I am implementing OAuth for different services and I am using "OAuth2ConsumerBlueprint" (using flask-dance).
I was thinking about Flask-OAuth but I think I would end up with the same issues I am facing with Flask-Dance.
What I am planning to do is:
User goes to ".mydomain.com"
User clicks on Login via FB, for example
User goes to social.mydomain.com (so that the authorized URL is always the same)
User, after login, should be brought back to ".mydomain.com"
It looks like I cannot find a way to do it. It should be feasible. I tried to parse out different information, e.g.:
print(request)
print(request.referrer)
I even used: @oauth_authorized.connect
Printed all the information to see if I could collect some additional information to reuse
print(vars(request))
print(vars(blueprint))
print(vars(token))
print(session)
Also I tried to add in the GET parameters a "foo" variable to see if I could read it back again from the social.mydomain.com but I couldn't. No idea on how to redirect the user back to the original .mydomain.com
Any suggestions here on how can I have the authentication done on a specific subdomain (so I only need to whitelist one subdomain) and then redirect the user to his own domain?
That is how I setup everything:
facebook = OAuth2ConsumerBlueprint(
    "fb_social", __name__, url_prefix='/fb',
    client_id=FB_CLIENT_ID,
    client_secret=FB_SECRET,
    scope='email',
    base_url="https://graph.facebook.com/",
    token_url="https://graph.facebook.com/oauth/access_token",
    authorization_url="https://www.facebook.com/dialog/oauth",
    redirect_to='fb_social.social_facebook',
)
Thanks a lot
Hook into the oauth_authorized signal, and return a redirect to the location where you want the user to go.
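An added example of that approach (not code from the question, the answer or Flask-Dance itself): the originating subdomain stores where the user came from in the session before sending them to social.mydomain.com, and the oauth_authorized handler redirects there only if the URL really belongs to the parent domain. It assumes SESSION_COOKIE_DOMAIN is set to ".mydomain.com" so the session is shared across subdomains; PARENT_DOMAIN, SESSION_KEY and the function names are assumptions.

```python
# Added example: redirect back to the user's own subdomain after the provider
# returns to social.mydomain.com.  Assumes SESSION_COOKIE_DOMAIN=".mydomain.com"
# so a value written on app.mydomain.com is readable on social.mydomain.com
# (a query parameter does not survive the round trip through the provider).
from urllib.parse import urlsplit

PARENT_DOMAIN = "mydomain.com"          # assumed parent domain
SESSION_KEY = "post_login_redirect"     # assumed session key


def is_safe_return_url(url, parent_domain=PARENT_DOMAIN):
    """Accept only absolute https URLs whose host is the parent domain or one
    of its subdomains.  Rejects scheme-relative (//evil), javascript:,
    lookalike hosts (mydomain.com.evil.com) and embedded credentials."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname.lower()
    return host == parent_domain or host.endswith("." + parent_domain)


def pick_return_url(candidate, fallback):
    """Return the validated candidate, or the fallback when it is unsafe."""
    return candidate if candidate and is_safe_return_url(candidate) else fallback


def register_redirect_handler(blueprint, fallback="https://www.mydomain.com/"):
    """Attach an oauth_authorized handler to a Flask-Dance blueprint.  Flask
    imports are deferred so the URL checks above run without Flask installed.
    The originating subdomain stores request.url under SESSION_KEY before
    redirecting the user to the login route on social.mydomain.com."""
    from flask import redirect, session
    from flask_dance.consumer import oauth_authorized

    @oauth_authorized.connect_via(blueprint)
    def redirect_back(bp, token):
        # Flask-Dance uses a Response returned from this handler instead of
        # its default redirect_to / redirect_url target.
        target = pick_return_url(session.pop(SESSION_KEY, None), fallback)
        return redirect(target)

    return redirect_back
```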
Related
I'm setting up a private wiki under a subdomain of a domain my company uses for wikis on AWS. I just purchased the MediaWiki instance from the AWS marketplace and have been working to just get the wiki up and running including setting up the admin account passwords, installing a Let's Encrypt cert for HTTPS, and disabling access to anonymous users. I was testing to verify that this works when I ran into an issue: upon successful login, a blank "Log in" page is shown instead of redirecting to the original destination.
So first I go to https://private.example.com/index.php/Main_Page and get a "Login required" page with a link to log in. This is expected.
When I click on the link, I get sent to https://private.example.com/index.php?title=Special:UserLogin&returnto=Main+Page&returntoquery= with the title "Log in" and the log in form, which looks good so far.
However when I enter in the admin username and password and submit, I expect to be redirected back to https://private.example.com/index.php/Main_Page with the content visible, but instead I get redirected to https://private.example.com/index.php?title=Special:UserLogin&returnto=Main+Page with the title "Log in" and no body. I've tried this on a different browser to see if it is some sort of caching issue, but I get the same results there too.
Since I've done almost nothing, I don't know what I could have done to cause this. Is there a configuration that I either failed to setup correctly or perhaps corrupted that might cause this? Could it be related to the wiki having a subdomain URL?
This may be caused by the $wgServer variable in LocalSettings.php (likely located at /var/www/mediawiki/LocalSettings.php) not being set (or set properly). I.e. the redirect won't work if it's empty, e.g.:
$wgServer = "";
So in your case it would need to be set like this:
$wgServer = "https://private.example.com";
I.e. the scheme and domain of your site.
I am building a frontend client for Jira and am running into some conflicting authentication methods I think.
I have setup the OAuth2 authentication method for logging in and hitting the Jira API. I have a button on a login page that redirects to Jira, you log in, hit "allow" and are redirected to my app. This step completes fine, I have a token and a secret and can make api calls just fine.
Next, I make an api call to get the user data, which returns fine. One of the pieces of data is a set of avatar urls. I put one of the urls into my site's markup. Here is where the problem begins.
If my browser session that I used to login is still active, I get an avatar. BUT if not, I get an "anonymous" avatar from Jira.
All the while, my OAuth token/api calls all seem to return fine.
This makes sense as Jira is using cookie based auth and I am not. So if that cookie dies in my browser, the call to the image will fail.
My ultimate question is how to handle this? Is this my responsibility to put an expiration on the token? What happens if they select "Stay logged in"? I don't think I get that knowledge on the OAuth side.
I kind of feel like I am missing something but I cannot figure out what. This seems like a problem that has been fixed or isn't even really a problem.
One solution would be just to switch to a cookie based authentication but OAuth seems more secure.
I've also tried directly hitting it from my server but that also yields an anon avatar. As does a curl with the access token. Maybe I didn't provide it in the correct way?
Any thoughts or ideas on this would be greatly appreciated. Thanks in advance.
I am using django all-auth for authenticating users via social networks so, when I'm trying to login via facebook/google/twitter through url:
http://127.0.0.1:8000/accounts/socialnetwork/login
( here socialaccount is facebook/google/twitter), I'm able to login successfully and then getting redirected to:
http://127.0.0.1:8000/accounts/profile/
but when I'm going to url:
http://127.0.0.1:8000/accounts/socialnetwork/login/callback/
I'm getting this error "an error occured while logging via social network" but could see "signout" and "change email" options if I'm already logged in.
Also, when I'm going to
http://127.0.0.1:8000/accounts/social/connections/
sometimes I can see only google and twitter accounts, sometimes only facebook accounts but not both depending upon my site_id in settings.py.
Now I'm really confused whether this is an issue with my callback urls or my site domains or something else.
You mention that visiting http://127.0.0.1:8000/accounts/socialnetwork/login/ (where I assume socialnetwork is one of google/twitter/facebook) works fine. Congratulations! -- because these are the proper entry points for logging in with a third party provider.
You should not be visiting the callback url directly yourself. It is meant to be redirected to by the third party provider. In doing so, it passes along authentication related codes that can be used to login. If you visit the url directly these codes are not passed, hence, the system will complain with "an error has occurred"...
As for the issue with respect to the social connections url: what you see here is all third party accounts connected to the local user account. So, if it varies from time to time I can only assume you are logging in under different accounts - which implies different connected third party accounts.
There is a fair amount of confusion for me around what values go where, there is an APP_ID from Twitter that seems to be useless unless you are filing a support request but somehow from the docs I got the idea that that was the value I needed to put into the CLIENT_ID, but NO, you need to put in the API_KEY there.... The lack of good logging/display of the errors by the template (because of a malformed exception text) makes it hard to figure out what is going on. Luckily I set a breakpoint and found the real error, changed the values around and voila, it was working....
Not sure who is at fault here, allauth or twitter, but it would help if everyone could get on the same page when it comes to naming things.
Wrapping my old-fashioned head around OAuth....
Aside from the request/response mechanics and the Authorize / Authenticate round trips (which I think I understand) I am struggling with mapping my MyUser object (whatever that may contain) to an OAuth token, if (actually when, not if) the user kills any cookies (encrypted or otherwise) I may have dropped on the browser.
I get MyUser info at the original Login (call it 'registration' for my site) but now MyUser comes back, all cookies are gone so he is just 'user'. Fair enough, user has to do an OAuth login again, but now I have no way of associating the new Token / Secret with MyUser data.
What am I missing?
--- edit Aug 2/2012 -----
Let me restate this (I am pretty sure I am being thick about this but guess that's what here is for):
As pointed out in Replies, each OAuth provider has their own mechanism. We can navigate those and get back an access Token for the user.
Let's say Hero registers on my site using Facebook. FB returns his FB UserID and Name along with the Access Token. We are clever enough to request and get his FB Email, and we ask him some other registration q's before letting him in. Then we save this in our datastore (linked to our own User record):
OurUserId : 1234
oAuthProviderName : Facebook
oAUthProviderUserId: xxxxx
oAuthProviderUserEmail: hero@mlb.com
oAuthProviderUserName: iBeHero
oAuthToken: entrancingly-unique-string-of-goop
oAuthSecret: moredata
.... etc.
and set a cookie to identify him as our user# 1234.
Now Hero goes away, kills his cookies for some reason, and then comes back to us.
Now he decides to Log In with Twitter. I have no cookie so I don't know who he is, and we go through the process again.
To me he looks like a new user so once Twitter sends me a Token I start asking him Registration questions, clearly not right.
Turns out Twitter doesn't return an Email address so I can't match that, and even if they did (I think almost everyone else does) Hero likely has more than one Email.
It seems to me that the only tie I have between the two (or however many) logins is whatever cookies I set that have not been deleted.
Are we saying that the entire OAuth2.0 mechanism hangs on this? I can't believe that is right, but don't see another way, so I must be missing something, yes?
If you're using OAuth as a login mechanism as well, then make sure whichever provider you're talking to has some way of returning back a stable ID for a user. That ID is the key you'd use for looking up the user in your DB.
Different providers have different ways of doing this. For Google, details on how to do authentication with OAuth 2.0 are here. For Twitter, they use OAuth 1.0 and return the user ID when exchanging the code for an access token. Facebook has its own way of doing it as well.
I am using Twitter OAuth to login users. The login takes users to Twitter and upon successful OAuth returns them to a specified url. From this url I would like to redirect users back to the page they were on before logging in.
What is a good way to do this?
Two ways:
Craft your OAuth URL so it sends them back to the right page, or at least says next=url in the querystring. This is most reliable but can break (and does look ugly but who's copying and pasting OAuth URLs anyway?)
Store a session containing the last requested "real" page. I say "real" like that because I don't count any auth/registration pages as real. So every hit, check to see what URL they're on, if it's not auth-related, store it in session. When they hit your OAuth-success page, redirect them to the session value. You can do this in a context processor or some middleware. Requires cookies and logout will nuke it.
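The second approach as an added, framework-neutral example (not code from the question or answer): one function is called from middleware on every request and records only GET hits to non-auth pages, the other is called from the OAuth success view and accepts only a same-site relative path. `session` is any mutable mapping, such as a Django session; AUTH_PREFIXES, SESSION_KEY and the function names are assumptions.

```python
# Added example: remember the last "real" page in the session and redirect to
# it after OAuth login.  Only a relative path is ever stored or followed, so a
# tampered session value cannot send the user off-site.
from urllib.parse import urlsplit

AUTH_PREFIXES = ("/login", "/logout", "/register", "/oauth/")  # assumed routes
SESSION_KEY = "last_real_page"
DEFAULT_PAGE = "/"


def is_real_page(path):
    """Auth and registration pages never count as the page to return to."""
    return not any(path.startswith(p) for p in AUTH_PREFIXES)


def remember_last_page(session, method, path, query=""):
    """Middleware hook: record GET navigations to real pages.  POSTs are
    skipped because a redirect cannot replay them."""
    if method != "GET" or not is_real_page(path):
        return
    session[SESSION_KEY] = path + ("?" + query if query else "")


def post_login_redirect(session, default=DEFAULT_PAGE):
    """OAuth success view: pop the stored page so a stale value is not reused,
    and fall back to default unless it is a plain same-site path."""
    target = session.pop(SESSION_KEY, None)
    if not target or not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target:  # browsers treat "/\evil.com" like "//evil.com"
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target
```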
I am using a redirect URL in the Twitter auth URL and it's working for me.