
Problem using social auth in stateless webapp


I have the same problem as here, meaning, the last step of Google OAuth2 authentication is not working. After some searching, I saw that the problem comes from the validation of state: the value in the request is checked against the value from the previous request that was saved in session. My problem, and I suppose it is the same one as @Emnalyeriar's, is that my app is stateless, I don't use session nor cookies so getting the previous value of state is impossible, nor is it restful. djoser's main target is stateless apps; not being able to use the OAuth2 protocol (which is the standard for most providers) makes social auth unusable. Any use of session should therefore be removed. What do you think?

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 10
  • Comments: 19 (1 by maintainers)

Top GitHub Comments

5 reactions
Emnalyeriar commented, Aug 30, 2019

If anyone's interested, I created my own social login views with requests_oauthlib:

from django.conf import settings
from django.contrib.auth import get_user_model
from requests_oauthlib import OAuth2Session
from rest_framework import response, status
from rest_framework.views import APIView
from rest_framework_simplejwt.tokens import RefreshToken

User = get_user_model()


class GoogleOAuth2(APIView):
    """
    Login with Google OAuth2
    """

    def get(self, request):
        # Step 1: build the Google authorization URL the client will redirect to.
        client_id = settings.GOOGLE_OAUTH2_KEY
        scope = settings.GOOGLE_OAUTH2_SCOPE
        redirect_uri = request.query_params.get('redirect_uri')
        # Only allow-listed redirect URIs are accepted; anything else is rejected up front.
        if redirect_uri not in settings.SOCIAL_AUTH_ALLOWED_REDIRECT_URIS:
            return response.Response(
                {
                    'error': 'Wrong Redirect URI'
                },
                status=status.HTTP_400_BAD_REQUEST,
            )
        google = OAuth2Session(client_id, scope=scope, redirect_uri=redirect_uri)
        # `state` is generated here but not stored anywhere server-side (stateless app);
        # it only travels inside `authorization_url` as the `state` query parameter.
        authorization_url, state = google.authorization_url(
            settings.GOOGLE_AUTHORIZATION_BASE_URL,
            access_type='offline',
            prompt='select_account'
        )
        return response.Response({'authorization_url': authorization_url})

    def post(self, request):
        # Step 2: the client posts back the `code`, `state` and `redirect_uri`
        # it received on the callback; this view exchanges the code for tokens.
        client_id = settings.GOOGLE_OAUTH2_KEY
        client_secret = settings.GOOGLE_OAUTH2_SECRET

        state = request.data.get('state')
        code = request.data.get('code')
        redirect_uri = request.data.get('redirect_uri')

        # Note: `state` is taken from the request as-is; nothing here compares it
        # with the value issued in get(), so the OAuth2 CSRF check is not enforced.
        google = OAuth2Session(
            client_id,
            redirect_uri=redirect_uri,
            state=state
        )
        google.fetch_token(
            settings.GOOGLE_TOKEN_URL,
            client_secret=client_secret,
            code=code
        )

        user_info = google.get('https://www.googleapis.com/oauth2/v1/userinfo').json()
        user_email = user_info['email']
        try:
            user = User.objects.get(email=user_email)
        except User.DoesNotExist:
            # Decide if you want to create a new user; the default User model
            # requires a username, so the email is used as a placeholder here.
            user = User.objects.create_user(username=user_email, email=user_email)
        refresh_token = RefreshToken.for_user(user)
        return response.Response({
            'refresh': str(refresh_token),
            'access': str(refresh_token.access_token)
        })

I also have one for FB, but it's very similar.
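The issue text above says the state check cannot be kept without a session, and the view posted above accepts state from the client without comparing it with anything. The following is an added example, not djoser's code and not the commenter's: a self-authenticating state value (random nonce, issue time and redirect URI, covered by an HMAC under a server secret), so the callback handler can verify that the server issued the state, that it has not expired, and that it was issued for the same redirect_uri, with no session storage at all. SERVER_SECRET, STATE_TTL_SECONDS and the helper names are assumptions made for this example; the secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder secret for the example; a real deployment would load
# it from configuration (for instance, derive it from Django's SECRET_KEY).
SERVER_SECRET = b"example-only-server-secret"
STATE_TTL_SECONDS = 600  # how long an issued state stays acceptable (assumed value)


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the state survives as a query parameter."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_state(redirect_uri: str, secret: bytes = SERVER_SECRET,
               now: Optional[int] = None) -> str:
    """Return `nonce.issued_at.redirect_uri.mac` for use as the OAuth2 `state`."""
    issued_at = int(time.time()) if now is None else now
    payload = ".".join([
        _b64(secrets.token_bytes(16)),        # fresh nonce: every state is unique
        str(issued_at),                       # lets the callback enforce a TTL
        _b64(redirect_uri.encode("utf-8")),   # binds the state to this redirect target
    ]).encode("ascii")
    return payload.decode("ascii") + "." + _b64(_mac(payload, secret))


def verify_state(state: str, redirect_uri: str, secret: bytes = SERVER_SECRET,
                 now: Optional[int] = None, ttl: int = STATE_TTL_SECONDS) -> bool:
    """True only if `state` was signed by `secret`, is within `ttl`, and matches `redirect_uri`."""
    current = int(time.time()) if now is None else now
    try:
        nonce_b64, issued_text, uri_b64, mac_b64 = state.split(".")
        signed = ".".join([nonce_b64, issued_text, uri_b64]).encode("ascii")
        # Constant-time comparison: a forged or tampered state fails here.
        if not hmac.compare_digest(_mac(signed, secret), _unb64(mac_b64)):
            return False
        issued_at = int(issued_text)
        bound_uri = _unb64(uri_b64).decode("utf-8")
    except (ValueError, UnicodeError):
        return False  # malformed state (wrong field count, bad base64, bad integer)
    if not 0 <= current - issued_at <= ttl:
        return False  # expired, or claims to have been issued in the future
    return hmac.compare_digest(bound_uri.encode("utf-8"), redirect_uri.encode("utf-8"))


if __name__ == "__main__":
    # Constructed round trip: issue a state for one redirect URI and check it back.
    uri = "https://app.example/oauth/callback"
    issued = make_state(uri)
    print("valid:", verify_state(issued, uri))
    print("other redirect_uri:", verify_state(issued, "https://other.example/cb"))
```

In a view like the one above, make_state(redirect_uri) would be passed as the state argument of authorization_url() in get(), and verify_state(state, redirect_uri) would run in post() before fetch_token(), returning 400 on failure. What this covers and what it does not: the HMAC and TTL stop forged states and stale replays, but without a session the server still cannot tell that the browser finishing the flow is the one that started it; that binding has to be done on the client side, by keeping the state it was given and comparing it with the one on the callback before posting it back.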

4 reactions
joshm91 commented, Aug 30, 2019

Damn, that’s a shame. I was hoping to switch from django-rest-auth to djoser for a complete restful local account and social solution. I’m currently trying to get django-rest-social-auth working for the social side of things but it sucks having to use multiple different libraries.

