I had created a web application in Django, set up Google and Facebook OAuth (using python-social-auth) for login and hosted it on a domain - example.com. Many users had already registered on it using Google sign-in. However, yesterday I set up SSL certificates for my website and upgraded to an https connection. Thereafter I went to console.developers.google.com and changed the Authorized JavaScript origins to https://example.com and Authorized redirect URIs to https://example.com/soc/complete/google-oauth2/. Now OAuth is working for new users; however, the old users are getting an error with error code 400 (redirect_uri_mismatch) with the following message:
The redirect URI in the request,does not match the ones authorized for
the OAuth client.
I am guessing this is because the tokens created for the users had an http endpoint. How do I refresh those tokens to point to the new https URL without creating any hassle for the existing users?
You can provide multiple URLs for redirect URI and origin, so simply make sure you've configured both http and https variants.
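As an added illustration (not code from the question or the answer), here is the exact-match comparison an authorization server such as Google's applies to redirect_uri, with the example.com URIs from the question as a constructed registration; it shows why a client still sending the old http callback fails with redirect_uri_mismatch once only https is registered, and why listing both variants fixes it.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the client's registration in the Google console:
# originally only the http URI was listed; the fix is to register both.
REGISTERED_REDIRECT_URIS = {
    "http://example.com/soc/complete/google-oauth2/",
    "https://example.com/soc/complete/google-oauth2/",
}
COMPONENTS = ("scheme", "host", "path", "query")

def _normalize(uri: str) -> tuple:
    """Split a redirect URI into the parts an authorization server compares:
    scheme and host case-insensitively, path and query byte for byte.
    A fragment is never permitted in a registered or requested redirect_uri."""
    p = urlsplit(uri)
    if p.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)

def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact match only: no prefix, wildcard or scheme-agnostic matching. This is
    why a client that still sends the http URI fails once only https is registered."""
    try:
        want = _normalize(requested)
    except ValueError:
        return False
    return any(want == _normalize(r) for r in registered)

def mismatch_reason(requested: str, registered=REGISTERED_REDIRECT_URIS) -> tuple:
    """Name the components that differ from the closest registered URI, e.g.
    ('scheme',) when only http vs https is wrong; () when it matches."""
    want = _normalize(requested)
    best = None
    for r in registered:
        diff = tuple(n for n, a, b in zip(COMPONENTS, want, _normalize(r)) if a != b)
        if best is None or len(diff) < len(best):
            best = diff
    return best
```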
I want to know whether we can use Django OAuth Toolkit (DOT) as an SSO server.
I am using Django Rest Framework in backend.
Steps I need to achieve:
On clicking the Login Button in the client server, it redirects to the server asking to authorise.
If already logged in it will return the auth code.
If not logged in open the log in prompt.
On successful login, step 2 will follow.
Thanks.
Yes, DOT supports OpenID Connect so you can set it up as an SSO server.
Once configured, your server should have the o/authorize endpoint where you can redirect your clients when logging in. DOT will handle the authorization request for you (steps 2-4).
With the authorization code, DOT also provides the o/token endpoint for requesting access and ID tokens as well.
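The client-server side of that flow, as an added example rather than DOT's own code or the asker's: it builds the redirect to DOT's o/authorize with state, nonce and a PKCE challenge, then checks the state on the way back before assembling the o/token request. The issuer host, client_id and redirect URI are assumed values; o/authorize and o/token are DOT's default paths.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values: where DOT is deployed and how this client is registered in it.
ISSUER = "https://sso.example.com"                    # DOT host; o/authorize, o/token are its defaults
CLIENT_ID = "client-app"                              # assumed client_id from DOT's Application admin
REDIRECT_URI = "https://client.example.com/callback"  # assumed; must equal the one registered in DOT

def start_login() -> tuple:
    """Step 1: build the redirect to o/authorize. Returns the URL and the
    per-login secrets (state, nonce, PKCE verifier) the client keeps in its
    own session until the user comes back."""
    state, nonce, verifier = (secrets.token_urlsafe(n) for n in (16, 16, 32))
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    url = f"{ISSUER}/o/authorize/?{urlencode(params)}"
    return url, {"state": state, "nonce": nonce, "verifier": verifier}

def handle_callback(callback_url: str, session: dict) -> dict:
    """Steps 2-4 seen from the client: DOT sends the browser back to
    REDIRECT_URI with ?code=...&state=.... Refuse anything whose state is not
    the one this session issued, then build the form body the client POSTs to
    o/token; code_verifier proves it is the same client that started the login.
    (The nonce is checked later against the id_token's nonce claim.)"""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback is not tied to this login")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return {
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["verifier"],
    }
```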
I'm trying to implement an OAuth2 server for a RESTful API with a login option through social platforms (GitHub, Facebook, Instagram) using Python and the Falcon web framework.
But I've struggled to understand how this thing should work.
My current understanding led me to the following scheme:
1.1. On the API side, I'm creating an endpoint /auth/login/github which basically will tell the mobile app to redirect the client to the Github.com authorization page - github.com/login/oauth/authorize
1.2. On the Github authorization page user will be presented with the following screen:
1.3. After pressing Authorize user will be taken to the page specified in the callback parameter (Github OAuth service configuration) with the newly granted temporary authorization code. In my case URL will look like: my.api.com/auth/callback/github?code=AUTH_CODE
2.1. After receiving a callback request, I'm parsing/extracting passed Authorization Code and query Github.com from the backend in order to redeem Authorization Code and get Access Token (sending POST request using my Client ID and Client Secret to github.com/login/oauth/access_token)
2.2. If everything was successful Github will reply to my POST request with the Access Token, which I can use to get user profile details (e.g. e-mail)
3.1. Now that I know that authorization through GitHub was successful (because I got the user's email) I can grant my own Access Token to that user, so he can query my API endpoints. I do this just by generating a random OAuth2 token and inserting it into my database, simultaneously returning the same token to the user by redirecting him to the mobile app using deep links (e.g.: myapp://token).
3.2. Finally mobile app can query my API endpoints by adding the following header to each request Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42
Does that make sense and is this the correct way of doing social authorization for RESTful APIs?
I'm using Falcon as the web framework for this project and Authlib as the OAuth2 library.
It's one way for sure. And it looks alright.
I'm going to make it simpler, and maybe it's a bit clearer what's happening.
1.1 [Mobile APP] redirects user to github.com/oauth/authorize?client_id=CLIENT_ID with the client id you registered with github
1.2 [Mobile APP] user comes via a redirect to fancy.app/callback/github?code=AUTH_CODE (this is the callback url you configure on github)
1.2.1 [Mobile APP] call your API endpoint with the AUTH_CODE
1.3 [API] confirm with github the AUTH_CODE is valid.
Up to this point we have user authentication; the user isn't a random guy, he is user xxx on github.com, and you have the information you requested.
Now, if you need to authorise this user on your API, after 1.3:
1.3.1 [API] generate a token
1.3.2 [API] store the token in some persistent storage
1.3.3 [API] define some expiration time for the token (actually the AUTH_CODE from github should have some expiration, use that)
1.3.4 [API] return the token to the mobile APP
This token we've generated is what the Mobile APP will use to authenticate the user on the API; no further calls to github (until expiration at least).
1.1. On the API side, I'm creating an endpoint /auth/login/github which basically will tell the mobile app to redirect the client to the Github.com authorization page - github.com/login/oauth/authorize
Instead of hard coding /auth/login/github, how about making it a query parameter on your API so that you can quickly integrate separate OAuth2 providers (Google, Facebook, etc.)?
Your endpoint URL would now look like /auth/login/?provider=github and your backend can provide the correct redirect url for the mobile app to go to. This means you can simply add new buttons for Facebook /auth/login/?provider=facebook and it would be minimal work.
When you receive the callback request, the URL may then look something like my.api.com/auth/callback/?provider=github&code=AUTH_CODE. You may also want to insert a new user record to your own database (if you have one), so you can prompt for extra info if required, I would do this in Django for example, since I require extra info on top of the data that is provided by third-party OAuth2 providers.
Overall, the approach looks sound.
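The API's own part of the flow from both answers (steps 1.3 through 1.3.4, and the Bearer check of step 3.2), as an added example in plain Python rather than the asker's Falcon/Authlib code: the GitHub round trip is injected as a function so the block runs offline, the store keeps only a hash of each issued token, and expiry is enforced on every request. The provider name is passed in as the second answer suggests.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional

TOKEN_TTL = 3600  # assumed: one hour (step 1.3.3 says to pick an expiration)

# Constructed in-memory store standing in for step 1.3.2's database:
# sha256(token) -> (provider login, expires_at). Keeping only the hash means a
# leaked table does not contain usable bearer tokens.
_tokens: dict = {}

def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def complete_login(provider: str, code: str,
                   exchange: Callable[[str, str], Optional[str]], now: float = None) -> Optional[str]:
    """Steps 1.3 to 1.3.4: `exchange` confirms AUTH_CODE with the provider
    (it would POST to github.com/login/oauth/access_token and read the profile)
    and returns the user's login or None; on success mint our own bearer token."""
    login = exchange(provider, code)
    if login is None:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    issued = time.time() if now is None else now
    _tokens[_key(token)] = (login, issued + TOKEN_TTL)
    return token

def authenticate(authorization: Optional[str], now: float = None) -> Optional[str]:
    """Step 3.2: map 'Authorization: Bearer <token>' to a login without calling
    GitHub; malformed headers, unknown tokens and expired tokens all yield None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    entry = _tokens.get(_key(token))
    if entry is None:
        return None
    login, expires_at = entry
    if (time.time() if now is None else now) >= expires_at:
        _tokens.pop(_key(token), None)         # expired: forget it
        return None
    return login

def fake_github_exchange(provider: str, code: str) -> Optional[str]:
    """Constructed stand-in for the GitHub round trip so the example runs offline."""
    return "octocat" if (provider, code) == ("github", "AUTH_CODE") else None
```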
I have a locally-run app that makes API calls to a website (tumblr.com). This involves setting some OAuth credentials; one step along the way requires extracting a key from a callback url that the server directs the browser to. So what I currently have the user do is:
Open an authorization link in a browser, which prompts them to authorize the OAuth application on the website
Click through the authorization page on the website (“Yes, I allow xxxxx app to access certain info associated with my account”)
Clicking Authorize app makes a request to the localhost which includes a parameter in the url. Meaning that tumblr will redirect the browser to the page http://localhost/?oauth_token={TOKEN}&oauth_verifier={VERIFIER}#_=_. I assume that causes a request to be made to the local machine when it does that.
The user is expected to isolate the key parameter in the url from the browser’s navigation bar, and paste it in the application.
So is there any way I can bypass steps 3 and 4 and simply have the app pick up the callback request instead of expecting the user to copy and paste it from the browser? I’m afraid I don’t know much about how to handle network requests in python.
To be clear, what I need to do is get the {VERIFIER} string.
Okay, first things first: for HTTP requests, a good Python module is requests
http://docs.python-requests.org/en/master/
Then, your app gives a callback address to tumblr so that tumblr can tell your app the client info, or a login error.
Now, your point 3 isn't clear.
"Clicking authorize app makes a request to localhost"
Actually clicking "authorize app" for the user makes a request to tumblr saying he accepts.
Then tumblr makes a request to your callback url passing the info.
The callback url should probably be your server address, there you must have a script listening for tumblr, which will give you your special parameter to call their api...
In addition:
So when the users click "authorize app" there is a request to tumblr, which redirects the user to the callback url (adding oauth token and verifier).
Now, obviously, you can't ask for every user to have an http server running on their computer.
So you must set the callback url to your server.
So if you set it to "myserver.com/tumblr" for instance, the user will get redirected to your webpage, and you'll get on your server, for that user session, the OAuth token and verifier.
and...
Assuming your app is client only I'd say there are two options.
Either have your users enter their API keys manually.
Or embed a webserver into your app.
In the case of the embedded webserver, I'd suggest flask for its simplicity.
Simply have your webserver listen on a given port and set the callback url to that server:port.
This way you'll get the client tokens directly.
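The embedded listener this answer describes, as an added example using only the standard library (it is not the asker's code, and it uses http.server rather than the Flask the answer suggests): it binds to loopback only, waits for the one redirect tumblr sends to http://localhost:<port>/, extracts oauth_verifier from the query string and stops, so the user never copies anything from the address bar. The port is an assumption; capture_once is a constructed self-check that plays the browser.

```python
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

def parse_callback(path: str) -> dict:
    """Pull oauth_token/oauth_verifier from the path tumblr redirects to, e.g.
    '/?oauth_token=T&oauth_verifier=V'. The '#_=_' fragment never reaches a server."""
    query = parse_qs(urlsplit(path).query)
    return {k: query[k][0] for k in ("oauth_token", "oauth_verifier") if k in query}

class _CallbackHandler(BaseHTTPRequestHandler):
    result: dict = {}

    def do_GET(self):
        found = parse_callback(self.path)
        ok = "oauth_verifier" in found
        if ok:
            type(self).result.update(found)
        body = b"Authorized, you can close this tab." if ok else b"Missing oauth_verifier."
        self.send_response(200 if ok else 400)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the user's console quiet
        pass

def wait_for_verifier(port: int = 8080, timeout: float = 120.0, on_listen=None) -> dict:
    """Bind loopback only (register http://localhost:<port>/ as the callback URL),
    serve until a request carries oauth_verifier or the timeout passes, then close."""
    _CallbackHandler.result = {}
    server = HTTPServer(("127.0.0.1", port), _CallbackHandler)
    if on_listen:
        on_listen(server.server_address[1])  # actual port, useful when port=0
    server.timeout = 0.5                     # handle_request() returns when idle
    deadline = time.monotonic() + timeout
    while not _CallbackHandler.result and time.monotonic() < deadline:
        server.handle_request()
    server.server_close()
    return dict(_CallbackHandler.result)

def capture_once(path: str) -> dict:
    """Constructed self-check: a thread plays the browser following the redirect."""
    def browser(actual_port):
        url = f"http://127.0.0.1:{actual_port}{path}"
        threading.Thread(target=lambda: urllib.request.urlopen(url, timeout=5).read(), daemon=True).start()
    return wait_for_verifier(port=0, timeout=5.0, on_listen=browser)
```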
I'm using the following library for Salesforce OAuth Request: https://github.com/heroku/salesforce-oauth-request
I've created a Connected App, but have no idea what to set the redirect uri. Can I just set it to "https://www.google.com/"?
I just want to connect to Salesforce's Chatter API via python code, and don't care where the user gets directed as long as I get a refresh token from the oauth2 protocol
Apologies for the basic question. I am a user of django-social-auth but can't get python-social-auth off the ground.
I have downloaded the example app, successfully synced the db, and added my working Facebook, LinkedIn and Twitter app keys to settings. When I run the app I get the sample homepage with all the social media links.
When I click Facebook OAuth2 I get an HTTP error: 400 Client Error: Bad Request. Implying that the URL callback into my server (/complete/facebook/) is badly formed.
When I click LinkedIn or Twitter I get HTTP error: 401 Client Error: Unauthorized.
Have I missed a bit of the config? Has anyone got the example app working out of the box?
Thanks - Guy.
Did you set your secret and key for LinkedIn and Twitter in your settings.py?
Once that is done you may have to set the redirect urls with those providers.
I tested with google and had to fix my Google API Access settings.
I changed redirect urls to http://localhost:8000/complete/google-oauth2/
UPDATE:
I am having issues with LinkedIn on OAuth1 & 2. There doesn't appear to be a way to get the required API key into the request. I have attempted to hard code it in the oauth1_auth.py of requests_oauthlib but with no success yet.
UPDATE 2:
Twitter worked for me by making sure my twitter developer application settings had "Allow this application to Sign in with Twitter" checked and my consumer key and secret set in my settings.py like so:
# TWITTER
#
SOCIAL_AUTH_TWITTER_KEY = '<...>'
SOCIAL_AUTH_TWITTER_SECRET = '<.....>'