Closed sverchdotgov closed 6 years ago
@sverchdotgov This should work. The test client uses basically the same setup you have here in Flask. There could be issues with the server... investigating. In the meantime, do you have better luck with this?
Thanks @aviars! I tried that out and it did work.
Looking at the URL that it sends me to in the sandbox, I see that the Django version that does work includes "redirect_uri", but my example does not. Taking out "redirect_uri" does in fact cause an "auth forbidden" error.
Hmm, although I explicitly added the redirect_uri and still get the access denied error.
So I was wondering why github worked without the redirect_uri, and found https://tools.ietf.org/html/rfc6749#section-3.1.2.3:
If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.
@whytheplatypus ran this locally and figured out that you need to pass redirect_uri in every instantiation of the oauth session object. I tried that and it works now! Thanks @whytheplatypus!
Talked with @whytheplatypus in hipchat about the requirement of redirect_uri. Here's the summary:
Registering the redirect URIs at application registration time is what provides the security benefit, since that means attackers can't just redirect clients to random places. So requiring the redirect_uri when there's only one registered doesn't provide extra security because we can redirect to the known good place.
However, requiring it all the time does have the major downside that the python requests oauth client defaults to not sending it, which may make new users think the API is just completely broken (when the real thing is that it is not matching the spec in this specific case). That seems like it makes it a bigger deal to remove this requirement. @samgensburg-gov Thoughts? Should I file an issue somewhere?
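The two points above (pass redirect_uri on every request from the client, and validate it against what was registered on the server) come together in the following added example. It is not code from the Blue Button API, requests-oauthlib, or anyone in this thread; the client registry, client IDs, and redirect URIs are constructed values. The server side implements the RFC 6749 section 3.1.2.3 rule: when exactly one redirect URI is registered and none is sent, fall back to the registered one; in every other case the parameter is required and must match a registered value exactly.

```python
"""redirect_uri handling on both sides of the OAuth 2.0 authorization request.

Added example (not the Blue Button API's or requests-oauthlib's own code).
The registry below and all client IDs / URIs are hypothetical, constructed values.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registry: client_id -> redirect URIs registered at application
# registration time. Registration is what carries the security benefit: an
# attacker cannot steer the authorization code to a URI that is not in here.
REGISTERED = {
    "single-uri-client": ["https://app.example.com/callback"],
    "multi-uri-client": ["https://app.example.com/callback", "https://app.example.com/alt"],
    "no-uri-client": [],
}


def build_authorization_url(auth_endpoint, client_id, redirect_uri=None, scope=None, state="xyz"):
    """Client side: build the authorization URL.

    redirect_uri is only included when the caller supplies it. That mirrors the
    behaviour in the thread: a client built without redirect_uri sends a request
    that a server requiring the parameter will reject.
    """
    params = {"response_type": "code", "client_id": client_id, "state": state}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    if scope:
        params["scope"] = scope
    return auth_endpoint + "?" + urlencode(params)


def resolve_redirect_uri(client_id, requested):
    """Server side: return the redirect URI to send the code to, or raise ValueError.

    RFC 6749 section 3.1.2.3: the client MUST send redirect_uri if several URIs are
    registered, a partial URI is registered, or none is registered. With exactly one
    full URI registered the server can fall back to it, which is why requiring the
    parameter in that case adds no security.
    """
    registered = REGISTERED.get(client_id)
    if registered is None:
        raise ValueError("unknown client_id")
    if requested is None:
        if len(registered) == 1:
            return registered[0]
        raise ValueError("redirect_uri required: %d URIs registered" % len(registered))
    # Exact string comparison on purpose. Prefix or wildcard matching lets an attacker
    # append a path that reaches an open redirect under the registered origin.
    # A client with no registered URIs is also refused here; that is stricter than the
    # RFC text, which only requires the client to send one (an assumption of this example).
    if requested not in registered:
        raise ValueError("redirect_uri does not match a registered URI")
    return requested


def authorize(url):
    """Parse a client-built authorization URL and apply the server-side check.

    Returns (True, redirect_uri) on success or (False, reason) on rejection.
    """
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [None])[0]
    requested = query.get("redirect_uri", [None])[0]
    try:
        return True, resolve_redirect_uri(client_id, requested)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    AS = "https://as.example/authorize"  # hypothetical authorization endpoint
    print(authorize(build_authorization_url(AS, "single-uri-client")))
    print(authorize(build_authorization_url(AS, "multi-uri-client")))
    print(authorize(build_authorization_url(AS, "multi-uri-client",
                                            redirect_uri="https://app.example.com/alt")))
    print(authorize(build_authorization_url(AS, "single-uri-client",
                                            redirect_uri="https://evil.example/cb")))
```

The single-URI client succeeds with or without the parameter, the multi-URI client is rejected until it sends one, and any value that is not byte-for-byte registered is refused regardless of how many URIs the client has. A client library that omits redirect_uri by default therefore only breaks against servers that require it unconditionally, which is the mismatch the thread describes.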
We fixed the redirect_uri requirement a while back, so we should be good.
This may be a problem with my configuration/client, but I've tried to rule that out as best I can.
This is all using the developer portal to authorize.
I'm using the example here: http://requests-oauthlib.readthedocs.io/en/latest/examples/real_world_example.html#real-example. I copied that directly and it worked with GitHub, but when I try to use that same code with the Blue Button developer sandbox I get this error:
I also intermittently get this:
I tried to change my client_id and client_secret to something obviously broken, and that caused a different error, so I think those are correct.
Here's the code: