I'm currently integrating SSO using Azure AD for a Django Project. I'm currently using the package: https://github.com/leibowitz/django-azure-ad-auth . I have followed the docs to setup the Azure AD Authentication . On entering the application url, it takes me to the microsoft login page and after entering the credentials it's redirected to the application. But on redirection to the application after the Azure Auth, the code checks in the session for 'nonce' & 'state' variables , which are strangely returned as None and hence the application redirects to the failure url.
#never_cache
def auth(request):
backend = AzureActiveDirectoryBackend()
redirect_uri = request.build_absolute_uri(reverse(complete))
nonce = str(uuid.uuid4())
request.session['nonce'] = nonce
state = str(uuid.uuid4())
request.session['state'] = state
login_url = backend.login_url(
redirect_uri=redirect_uri,
nonce=nonce,
state=state
)
return HttpResponseRedirect(login_url)
#never_cache
#csrf_exempt
def complete(request):
backend = AzureActiveDirectoryBackend()
method = 'GET' if backend.RESPONSE_MODE == 'fragment' else 'POST'
original_state = request.session.get('state')
state = getattr(request, method).get('state')
if original_state == state:
token = getattr(request, method).get('id_token')
nonce = request.session.get('nonce')
user = backend.authenticate(token=token, nonce=nonce)
if user is not None:
login(request, user)
return HttpResponseRedirect(get_login_success_url(request))
return HttpResponseRedirect('failure')
This is the code used for authentication.
Settings.py sample is given below:
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'azure_ad_auth.backends.AzureActiveDirectoryBackend',
)
LOGIN_REDIRECT_URL = '/login_successful/'
AAD_TENANT_ID = 'd472b4f4-95c5-4eb3-8a9a-3615c837eada'
AAD_CLIENT_ID = '75e38b53-8174-4dc6-a8f6-bb7a913f1565'
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
SESSION_SAVE_EVERY_REQUEST = True
SESSION_COOKIE_AGE = 86400 # sec
SESSION_COOKIE_DOMAIN = None
SESSION_COOKIE_NAME = 'DSESSIONID'
SESSION_COOKIE_SECURE = True
Traceback
TypeError at /TypeError at /project/azure/complete/
must be str, not NoneType
Request Method: POST
Request URL: http://testdomain.com/project/azure/complete/
Django Version: 2.2.4
Exception Type: TypeError
Exception Value:
must be str, not NoneType
Exception Location: /home/project/azure_auth/views.py in complete, line 57
Python Executable: /home/project/app/venv/bin/python3
Python Version: 3.6.8
Python Path:
['/home/project/app/project',
'/home/project/app/venv/bin',
'/home/project/app/venv/lib64/python36.zip',
'/home/project/app/venv/lib64/python3.6',
'/home/project/app/venv/lib64/python3.6/lib-dynload',
'/usr/lib64/python3.6',
'/usr/lib/python3.6',
'/home/project/app/venv/lib/python3.6/site-packages']
Server time: Tue, 19 Nov 2019 05:21:10 +0000/azure/complete/
must be str, not NoneType
Request Method: POST
Request URL: http://testdomain.com/project/azure/complete/
Django Version: 2.2.4
Exception Type: TypeError
Exception Value:
must be str, not NoneType
Exception Location: /home/project/app/project/azure_auth/views.py in complete, line 57
Python Executable: /home/project/app/venv/bin/python3
Python Version: 3.6.8
Python Path:
['/home/project/app/project',
'/home/project/app/venv/bin',
'/home/project/app/venv/lib64/python36.zip',
'/home/project/app/venv/lib64/python3.6',
'/home/project/app/venv/lib64/python3.6/lib-dynload',
'/usr/lib64/python3.6',
'/usr/lib/python3.6',
'/home/project/app/venv/lib/python3.6/site-packages']
Server time: Tue, 19 Nov 2019 05:21:10 +0000
/home/project/app/project/azure_auth/views.py in complete
f.write("nonce -->"+nonce+"\n") …
▼ Local vars
Variable Value
backend
<azure_auth.backends.AzureActiveDirectoryBackend object at 0x7f5c688dce80>
data
['82aff4f9-2cc0-4521-aea7-ad3281d20774\n',
'ba821364-86c9-4233-881f-bdc772f7c488\n']
f
<_io.TextIOWrapper name='t1.txt' mode='w' encoding='UTF-8'>
method
'POST'
n
'82aff4f9-2cc0-4521-aea7-ad3281d20774'
nonce
None
original_state
None
request
<WSGIRequest: POST '/project/azure/complete/'>
state
'fd93da6a-9009-4363-9640-9364df7f64df'
token
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkJCOENlRlZxeWFHckdOdWVoSklpTDRkZmp6dyIsImtpZCI6IkJCOENlRlZxeWFHckdOdWVoSklpTDRkZmp6dyJ9.eyJhdWQiOiI0MDMyODJjZi1kYjlmLTQ1OTYtOWM1My0wMmI1MTA2ZDA0MDIiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC9mYmM0OTNhOC0wZDI0LTQ0NTQtYTgxNS1mNGNhNThlOGMwOWQvIiwiaWF0IjoxNTc0MTQwNTY5LCJuYmYiOjE1NzQxNDA1NjksImV4cCI6MTU3NDE0NDQ2OSwiYWlvIjoiNDJWZ1lCQSt4TFhqNEdVTjRRWEJiU3ZOZmF4NXBHY2NPenFoNzFuNDlXMmxnYTYzMjIwQiIsImFtciI6WyJwd2QiXSwiZmFtaWx5X25hbWUiOiJFIEsgUyIsImdpdmVuX25hbWUiOiJTdXNyZWV0aGEiLCJpbl9jb3JwIjoidHJ1ZSIsImlwYWRkciI6IjE4Mi43NS4xNjcuMTg4IiwibmFtZSI6IkUgSyBTLFN1c3JlZXRoYSIsIm5vbmNlIjoiODgyNTg4ZjgtMGM3MC00Y2JlLTk4MTktY2JkNjUyZmI0MDQ5Iiwib2lkIjoiNTU0ZjYzZWEtOTg4Yi00MmMwLTk4NjUtMTIxMDNkZTdhZTBmIiwib25wcmVtX3NpZCI6IlMtMS01LTIxLTYwMzE5MzI1LTExNjA5ODI5NTEtMTYwMTc3MzkwNy02NTg1OTMiLCJzdWIiOiI2aERUa1hYYkN3Wm5rcHEwSU9wRTRVWk56RHZlRFhvVjM3RGV5U3dkaDZRIiwidGlkIjoiZmJjNDkzYTgtMGQyNC00NDU0LWE4MTUtZjRjYTU4ZThjMDlkIiwidW5pcXVlX25hbWUiOiJTRTA3NTA0OEBjZXJuZXIubmV0IiwidXBuIjoiU0UwNzUwNDhAY2VybmVyLm5ldCIsInV0aSI6IkZTQmhnVDg4UTAyUHNfU293ZDdtQUEiLCJ2ZXIiOiIxLjAifQ.Rvc6xcPRZ01iebYtEyAWeyDnQEUVtqV1L1mapr658jLog-_yIASyEm3kMrkt6dIWWEO3dJSe3k05xOJlbnHqcjaR5LKAwOZzGR_oBmyIyB8-IvuEankNVpwYtcz8mY7kFr6AqQmIsx7xLLgv4grp-bSy4eRqjk36VeLX_LwMBuM_U6V70w0gXN1vvFCj0tjsv-VtTAmNgvdxS0ltzdD3rzZ87DoXbPWmoozLtO9WBRsJvMuvn-frBtYUYkIhs3I-eVAO9ZG2IWEuLQx6k7RBmzX6HgFi9SVpyEhNru7fmwO-qj5uRj9FQa45lCZluUV25o_AV1NQ94d5lnFyeMh7uw'
user
None
I got the above error while trying to write the session variables to file (for debugging.)
I know this question is a bit old, but the session won't be able to be retrieved (and with it the original state and nonce), and will fail the comparison if the cookie is not being sent by the browser.
The cookie is not sent by default in django 2.1+, since the default settings add SameSite=Lax
The cookies used for django.contrib.sessions, django.contrib.messages,
and Django’s CSRF protection now set the SameSite flag to Lax by
default. Browsers that respect this flag won’t send these cookies on
cross-origin requests. If you rely on the old behavior, set the
SESSION_COOKIE_SAMESITE and/or CSRF_COOKIE_SAMESITE setting to None.
https://docs.djangoproject.com/en/3.0/releases/2.1/#samesite-cookies
In theory this should still send the cookie (from what I understand), but for some reason chrome doesn't seem to. There's something I clearly do not understand, so if anyone knows better please comment.
Anyway, changing the setting via SESSION_COOKIE_SAMESITE = None should work.
Related
I have a Django REST Framework API backend for my Vue app. I'm trying to use Django sessions for anonymous users but either Django isn't sending or Axios can't read the session cookie.
A new session is being created by checking Session.objects.all().count()
I'm trying to store cart data using JWTAuthentication for authenticated users and SessionAuthentication for anonymous users.
# settings.py
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
'localhost:8080',
'127.0.0.1:8080',
)
SESSION_COOKIE_HTTPONLY = False
I've tried toggling SESSION_COOKIE_HTTPONLY in settings.py but still not able to see the cookie.
When intercepting the response the CSRF cookie is sent but the session cookie isn't included.
import axios from 'axios'
import Cookie from 'js-cookie'
axios.defaults.xsrfCookieName = 'csrftoken'
axios.defaults.xsrfHeaderName = 'X-CSRFToken'
axios.defaults.withCredentials = true
axios.interceptors.response.use(response => {
const sessionCookie = Cookie.get()
console.log('Cookie', sessionCookie)
return response
})
In my DRF API tests I can see that the session cookie is in the response.
Set-Cookie: sessionid=zgndujlppk4rnn6gymgg1czhv1u0rqfc; expires=Thu, 11 Apr 2019 11:27:32 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax
class Test(APITestCase):
def test_get(self):
response = self.client.get('/store/1/')
print(response.cookies['sessionid']
The issue was I was visiting the site at the URL localhost:8080 but the cookie was being saved under 127.0.0.1.
Changing the URL to 127.0.0.1:8080 solved the problem.
I'm a beginner in both angular JS and django. I was following this particular tutorial in making a facebook authentication app.
http://cbdev.blogspot.in/2014/02/facebook-login-with-angularjs-django.html
I've followed the tutorial exactly. And when I start the server I get the error.
NameError at /
name 'strategy' is not defined
Request Method: GET
Request URL: http://127.0.0.1:8000/
Django Version: 1.3.1
Exception Type: NameError
Exception Value:
name 'strategy' is not defined
Exception Location: /root/Documents/django/clueless/clueless_engine/../clueless_engine/views.py in <module>, line 1
Python Executable: /root/Documents/django/clueless/bin/python
Python Version: 2.7.13
Python Path:
['/root/Documents/django/clueless/clueless_engine',
'/root/Documents/django/clueless/lib/python2.7',
'/root/Documents/django/clueless/lib/python2.7/plat-x86_64-linux-gnu',
'/root/Documents/django/clueless/lib/python2.7/lib-tk',
'/root/Documents/django/clueless/lib/python2.7/lib-old',
'/root/Documents/django/clueless/lib/python2.7/lib-dynload',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/root/Documents/django/clueless/local/lib/python2.7/site-packages',
'/root/Documents/django/clueless/lib/python2.7/site-packages']
Server time: Thu, 1 Jun 2017 07:30:14 +0530
my views.py file is
#strategy()
def auth_by_token(request, backend):
backend = request.strategy.backend
user=request.user
user = backend.do_auth(
access_token=request.DATA.get('access_token'),
user=user.is_authenticated() and user or None
)
if user and user.is_active:
return user# Return anything that makes sense here
else:
return None
#csrf_exempt
#api_view(['POST'])
#permission_classes((permissions.AllowAny,))
def social_register(request):
auth_token = request.DATA.get('access_token', None)
backend = request.DATA.get('backend', None)
if auth_token and backend:
try:
user = auth_by_token(request, backend)
except Exception, err:
return Response(str(err), status=400)
if user:
strategy = load_strategy(request=request, backend=backend)
_do_login(strategy, user)
return Response( "User logged in", status=status.HTTP_200_OK )
else:
return Response("Bad Credentials", status=403)
else:
return Response("Bad request", status=400)
I have created Social Auth authentication using python scocial auth. you can check:
https://github.com/ranvijay-sachan/django-rest-login-and-social_auth/tree/master/profiles
POST: http://localhost:8000/api/v1/login/2/
Content-Type : application/json
{ "accessToken": "alert token" }
The problem was that I forgot to import modules.
from social.apps.django_app.utils import load_strategy strategy = load_strategy(request)
I'm having an issue where I can log in successfully but any subsequent requests show as
"detail":"CSRF Failed: CSRF token missing or incorrect."
I have no clue what I'm doing wrong, I've looked over Requests docs, DRF docs, turned off authentication to validate the url and searched old SO posts on the subject.
Here is a basic function with attached basic info
def will_fail():
CURRENT_URL = 'http://127.0.0.1:8000/{}'
session = requests.Session()
response = session.get(CURRENT_URL.format('api-auth/login/'))
csrftoken = response.cookies['csrftoken']
first_response = session.post(CURRENT_URL.format('api-auth/login/'),
data={'username': 'itsme', 'password': 'password'},
headers={'X-CSRFToken': csrftoken})
response = session.post(CURRENT_URL.format('api-v1/languages/'),
params={'name': "French", "audio_base": "adpifajsdpfijsdp"},
headers={'X-CSRFToken': csrftoken})
first_response (login):
URL - 'http://127.0.0.1:8000/api-v1/'
Text - {"languages":"http://127.0.0.1:8000/api-v1/languages/","phrases":"http://127.0.0.1:8000/api-v1/phrases/","stats":"http://127.0.0.1:8000/api-v1/stats/"}
Status - <Response [200]>
response (add language):
URL - 'http://127.0.0.1:8000/api-v1/languages/?audio_base=adpifajsdpfijsdp&name=French'
Text - {"detail":"CSRF Failed: CSRF token missing or incorrect."}
Status - <Response [403]>
The settings are very basic since I'd just started on this:
THIRD_PARTY_APP = [
'rest_framework.authtoken',
'rest_framework',
]
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.SessionAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
)
}
Here is the URL info which is also pretty generic
from training.views import LanguageViewSet, PhraseViewSet, PhraseStatsViewSet
router = DefaultRouter()
router.register(r'languages', LanguageViewSet)
router.register(r'phrases', PhraseViewSet)
router.register(r'stats', PhraseStatsViewSet)
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
url(r'^api-v1/', include(router.urls, namespace='api'))
]
I'm using ModelSerializers and ModelViewSets, I didn't override any methods and included all fields.
EDIT:
I had already tried updating the token as well but it gave me a KeyError -
Traceback (most recent call last):
File "C:/Users/Me/PycharmProjects/proj/post_data.py", line 70, in <module>
will_fail()
File "C:/Users/Me/PycharmProjects/proj/post_data.py", line 62, in will_fail
csrftoken = first_response.cookies['csrftoken']
File "C:\Users\Me\Envs\proj\lib\site-packages\requests\cookies.py", line 329, in __getitem__
return self._find_no_duplicates(name)
File "C:\Users\Me\Envs\proj\lib\site-packages\requests\cookies.py", line 400, in _find_no_duplicates
raise KeyError('name=%r, domain=%r, path=%r' % (name, domain, path))
KeyError: "name='csrftoken', domain=None, path=None"
The problem is that your first request logs the user in. Django rotates the token when you log in:
Why might a user encounter a CSRF validation failure after logging in?
For security reasons, CSRF tokens are rotated each time a user logs in. Any page with a form generated before a login will have an old, invalid CSRF token and need to be reloaded. This might happen if a user uses the back button after a login or if they log in in a different browser tab.
The token that you use in the next requests is the token that was used before it was rotated. You need to get the new token from the cookie after the login request.
On top of that, requests transparently follows redirects, and return the last response. Since the second response (probably) doesn't use the token, it isn't set as a cookie. You can use allow_redirects=False to get the first request, and then get the new token from that request. Alternatively you can sent a new GET request for a page that uses the token in the response body, then the token will also be sent as a cookie.
...
first_response = session.post(CURRENT_URL.format('api-auth/login/'),
data={'username': 'itsme', 'password': 'password'},
headers={'X-CSRFToken': csrftoken},
allow_redirects=False)
# Get the new token
newcsrftoken = first_response.cookies['csrftoken']
response = session.post(CURRENT_URL.format('api-v1/languages/'),
params={'name': "French", "audio_base": "adpifajsdpfijsdp"},
headers={'X-CSRFToken': newcsrftoken})
You're likely not using sessions with Requests which would keep the initial response cookies for the next requests.
DRF tells you more about how CSRF works with DRF at http://www.django-rest-framework.org/topics/ajax-csrf-cors/#csrf-protection
I'm testing my django (1.6.5) app in localhost. I use django-allauth and without ssl everything was ok.
I installed django-sslserver and change as follows:
Settings.py
ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https' # allauth
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
os.environ['HTTPS'] = "on"
Api Google Console
REDIRECT URIS : http://localhost:8000/accounts/google/login/callback/
https://localhost:8000/accounts/google/login/callback/
When I logged in with my google account, I accepted the authorization, but when it's redirected back to my app, shows the error:
DoesNotExist at /accounts/google/login/callback/
User matching query does not exist.
Request URL: https://localhost:8000/accounts/google/login/callback/?state=PwKj3DsvzmNp&code=4/16ttwvGn7SIZKyHWZ9sSy8YOx7sg.4t9M4AcGcoEfoiIBeO6P2m9E6KmpkAI
allauth/socialaccount/helpers.py in _login_social_account
def _login_social_account(request, sociallogin):
**return perform_login(request, sociallogin.account.user, ...**
email_verification=app_settings.EMAIL_VERIFICATION,
redirect_url=sociallogin.get_redirect_url(request),
signal_kwargs={"sociallogin": sociallogin})
The error is in the return line.
Can you help me? Thanks! :)
I have used django package social_auth to implement facebook login on my website. I am able to log in correctly and get all the data. But I am not able to logout.
I am not using django.user.login and logout. I am using socialauth_begin and socialauth_disconnect
I am able to login, go in the social auth pipeline, get the necessary information, but I am not able to logout. What is the fix to this problem?
When I click on "Logout" in Logout
I get the following error
NotAllowedToDisconnect at /tomonotomo/auth/disconnect/facebook/
No exception supplied
Request Method: GET
Request URL: http://localhost:8000/tomonotomo/auth/disconnect/facebook/
Django Version: 1.5.1
Exception Type: NotAllowedToDisconnect
Exception Location: /tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/local/lib/python2.7/site-packages/social_auth/backends/__init__.py in disconnect, line 435
Python Executable: /tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/bin/python2.7
Python Version: 2.7.3
Python Path:
['/tmp/guest-onyOH9/pratik/tomonotomo_project',
'/tmp/guest-onyOH9/Desktop/pycharm-2.7.3/helpers/pydev',
'/tmp/guest-onyOH9/pratik/tomonotomo_project',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7/plat-linux2',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7/lib-tk',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7/lib-old',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7/lib-dynload',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-linux2',
'/usr/lib/python2.7/lib-tk',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/local/lib/python2.7/site-packages',
'/tmp/guest-onyOH9/pratik/virtualenv-1.10/tomonotomo/lib/python2.7/site-packages']
Server time: Sat, 10 Aug 2013 22:27:42 -0500
The settings I have is this:
AUTHENTICATION_BACKENDS = (
'social_auth.backends.facebook.FacebookBackend',
'django.contrib.auth.backends.ModelBackend',
)
FACEBOOK_EXTENDED_PERMISSIONS= ['email', 'user_birthday']
SOCIAL_AUTH_PIPELINE = (
'social_auth.backends.pipeline.social.social_auth_user',
'social_auth.backends.pipeline.associate.associate_by_email',
'social_auth.backends.pipeline.user.get_username',
'social_auth.backends.pipeline.user.create_user',
'tomonotomo.social_auth_pipeline.create_custom_user',
'social_auth.backends.pipeline.social.associate_user',
'social_auth.backends.pipeline.user.update_user_details',
)
SOCIAL_AUTH_CREATE_USERS = True
SOCIAL_AUTH_FORCE_RANDOM_USERNAME = False
SOCIAL_AUTH_DEFAULT_USERNAME = 'socialauth_user'
SOCIAL_AUTH_ENABLED_BACKENDS = ('facebook',)
SOCIAL_AUTH_COMPLETE_URL_NAME = 'socialauth_complete'
SOCIAL_AUTH_ASSOCIATE_URL_NAME = 'socialauth_associate_complete'
SOCIAL_AUTH_ASSOCIATE_BY_EMAIL = True
SOCIAL_AUTH_ERROR_KEY = 'socialauth_error'
SOCIAL_AUTH_REDIRECT_IS_HTTPS = False
LOGIN_URL = '/tomonotomo/login/'
LOGIN_REDIRECT_URL = '/tomonotomo/'
LOGIN_ERROR_URL = '/tomonotomo/login-error/'
Please Help. Thanks
The code I used to Login was:
<h3 style="color:white">Connect via Facebook</h3>
I just have the same problem but with twitter.
This error is generated because the user has not another way to connect/disconnect from the system, and the API in some way think it would be dangerous.
How I resolve the problem was calling a custom logout form like in the example:
https://github.com/omab/django-social-auth/blob/master/example/app/views.py#L39