Apologies for the basic question. I am a user of django-social-auth but can't get python-social-auth off the ground.
I have downloaded the example app, successfully sync'ed the db, and added my working facebook, linkedin and twitter app keys to settings. When I run the app I get the sample homepage with all the social media links.
When I click Facebook OAuth2 I get an HTTP error: 400 Client Error: Bad Request, implying that the URL callback into my server (/complete/facebook/) is badly formed.
When I click LinkedIn or Twitter I get an HTTP error: 401 Client Error: Unauthorized.
Have I missed a bit of the config? Has anyone got the example app working out of the box?
Thanks - Guy.
Did you set your secret and key for LinkedIn and Twitter in your settings.py?
Once that is done you may have to set the redirect urls with those providers.
I tested with google and had to fix my Google API Access settings.
I changed redirect urls to http://localhost:8000/complete/google-oauth2/
UPDATE:
I am having issues with LinkedIn on OAuth1 & 2. There doesn't appear to be a way to get the required API key into the request. I have attempted to hard code it in the oauth1_auth.py of requests_oauthlib but with no success yet.
UPDATE 2:
Twitter worked for me by making sure my twitter developer application settings had "Allow this application to Sign in with Twitter" checked and my consumer key and secret set in my settings.py like so:
# TWITTER
#
SOCIAL_AUTH_TWITTER_KEY = '<...>'
SOCIAL_AUTH_TWITTER_SECRET = '<.....>'
I am trying to get my Google authentication working on a Django app that is requesting Gmail and Calendar data. I have set up the OAuth API in the Google developer console and linked it with my project, and I've triple-checked that my redirect URI perfectly matches that in the code (no errors with HTTP vs. HTTPS nor any inconsistencies with the slashes). I made sure that my key, secret key, Client ID, and Client Secret are all configured and identical in my Django app's admin page. I have followed many YouTube tutorials and searched other questions on Stack Overflow, but authentication is still not working. I am getting an Error 400: redirect_uri_mismatch, even though I have checked many times to confirm that they are the same.
From all the tutorials, I have learned that there are two main origins for this error:
Server sided (can be fixed in the cloud hosting developer console)
Client sided (can be fixed by altering the code)
Both of these errors have their own individualized messages saying what type of mismatch it is.
Mine, however, says this: You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy. If you're the app developer, register the redirect URI in the Google Cloud Console.
Here is a photo of the error
[![Google Authentication error message][1]][1]
from django.shortcuts import render, redirect
from django.http import HttpRequest
from google_auth_oauthlib.flow import Flow
from google.auth.transport.requests import Request
from googleapiclient.discovery import build
from .models import CredentialsModel
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
import os

# Both variables relax oauthlib's checks (plain http redirect, scope changes);
# they are only acceptable for local development on 127.0.0.1.
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'

# Scopes are what we should be allowed to access
SCOPES = ['https://mail.google.com/', 'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/userinfo.profile', 'openid']

"""
IF HAVING ISSUES WITH ANON USER:
Make sure you are on 127.0.0.1:8000, not localhost, both from the test-page and
the callback page. For some reason they are treated as different sessions and thus will have
issues maintaining a logged in user
"""


def oauth2callback(request):
    activeUser = request.user
    # URL is what we need to use for authentication
    authorization_response = request.build_absolute_uri()
    flow = Flow.from_client_secrets_file(
        settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
        scopes=SCOPES,
        # This is where we are redirected after authentication
        redirect_uri='http://127.0.0.1:8000/google/oauth2callback')
    # Now get proper token
    flow.fetch_token(authorization_response=authorization_response)
    # print(request.user)
    # Now save in our database
    # print(flow.credentials)
    try:
        my_credential = CredentialsModel.objects.get(pk=activeUser)
    except ObjectDoesNotExist:
        CredentialsModel.objects.create(id=activeUser, credential=flow.credentials)
    else:
        my_credential.credential = flow.credentials
        my_credential.save()
    return redirect(flow.redirect_uri)  # activeUser.get_absolute_url())
[1]: https://i.stack.imgur.com/2HXGP.png
Google's documentation is not clear on this part (probably a bug on Google's end too):
Go to your GCP console. Under OAuth consent screen, when the Publishing status is In production, you can still put http://localhost:8080/oauth-authorized/google under the Authorized redirect URIs without triggering the red Invalid Redirect error message. However, it doesn't work unless the app is in Testing status.
So in order to test your app at http://127.0.0.1:8000, you need to bring your GCP app to Testing status.
Hey, I was dealing with this problem in ASP.NET MVC.
I think the reason would be the same in PHP, but anyway:
Make sure to copy the URL from the image below to Authorized redirect URIs under OAuth 2.0 Client IDs in the Google Cloud console.
Check if you are logged in to your Google account.
I was using the Google Chrome browser, and it turned out I was logged out of Gmail as the session had expired; when I logged into Gmail, the issue was resolved.
In my case, it was working in the development environment and not in the production environment. Enabling the API key for production resolved the issue.
Copy the URL that comes with the error message you get and add it to the authorized redirect URIs in your Google Cloud console.
In my case I needed to change my redirect URI from
https://{{my-url}}/google/endpoint
To
https://www.{{my-url}}/google/endpoint
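Every answer above comes down to the same rule: an OAuth 2.0 authorization server compares the redirect_uri in the request with the registered entries character for character, so http vs https, www vs bare host, localhost vs 127.0.0.1, a different port and a trailing slash are all separate registrations. The following is an added example (not code from any of the posters or from Google) that applies that exact-match rule to a constructed registration list and names the component that is off, which is the diagnosis a developer wants before editing the console; the URIs in REGISTERED_REDIRECT_URIS are made-up samples.

```python
from urllib.parse import urlsplit

# Constructed sample registration: the redirect URIs an OAuth client is
# assumed to have registered with its provider (values are made up here).
REGISTERED_REDIRECT_URIS = [
    "https://example.com/soc/complete/google-oauth2/",
    "http://127.0.0.1:8000/google/oauth2callback",
]

COMPONENTS = ("scheme", "host", "port", "path", "query")


def redirect_uri_matches(registered, requested):
    """Exact-match rule as OAuth 2.0 authorization servers apply it.

    Nothing is normalised: scheme, host, port, path (trailing slash
    included) and query must be identical to one registered entry.
    """
    return requested in registered


def components(uri):
    """Split a URI into the parts a mismatch is usually hiding in."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "query": parts.query,
    }


def explain_mismatch(registered, requested):
    """Name the components that differ from the closest registered URI.

    Returns [] for an exact match, otherwise the differing component names
    (in COMPONENTS order) for the nearest registration. When the parsed
    components all agree but the strings still differ, the difference is
    in letter case or percent-encoding, which the exact match also rejects.
    """
    if redirect_uri_matches(registered, requested):
        return []
    requested_parts = components(requested)
    closest = None
    for uri in registered:
        parts = components(uri)
        diffs = [name for name in COMPONENTS if parts[name] != requested_parts[name]]
        if closest is None or len(diffs) < len(closest):
            closest = diffs
    return closest if closest else ["case or encoding"]


if __name__ == "__main__":
    for candidate in [
        "http://example.com/soc/complete/google-oauth2/",       # scheme
        "https://www.example.com/soc/complete/google-oauth2/",  # host
        "https://example.com/soc/complete/google-oauth2",       # trailing slash
        "http://localhost:8000/google/oauth2callback",          # localhost vs 127.0.0.1
    ]:
        print(candidate, "->", explain_mismatch(REGISTERED_REDIRECT_URIS, candidate))
```

The fix on the provider side is always to register the exact variant the application sends (both http and https, both hostnames, with and without the slash) rather than to loosen the comparison; the check above is meant for the client side, to read off which variant is missing.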
I am using Azure for hosting a web app and a web API.
Environment configuration:
Web API: developed using Django, deployed/hosted on a Linux VM
Web app: developed using Angular2, deployed/hosted on App Service
For authentication I am using the OAuth2 protocol.
App registration details for OAuth2:
Under single tenant: "my-tenant-id-121"
Registered the web API and provided access_as_user permissions
here suppose app_id/client_id: "my-api-id-123"
App URI: 'api://my-api-id-123'
scope: 'api://my-api-id-123/access_as_user'
A client secret is generated but not used.
Registered the web app and provided basic details, redirect URI, etc.
here suppose web app app_id/client_id: "my-webapp-id-123"
Under app registration, provided API access permissions for the above registered API using API permissions
Authentication:
client (web app): using the ng2-adal library
resource (web API): using the Python "jwt" library for access token validation
I have done all the configuration; after authentication I am getting an id_token for the web app and an access_token for the Postman client.
Token validation:
I am validating the access token at the API side, which I receive through the Authorization header.
I have followed all the references available; through jwt.verify() my token is getting validated. Here I am also validating the audience: for the id_token it is aud: client_app_id, and when using Postman I am specifying the scope, in which case aud: "api://my-api-id-123".
Here comes the main part:
While following the whole process I never used the registered web API app_id, i.e. "my-webapp-id-123", anywhere.
Then how come the client app is getting authenticated and the access token is getting validated?
Also I tried to remove the linking between the web app and the web API in the Azure app registration and tried to authenticate. In both cases I received a token and validated it at the API side.
My questions are:
Why do we need to register the web API in app registration on Azure, as it is not getting used?
In my current scenario, which part am I missing? My concern is that if I remove the linking (on Azure, at the client app under API permissions) between "client_app" and "api_app", the access_token/id_token retrieved at the client app should not get validated at the web API.
Thanks in advance.
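The behaviour the question describes (an id_token meant for the web app, or a token obtained after the API permission was removed, still "validating") is what happens when the resource only checks the signature and whatever aud the token happens to carry. The API has to pin its own identifier as the audience and reject everything else. The following is an added example, not the poster's code and not the PyJWT API they mention: it verifies a JWT with the stdlib and applies the claim checks that decide acceptance. Azure AD tokens are RS256-signed and are verified against the tenant's published JWKS; the HS256 shared key here is a constructed stand-in so the example runs offline, and the issuer URL form and the ALLOWED_CLIENT_IDS set are assumptions. The audience, scope, tenant and client ids are the placeholders from the question.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the question; the issuer URL form is an assumption.
API_AUDIENCE = "api://my-api-id-123"
REQUIRED_SCOPE = "access_as_user"
EXPECTED_ISSUER = "https://login.microsoftonline.com/my-tenant-id-121/v2.0"
ALLOWED_CLIENT_IDS = {"my-webapp-id-123"}  # assumed: apps granted access_as_user

# Constructed signing key. Real Azure AD tokens are RS256-signed and are
# checked against the tenant's JWKS; HS256 is used only to run offline.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=SIGNING_KEY):
    """Build a constructed HS256 JWT for the tests; not an Azure-issued token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_access_token(token, key=SIGNING_KEY, now=None):
    """Return the claims if this API may accept the token, otherwise None.

    Signature alone is not enough: issuer, audience, scope, calling app
    and expiry are what keep an id_token for the web app, or a token for
    some other resource, from being accepted by this API.
    """
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad structure, padding, UTF-8 or JSON
        return None
    # Pin the algorithm so a swapped header cannot select another verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    # aud must name this API; an id_token carries the web app's client id instead.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in audiences:
        return None
    # scp is space-separated in Azure AD access tokens.
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        return None
    # azp (v2) / appid (v1) names the calling app; removing an app's API
    # permission in the portal has to be mirrored here too.
    caller = claims.get("azp", claims.get("appid"))
    if caller not in ALLOWED_CLIENT_IDS:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

With PyJWT the equivalent is to pass audience=, issuer= and an explicit algorithms= list to jwt.decode, and to check scp and azp on the returned claims yourself.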
I'm trying to implement an OAuth2 server for a RESTful API with a login option through social platforms (GitHub, Facebook, Instagram) using Python and the Falcon web framework.
But I've struggled to understand how this thing should work.
My current understanding led me to the following scheme:
1.1. On the API side, I'm creating an endpoint /auth/login/github which basically will tell the mobile app to redirect the client to the Github.com authorization page - github.com/login/oauth/authorize
1.2. On the Github authorization page user will be presented with the following screen:
1.3. After pressing Authorize user will be taken to the page specified in the callback parameter (Github OAuth service configuration) with the newly granted temporary authorization code. In my case URL will look like: my.api.com/auth/callback/github?code=AUTH_CODE
2.1. After receiving a callback request, I'm parsing/extracting passed Authorization Code and query Github.com from the backend in order to redeem Authorization Code and get Access Token (sending POST request using my Client ID and Client Secret to github.com/login/oauth/access_token)
2.2. If everything was successful Github will reply to my POST request with the Access Token, which I can use to get user profile details (e.g. e-mail)
3.1. Now that I know that authorization through GitHub was successful (because I got the user's email) I can grant my own Access Token to that user, so he can query my API endpoints. I do this just by generating a random OAuth2 Token and inserting it into my database, simultaneously returning the same token to the user by redirecting him to the mobile app using deep links (e.g.: myapp://token).
3.2. Finally the mobile app can query my API endpoints by adding the following header to each request: Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42
Does that make sense, and is this the correct way of doing social authorization for RESTful APIs?
I'm using Falcon as the web framework for this project and Authlib as the OAuth2 library.
It's one way for sure. And it looks alright.
I'm going to make it simpler, and maybe it's a bit clearer what's happening.
1.1 [Mobile APP] redirects user to github.com/oauth/authorize?client_id=CLIENT_ID with the client id you registered with github
1.2 [Mobile APP] user comes via a redirect to fancy.app/callback/github?code=AUTH_CODE (this is the callback url you configure on github)
1.2.1 [Mobile APP] call your API endpoint with the AUTH_CODE
1.3 [API] confirm with github the AUTH_CODE is valid.
Up to this point we have user authentication; the user isn't a random guy, he is user xxx on github.com and you have the information you requested.
Now, if you need to authorise this user on your API, after 1.3:
1.3.1 [API] generate a token
1.3.2 [API] store the token in some persistent storage
1.3.3 [API] define some expiration time for the token (actually the AUTH_CODE from github should have some expiration, use that)
1.3.4 [API] return the token to the mobile APP
This token we've generated is what the Mobile APP will use to authenticate the user on the API; no further calls to github (until expiration at least).
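The flow in the question (steps 1.1 to 3.2) and the condensed version in this answer (1.1 to 1.3.4) are the same exchange; the following is an added example that walks through it in plain Python. It is not the poster's Falcon/Authlib code and not GitHub's client library: the HTTP call to GitHub's token endpoint and the profile lookup are injected as functions (http_post, fetch_email) so the exchange can be exercised without a network, the in-memory dicts stand in for the two database tables, and TOKEN_TTL_SECONDS is an assumed lifetime. Two details the steps leave implicit are included because they are where such implementations usually go wrong: the callback is tied to a login this API started via a one-time state value, and only a hash of the issued token is stored.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime of the tokens this API issues
STATE_TTL_SECONDS = 600   # assumed window for completing a login

# In-memory stand-ins for the two database tables a real API would use.
PENDING_STATES = {}  # state -> time it was created
ISSUED_TOKENS = {}   # sha256(token) -> {"email": ..., "expires_at": ...}


def login_url(client_id, redirect_uri, now=None):
    """Step 1.1: build the GitHub authorize URL the app should open.

    The random state is remembered so the callback can prove it belongs
    to a login this API started (CSRF protection for the callback).
    """
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    PENDING_STATES[state] = now
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "user:email",
        "state": state,
    })
    return f"{GITHUB_AUTHORIZE_URL}?{query}", state


def handle_callback(code, state, client_id, client_secret, http_post, fetch_email, now=None):
    """Steps 1.3 / 2.1 to 3.1: redeem the code with GitHub, then issue our own token.

    http_post(url, data, headers) -> dict and fetch_email(access_token) -> str
    are injected so the exchange runs offline; in production they wrap an
    HTTP client talking to GitHub.
    """
    now = time.time() if now is None else now
    # One-time use: an unknown, reused or stale state rejects the callback.
    started = PENDING_STATES.pop(state, None)
    if started is None or now - started > STATE_TTL_SECONDS:
        raise PermissionError("unknown, reused or expired state")
    reply = http_post(
        GITHUB_TOKEN_URL,
        {"client_id": client_id, "client_secret": client_secret, "code": code},
        {"Accept": "application/json"},
    )
    github_token = reply.get("access_token")
    if not github_token:
        raise PermissionError("GitHub did not accept the authorization code")
    email = fetch_email(github_token)
    return issue_token(email, now)


def issue_token(email, now=None):
    """Step 3.1: mint an opaque bearer token; only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[_digest(token)] = {"email": email, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def authenticate_bearer(authorization_header, now=None):
    """Step 3.2: resolve 'Authorization: Bearer <token>' to the user's e-mail.

    Returns None for a malformed header, an unknown token or an expired one.
    """
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    record = ISSUED_TOKENS.get(_digest(token))
    if record is None or record["expires_at"] <= now:
        return None
    return record["email"]


def _digest(token):
    # Storing only a hash means a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()
```

Returning the token to the app through a deep link (step 3.1 in the question) means it transits a URL; keeping the lifetime short and the token opaque, as above, limits what a logged or leaked URL is worth.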
1.1. On the API side, I'm creating an endpoint /auth/login/github which basically will tell the mobile app to redirect the client to the Github.com authorization page - github.com/login/oauth/authorize
Instead of hard coding /auth/login/github, how about making it a query parameter on your API so that you can quickly integrate separate OAuth2 providers (Google, Facebook, etc.)
Your endpoint URL would now look like /auth/login/?provider=github and your backend can provide the correct redirect url for the mobile app to go to. This means you can simply add new buttons for Facebook /auth/login/?provider=facebook and it would be minimal work.
When you receive the callback request, the URL may then look something like my.api.com/auth/callback/?provider=github&code=AUTH_CODE. You may also want to insert a new user record to your own database (if you have one), so you can prompt for extra info if required, I would do this in Django for example, since I require extra info on top of the data that is provided by third-party OAuth2 providers.
Overall, the approach looks sound.
I had created a web application in Django, set up Google and Facebook OAuth (using python-social-auth) for login and hosted it on a domain, example.com. Many users had already registered on it using Google sign-in. However, yesterday I set up SSL certificates for my website and upgraded to an HTTPS connection. Thereafter I went to console.developers.google.com and changed the Authorized JavaScript origins to https://example.com and the Authorized redirect URIs to https://example.com/soc/complete/google-oauth2/. Now OAuth is working for new users; however, the old users are getting an error with error code 400 (redirect_uri_mismatch) with the following message:
The redirect URI in the request, does not match the ones authorized for
the OAuth client.
I am guessing this is because the tokens created for the users had an http endpoint. How do I refresh those tokens to point to the new https URL without creating any hassle for the existing users?
You can provide multiple URLs for the redirect URI and origin, so simply make sure you've configured both the http and https variants.
I started using django-social-auth, which looks great; I want to set up a tiny Twitter app and just need the Twitter connect. I followed the guidelines and examples.
The Twitter connect looks like it's working: I am redirected to Twitter authentication, but when returning to my callbackUrl I always get
redirected to the LOGIN_URL_ERROR, with no error messages. I tried adding Django logging; still no error is shown.
The messages module used in the example views gives me:
"Sorry but some error made you impossible to login. Please try again"
I am currently testing on localhost, so maybe that's the problem. I have set up the Twitter app with the URL local.dev:8000 and callbackUrl local.dev:8000/filtered,
with a mapping in /etc/hosts.
settings.py
social_settings.py
views.py
urls.py
python2.7, django 1.3, django-social-auth github repo