Your credentials aren't allowed for Google OAuth Authentication

franzramadhan commented 2 years ago

Slack us first! I have raised this issue in the slack - https://owasp.slack.com/archives/C2P5BA8MN/p1661154750234779

Be informative I am trying to setup OAuth2 authentication using Google by following this wiki But I got AuthForbidden at /complete/google-oauth2/ error after clicking the Login with Google button. Following environment variables have been set inside the uwsgi container.

DD_SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=G<redacted>
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=72<redacted>-<redacted>.apps.googleusercontent.com
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED=true

Bug description Traceback

Environment:

Request Method: GET
Request URL: https://<defectdojo-public-url>/complete/google-oauth2/?state=zcdf7miQNPvWCuIR6HVSz1BzYLSNo7Xe&code=4%2F0AdQt8qh4uuehZ82fvSdcfs2dWRS-GuZr5TsN-TFVOh0bdUhChlFazlkSDeNsKWaD_2BhHQ&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&hd=<mydomain.com>&prompt=none

Django Version: 3.2.14
Python Version: 3.8.13
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'polymorphic',
 'django.contrib.admin',
 'django.contrib.humanize',
 'gunicorn',
 'auditlog',
 'dojo',
 'watson',
 'tagging',
 'imagekit',
 'multiselectfield',
 'rest_framework',
 'rest_framework.authtoken',
 'dbbackup',
 'django_celery_results',
 'social_django',
 'drf_yasg',
 'drf_spectacular',
 'tagulous',
 'django_prometheus')
Installed Middleware:
['django_prometheus.middleware.PrometheusBeforeMiddleware',
 'django.middleware.common.CommonMiddleware',
 'dojo.middleware.DojoSytemSettingsMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'dojo.middleware.LoginRequiredMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'watson.middleware.SearchContextMiddleware',
 'auditlog.middleware.AuditlogMiddleware',
 'crum.CurrentRequestUserMiddleware',
 'dojo.request_cache.middleware.RequestCacheMiddleware',
 'django_prometheus.middleware.PrometheusAfterMiddleware']

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/usr/local/lib/python3.8/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
    return self.do_auth(response['access_token'], response=response,
  File "/usr/local/lib/python3.8/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/oauth.py", line 413, in do_auth
    return self.strategy.authenticate(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/strategy.py", line 105, in authenticate
    return authenticate(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/__init__.py", line 76, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 80, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 83, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 113, in run_pipeline
    result = func(*args, **out) or {}
  File "/usr/local/lib/python3.8/site-packages/social_core/pipeline/social_auth.py", line 14, in auth_allowed
    raise AuthForbidden(backend)

Exception Type: AuthForbidden at /complete/google-oauth2/
Exception Value: Your credentials aren't allowed

Steps to reproduce Steps to reproduce the behavior:

Enable debug mode
Go to defectdojo login URL
Click on Login with Google Button
See error

Expected behavior A clear and concise description of what you expected to happen.

Deployment method (select with an X)

[ ] Docker Compose
[x] Kubernetes
[ ] GoDojo

Environment information

Operating System:

defectdojo@defectdojo-django-84767bf788-f8bf7:/app$ uname -a
Linux defectdojo-django-84767bf788-f8bf7 5.4.188+ #1 SMP Sun Apr 24 10:03:06 PDT 2022 x86_64 GNU/Linux