
Flask RemoteApp.authorize_access_token() includes state parameter in request #16

Closed
lyschoening opened this issue Jan 18, 2018 · 6 comments

Comments

@lyschoening

When following the typical authorization flow, the access token is requested from the authorization redirect URI. The RemoteApp implementation for Flask copies all request arguments of this callback and attaches them to the request for the authorization token.

    # Application code: the redirect URI handler exchanges the code for a token.
    @app.route('/authorize')
    def authorize():
        token = oauth.google.authorize_access_token()
        # ...

    # Inside authorize_access_token(), every query parameter of the callback
    # is collected and forwarded unchanged to the token endpoint:
    from flask import request
    params = request.args.to_dict(flat=True)

The request arguments to the callback include "state", which does not need to be submitted with the request for the access token. Due to this, the Google API will respond with an error: "Parameter not allowed for this message type: state".

@lepture
Owner

lepture commented Jan 18, 2018

@lyschoening Did you try the Google connect on https://play.authlib.org/, which works pretty well?

Besides, the state parameter is recommended to be included in the authorization request according to the RFC:
https://tools.ietf.org/html/rfc6749#section-4.1.1

@lyschoening
Author

lyschoening commented Jan 22, 2018

@lepture Is https://play.authlib.org/ a Flask app/sending the state parameter?

I'm authorizing through https://accounts.google.com/o/oauth2/token, not https://www.googleapis.com/oauth2/v4/token, which could explain why the behavior is different.

Google's documentation does not mention a state parameter
https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code and from reading around it seems this is known non-standard behavior in Google's API.

@lyschoening
Author

I should add that state isn't the only parameter being forwarded. Every parameter on the callback response is forwarded (authuser, session_state, prompt in this case).

@lepture
Copy link
Owner

lepture commented Jan 22, 2018

@lyschoening Is there any reason that you have to use https://accounts.google.com/o/oauth2/token instead of https://www.googleapis.com/oauth2/v4/token?

I'm OK with changing the default behavior of request.args.to_dict(flat=True). But state will always be included; I don't think https://accounts.google.com/o/oauth2/token has done OAuth 2 right.

@lyschoening
Author

@lepture It's the URL in the configuration the Google Cloud console returns when you create an OAuth client for a web application.

lepture added a commit that referenced this issue Jan 23, 2018
@lepture
Owner

lepture commented Jan 23, 2018

@lyschoening I've cleaned up params in authorize_access_token.

Here are the endpoints that I found for Google: https://accounts.google.com/.well-known/openid-configuration
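To make the fix discussed in this thread concrete, here is an added example (not authlib's code, and not posted by either participant) of what the callback handler should do with the redirect URI's query string: verify the state against the value the application stored when it built the authorization request, then assemble a token request that carries only the RFC 6749 section 4.1.3 parameters (grant_type, code, redirect_uri, client_id). Parameters such as state, authuser, session_state and prompt are consumed or ignored locally and never reach the token endpoint. The function names, the sample callback URL and its parameter values are constructed for illustration; parse_callback stands in for Flask's request.args.to_dict(flat=True) so the block runs without a web framework.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters an authorization-code token request carries per RFC 6749
# section 4.1.3. Nothing else from the callback is forwarded.
TOKEN_REQUEST_PARAMS = ("grant_type", "code", "redirect_uri", "client_id")


class StateMismatch(Exception):
    """Raised when the callback's state does not match the one we issued."""


def parse_callback(callback_url):
    """Return the callback's query parameters as a flat dict (last value wins).

    Stands in for request.args.to_dict(flat=True) so the example runs
    without a Flask request object.
    """
    query = urlsplit(callback_url).query
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_token_request(callback_args, expected_state, client_id, redirect_uri):
    """Validate the callback and assemble only the token-request parameters.

    callback_args: dict of query parameters from the redirect URI.
    expected_state: the state value stored server-side (e.g. in the session)
                    when the authorization request was created.
    Returns the dict to POST to the token endpoint.
    """
    if "error" in callback_args:
        raise ValueError("authorization failed: %s" % callback_args["error"])
    # state is checked against what we issued (CSRF protection) and then
    # consumed here; it is never part of the token request.
    if callback_args.get("state") != expected_state:
        raise StateMismatch("state does not match the one stored in the session")
    if "code" not in callback_args:
        raise ValueError("callback is missing the authorization code")
    params = {
        "grant_type": "authorization_code",
        "code": callback_args["code"],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    # Allow-list check: nothing outside TOKEN_REQUEST_PARAMS leaks through.
    unexpected = set(params) - set(TOKEN_REQUEST_PARAMS)
    if unexpected:
        raise RuntimeError("unexpected token parameters: %s" % sorted(unexpected))
    return params


def dropped_params(callback_args):
    """Names of callback parameters that are not forwarded (useful for logging)."""
    return sorted(k for k in callback_args if k != "code")


if __name__ == "__main__":
    # Constructed sample callback modelled on the parameters named in the
    # issue (state, authuser, session_state, prompt); all values are made up.
    CALLBACK = ("https://example.com/authorize?code=fake-auth-code"
                "&state=xyzABC123&authuser=0&session_state=fake-session&prompt=consent")
    args = parse_callback(CALLBACK)
    req = build_token_request(args, "xyzABC123", "my-client-id",
                              "https://example.com/authorize")
    print("token request:", req)
    print("dropped from callback:", dropped_params(args))
```

The client secret (or another client authentication method) is added when the POST is actually made; it is deliberately not part of the parameter set built from the callback, so a compromised or manipulated redirect can never influence it.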

lepture closed this as completed Jan 24, 2018
lepture added the spec label Jan 24, 2018
lepture added a commit that referenced this issue Feb 1, 2018
This bug is introduced by #16
coopfeathy added a commit to coopfeathy/authlib-django that referenced this issue Dec 11, 2022
coopfeathy added a commit to coopfeathy/authlib-django that referenced this issue Dec 11, 2022
This bug is introduced by lepture/authlib#16