host metabase.metabase:80 was resolved.
* IPv6: (none)
* IPv4: 10.4.42.9
*   Trying 10.4.42.9:80...
* Connected to metabase.metabase (10.4.42.9) port 80
* using HTTP/1.x
> GET /auth/sso?token=true HTTP/1.1
> Host: metabase.metabase
> User-Agent: curl/8.12.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 302 Found
< Date: Fri, 11 Apr 2025 13:45:41 GMT
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Last-Modified: Fri, 11 Apr 2025 13:45:41 GMT
< Location: https://studio.deepopinion.ai/
< Strict-Transport-Security: max-age=31536000
< Set-Cookie: metabase.DEVICE=423f9c96-4482-4add-8f14-2d792e476699; HttpOnly; Path=/; Expires=Tue, 11 Apr 2045 13:45:41 GMT; SameSite=Lax
< X-Permitted-Cross-Domain-Policies: none
< Cache-Control: max-age=0, no-cache, must-revalidate, proxy-revalidate
< X-Content-Type-Options: nosniff
< Content-Security-Policy: font-src *; script-src 'self' https://maps.google.com https://accounts.google.com    'sha256-9uFLu5CG8mWlvx0LK6lgendCxUX57TuWk3wkgZpBeWU=' 'sha256-isH538cVBUY8IMlGYGbWtBwr+cGqkc4mN6nLcA7lUjE=' 'sha256-3N2Z+Nu++/yNMVHIl863JigVmt2Nr9gt2doEMJT2Wzk='; style-src 'self' 'nonce-pPkxNAYvMw'   https://accounts.google.com; manifest-src 'self'; connect-src 'self' https://accounts.google.com metabase.us10.list-manage.com   ; img-src * 'self' data:; frame-src 'self' youtube.com *.youtube.com youtu.be *.youtu.be loom.com *.loom.com vimeo.com *.vimeo.com docs.google.com calendar.google.com airtable.com *.airtable.com typeform.com *.typeform.com canva.com *.canva.com codepen.io *.codepen.io figma.com *.figma.com grafana.com *.grafana.com miro.com *.miro.com excalidraw.com *.excalidraw.com notion.com *.notion.com atlassian.com *.atlassian.com trello.com *.trello.com asana.com *.asana.com gist.github.com linkedin.com *.linkedin.com twitter.com *.twitter.com x.com *.x.com; default-src 'none'; child-src 'self' https://accounts.google.com;  frame-ancestors 'none';
< Expires: Tue, 03 Jul 2001 06:00:00 GMT
< Transfer-Encoding: chunked
< Server: Jetty(11.0.24)
< 
* Connection #0 to host metabase.metabase left intact

Which looks fine to me, but when I call it from the frontend I get this huge error:

There was an error: The authProviderUri endpoint must return an object with the shape {id:string, exp:number, iat:number, status:string}, got "<!doctype html><html><head><link rel=\"icon\" href=\"/favicon.png\"/><title>DeepOpinion Studio</title>[... rest of the HTML page (inline CSS and script tags) omitted ...]</html>" instead

This is the way we call the Metabase endpoint in TypeScript:

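  import jwt from "jsonwebtoken"

  // Sign a short-lived JWT for the Metabase account with the shared secret
  const token = jwt.sign(
    {
      email: process.env.METABASE_ACCOUNT_EMAIL,
      exp: Math.round(Date.now() / 1000) + 60 * 10, // 10 minutes expiration
    },
    process.env.METABASE_JWT_SHARED_SECRET || ""
  )

  // SSO endpoint URL; token=true asks for a session token response
  const ssoUrl = `${process.env.METABASE_INSTANCE_URL}/auth/sso?token=true&jwt=${token}`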

The envs are:

METABASE_JWT_SHARED_SECRET=<secret_removed_1>
METABASE_INSTANCE_URL=http://metabase.metabase

I've tried to change the SITE URL but nothing changes.

Sign in with Google: Active
JWT: Active

What are we doing wrong? I honestly don't know where to look anymore.

Any ideas please?

You're doing a 302 there... check the error, it's going to a website.

I've tried to unset SITE_URL and set it to a different one, same error. And I don't think 302 is an error, it redirects to SITE URL I think.
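
A triage helper for the symptom in this thread, added here as an example (not code from the posters or from Metabase; all function names are hypothetical). It checks which query parameters a `curl -v` request line really carried, since the trace in the first post shows only `token=true`, and classifies one response fetched with redirects disabled against the `{id, exp, iat, status}` shape quoted in the error message.

```typescript
// Added example, not code from the thread. Names below are hypothetical.
type SsoSession = { id: string; exp: number; iat: number; status: string };
type Probe = { status: number; location?: string; contentType?: string; body: string };
type Verdict = { ok: true; session: SsoSession } | { ok: false; reason: string };

// Request line copied from the curl trace in the post.
const TRACE_REQUEST_LINE = "> GET /auth/sso?token=true HTTP/1.1";

// Query parameter names that really went out in a `curl -v` request line.
function sentParams(requestLine: string): string[] {
  const target = requestLine.replace(/^>\s*/, "").split(" ")[1] ?? "";
  const q = target.indexOf("?");
  const query = q >= 0 ? target.slice(q + 1) : "";
  return query.split("&").filter((p) => p.length > 0).map((p) => p.split("=")[0] ?? "");
}

// Fail closed on a missing secret instead of signing with "".
function requireSecret(value: string | undefined): string {
  if (!value) throw new Error("METABASE_JWT_SHARED_SECRET is not set");
  return value;
}

// Classify one response fetched WITHOUT following redirects.
function classifySsoResponse(p: Probe): Verdict {
  if (p.status >= 300 && p.status < 400) {
    return { ok: false, reason: "redirect to " + (p.location ?? "unknown") + ", no session JSON" };
  }
  if ((p.contentType ?? "").indexOf("json") < 0) {
    return { ok: false, reason: "expected JSON, got " + (p.contentType ?? "no content type") };
  }
  let data: unknown;
  try {
    data = JSON.parse(p.body);
  } catch {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (typeof data !== "object" || data === null) return { ok: false, reason: "body is not an object" };
  const o = data as Record<string, unknown>;
  const id = o["id"], exp = o["exp"], iat = o["iat"], status = o["status"];
  if (typeof id === "string" && typeof exp === "number" && typeof iat === "number" && typeof status === "string") {
    return { ok: true, session: { id, exp, iat, status } };
  }
  return { ok: false, reason: "JSON lacks {id, exp, iat, status}" };
}
```

In a shell, an unquoted `&` in the URL ends the command, so quote the whole URL when reproducing the call with curl. A client that follows redirects by default will surface the HTML of the `Location` target rather than the 302 itself.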