Question

I am creating a custom provider to get OAuth2 tokens from another internal project. The process is almost fine, but I am getting a 403 Forbidden error when the browser returns to my project with this URL:

http://localhost:8001/account/connect/login/callback/?state=Nngd5Gu3JnB4&code=Rqqg91oEwQKDsvSyzZ8Az5fEeHGaEe#_=_

Here is the views.py in my custom provider:

import requests
from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter, OAuth2LoginView, OAuth2CallbackView)
from .provider import ConnectProvider


class ConnectOAuth2Adapter(OAuth2Adapter):
    provider_id = ConnectProvider.id
    # Endpoints of the internal OAuth2 server (the second project, localhost:8000)
    access_token_url = 'http://localhost:8000/o/token/'
    authorize_url = 'http://localhost:8000/o/authorize/'
    profile_url = 'http://localhost:8000/api/account/'

    def complete_login(self, request, app, token, **kwargs):
        # Fetch the user's profile with the freshly issued access token
        resp = requests.get(self.profile_url, params={'access_token': token.token, 'alt': 'json'})
        resp.raise_for_status()
        extra_data = resp.json()
        login = self.get_provider().sociallogin_from_response(request, extra_data)
        return login


# The adapter views must reference the class defined above (the name has to match)
oauth2_login = OAuth2LoginView.adapter_view(ConnectOAuth2Adapter)
oauth2_callback = OAuth2CallbackView.adapter_view(ConnectOAuth2Adapter)

Solution

After going through the allauth source code, I figured out the problem was due to the session:

from django.core.exceptions import PermissionDenied
from django.utils.crypto import get_random_string


class Provider:
    # Excerpt from allauth's provider base class; other methods omitted.

    @classmethod
    def stash_state(cls, request):
        # Store the state and a random verifier in the client's session;
        # the verifier is what gets sent to the server as the ``state`` parameter.
        state = cls.state_from_request(request)
        verifier = get_random_string()
        request.session['socialaccount_state'] = (state, verifier)
        return verifier

    @classmethod
    def verify_and_unstash_state(cls, request, verifier):
        # On the callback, the stashed tuple must still be in the session
        # and the verifier from the ``state`` parameter must match it.
        if 'socialaccount_state' not in request.session:
            raise PermissionDenied()
        state, verifier2 = request.session.pop('socialaccount_state')
        if verifier != verifier2:
            raise PermissionDenied()
        return state

Basically I have 2 websites, one being the OAuth server (localhost:8000) and one being the OAuth client (localhost:8001). Initially the client sets the session in the stash_state method, then the browser redirects to the server; however, since both use the same domain name, the server overrides the session and clears the session set by the client.
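The following is an added illustration, not code from the answer or from allauth: it models a browser cookie jar the way RFC 6265 scopes cookies (by host and cookie name, with the port ignored) and replays the redirect dance from the answer through it. With both Django projects using the default session cookie name, the server's Set-Cookie replaces the client's session cookie, so the callback sees an empty session and the stashed state is gone (the 403 from PermissionDenied). Giving the client project a distinct cookie name keeps the two sessions apart. The cookie names, the sample state dict and the session layout are assumptions made for the demonstration.

```python
import secrets


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied (Django renders it as 403)."""


class CookieJar:
    """Toy browser cookie jar. As in RFC 6265, a cookie is identified by host
    and name only; the port is ignored, so localhost:8000 and localhost:8001
    share one cookie namespace."""

    def __init__(self):
        self._cookies = {}

    def set(self, host, name, value):
        self._cookies[(host, name)] = value

    def get(self, host, name):
        return self._cookies.get((host, name))


class DjangoLikeApp:
    """Server-side sessions addressed by a session cookie, Django style:
    a missing or unknown session key yields a fresh, empty session."""

    def __init__(self, host, cookie_name):
        self.host = host
        self.cookie_name = cookie_name  # corresponds to settings.SESSION_COOKIE_NAME
        self._sessions = {}

    def session_for(self, jar):
        key = jar.get(self.host, self.cookie_name)
        if key not in self._sessions:
            # Unknown key: start a new session and overwrite the cookie (Set-Cookie)
            key = secrets.token_urlsafe(16)
            self._sessions[key] = {}
            jar.set(self.host, self.cookie_name, key)
        return self._sessions[key]

    # The two allauth methods from the answer, re-expressed on the toy session.
    def stash_state(self, jar, state):
        verifier = secrets.token_urlsafe(12)
        self.session_for(jar)["socialaccount_state"] = (state, verifier)
        return verifier

    def verify_and_unstash_state(self, jar, verifier):
        session = self.session_for(jar)
        if "socialaccount_state" not in session:
            raise PermissionDenied("no stashed state: the client session was lost")
        state, verifier2 = session.pop("socialaccount_state")
        if verifier != verifier2:
            raise PermissionDenied("state verifier mismatch")
        return state


def run_flow(client_cookie_name, server_cookie_name):
    """Play the authorization-code redirects through one browser.
    Returns the unstashed state on success, or a '403: ...' string on failure."""
    jar = CookieJar()
    client = DjangoLikeApp("localhost", client_cookie_name)  # OAuth client, localhost:8001
    server = DjangoLikeApp("localhost", server_cookie_name)  # OAuth server, localhost:8000

    # 1. client /account/connect/login/: stash state, redirect to /o/authorize/?state=<verifier>
    verifier = client.stash_state(jar, {"process": "connect", "next": "/"})
    # 2. server /o/authorize/: logs the user in and sets its own session cookie
    server.session_for(jar)["_auth_user_id"] = "42"
    # 3. client /account/connect/login/callback/?state=<verifier>&code=...
    try:
        return client.verify_and_unstash_state(jar, verifier)
    except PermissionDenied as exc:
        return f"403: {exc}"


if __name__ == "__main__":
    print(run_flow("sessionid", "sessionid"))          # both on the default name: 403
    print(run_flow("client_sessionid", "sessionid"))   # distinct names: state comes back
```

The practical consequence, stated here as a recommendation rather than something the answer spells out: when two Django projects are served from the same hostname (even on different ports), give one of them its own SESSION_COOKIE_NAME (and CSRF_COOKIE_NAME) in settings.py, or serve them on distinct hostnames, so that neither project can clobber the other's session cookie.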

Licensed under: CC-BY-SA with attribution