CODEWITHSUNDEEP
djangodjango-allauth
James Lin
James Lin

Reputation: 26528

django-allauth gives 403 forbidden at callback

I am creating a custom provider to get oauth2 tokens from another internal project, the process is almost fine, but I am getting 403 forbidden error when browser returns to my project with this url:

http://localhost:8001/account/connect/login/callback/?state=Nngd5Gu3JnB4&code=Rqqg91oEwQKDsvSyzZ8Az5fEeHGaEe#_=_

here is the views.py in my custom provider:

import requests
from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter, OAuth2LoginView, OAuth2CallbackView)
from .provider import ConnectProvider


class ConnectOAuth2Adapter(OAuth2Adapter):
    provider_id = ConnectProvider.id
    access_token_url = 'http://localhost:8000/o/token/'
    authorize_url = 'http://localhost:8000/o/authorize/'
    profile_url = 'http://localhost:8000/api/account/'

    def complete_login(self, request, app, token, **kwargs):
        _token = {'access_token':token.token}
        resp = requests.get(self.profile_url, params={'access_token': token.token, 'alt': 'json'})
        extra_data = resp.json()
        login = self.get_provider().sociallogin_from_response(request, extra_data)
        return login

oauth2_login = OAuth2LoginView.adapter_view(GoConnectOAuth2Adapter)
oauth2_callback = OAuth2CallbackView.adapter_view(GoConnectOAuth2Adapter)

Upvotes: 4

Views: 1528

Answers (1)

James Lin
James Lin

Reputation: 26528

After going through the allauth source code, I figured out the problem was due to session:

 @classmethod
  def stash_state(cls, request):  
      state = cls.state_from_request(request) 
      verifier = get_random_string()  
      request.session['socialaccount_state'] = (state, verifier)
      return verifier



@classmethod
  def verify_and_unstash_state(cls, request, verifier):
      if 'socialaccount_state' not in request.session:
          raise PermissionDenied()        
      state, verifier2 = request.session.pop('socialaccount_state')
      if verifier != verifier2:       
          raise PermissionDenied()        
      return state

Basically I have 2 websites one being the OAuth server(localhost:8000) and one being OAuth client(localhost:8001), initially the client sets the session in stash_state method, then browser redirects to the server, however since both using the same domain name, the server overrides the session and clears the session set by the client.

Upvotes: 6

Related Questions