After going through the allauth source code, I figured out the problem was due to the session:
    from django.core.exceptions import PermissionDenied
    from django.utils.crypto import get_random_string


    class SocialLogin:
        # allauth.socialaccount.models.SocialLogin; only the two methods
        # relevant to the problem are shown. state_from_request is another
        # classmethod of this class and is not reproduced here.

        @classmethod
        def stash_state(cls, request):
            # Save the OAuth state plus a random verifier in the session of the
            # site that starts the login; the verifier is echoed back later.
            state = cls.state_from_request(request)
            verifier = get_random_string()
            request.session['socialaccount_state'] = (state, verifier)
            return verifier

        @classmethod
        def verify_and_unstash_state(cls, request, verifier):
            # If the session no longer carries the stashed state (for example
            # because a different site overwrote the session cookie), the
            # callback is rejected with PermissionDenied.
            if 'socialaccount_state' not in request.session:
                raise PermissionDenied()
            state, verifier2 = request.session.pop('socialaccount_state')
            if verifier != verifier2:
                raise PermissionDenied()
            return state
Basically I have 2 websites, one being the OAuth server (localhost:8000) and one being the OAuth client (localhost:8001). Initially the client sets the session in the stash_state
method, then the browser redirects to the server; however, since both use the same domain name, the server overrides the session and clears the session set by the client.
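The cookie-scoping behaviour behind this is worth seeing end to end. The following is an added illustration and is not code from allauth or from the answer above: it drives Python's RFC-compliant http.cookiejar (standing in for the browser) with hand-constructed Set-Cookie headers, replays the client -> server -> client redirect chain, and reports which cookies reach the client's callback. The URLs, the session id values and the cookie names are constructed placeholders; the cookie names are assumed to be whatever each Django site has in SESSION_COOKIE_NAME (default "sessionid").

```python
"""Why two Django sites on one host with different ports share a session cookie.

Added illustration (not allauth's or the post author's code). A browser scopes
cookies by host and path, never by port, so localhost:8000 and localhost:8001
read and overwrite each other's "sessionid" cookie.
"""
import http.cookiejar
import urllib.request
from http.client import HTTPMessage


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = HTTPMessage()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so several Set-Cookie headers are kept.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def visit(jar, url, set_cookie_values=()):
    """One round trip: attach stored cookies, then store what the site sets.

    Returns the Cookie header the "browser" sent on this request, or None.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    sent = request.get_header("Cookie")
    jar.extract_cookies(FakeResponse(set_cookie_values), request)
    return sent


def oauth_round_trip(client_cookie_name, server_cookie_name):
    """Replay the redirect chain and return the Cookie header that the OAuth
    client (port 8001) sees when the browser comes back to its callback.

    client_cookie_name / server_cookie_name play the role of each site's
    SESSION_COOKIE_NAME. URLs and session ids are constructed placeholders.
    """
    jar = http.cookiejar.CookieJar()
    client = "http://localhost:8001/accounts/login/"      # assumed path
    server = "http://localhost:8000/o/authorize/"         # assumed path
    callback = "http://localhost:8001/accounts/callback/" # assumed path

    # 1. The client stashes (state, verifier) in its session and sets its cookie.
    visit(jar, client, [f"{client_cookie_name}=client-session; Path=/"])
    # 2. The browser is redirected to the server, which starts its own session.
    visit(jar, server, [f"{server_cookie_name}=server-session; Path=/"])
    # 3. The browser is redirected back to the client's callback: what arrives?
    return visit(jar, callback)


if __name__ == "__main__":
    # Same cookie name on both sites: the server's Set-Cookie replaced the
    # client's, so the client's session (and the stashed state) is gone.
    print("shared name :", oauth_round_trip("sessionid", "sessionid"))
    # Distinct names: both cookies coexist and the client finds its session.
    print("distinct    :", oauth_round_trip("client_sessionid", "sessionid"))
```

With both sites on the default "sessionid", the callback arrives carrying only the server's cookie, which is exactly the state in which verify_and_unstash_state finds no 'socialaccount_state' and raises PermissionDenied. Giving the two Django projects different SESSION_COOKIE_NAME values (or serving them from different hostnames, for instance 127.0.0.1 versus localhost, since cookies are keyed by host rather than port) keeps the sessions apart during development.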