cevoaustralia / aws-google-auth

Provides AWS STS credentials based on Google Apps SAML SSO auth (what a jumble!)
MIT License

ERROR:root:'NoneType' object has no attribute 'get' #147

Closed vkatsikaros closed 4 years ago

vkatsikaros commented 4 years ago

Hello

I think I ran into an additional Google response, other than #52, #3, #90.

I run aws-google-auth from within an EC2 instance that is my "workstation", and I get this. At the same time, with the same Google password, aws-google-auth works from my laptop.

ERROR:root:'NoneType' object has no attribute 'get'
Traceback (most recent call last):        
  File "/usr/local/lib/python2.7/dist-packages/aws_google_auth/__init__.py", line 72, in cli
    process_auth(args, config)
  File "/usr/local/lib/python2.7/dist-packages/aws_google_auth/__init__.py", line 212, in process_auth
    google_client.do_login()
  File "/usr/local/lib/python2.7/dist-packages/aws_google_auth/google.py", line 294, in do_login
    sess = self.handle_prompt(sess)
  File "/usr/local/lib/python2.7/dist-packages/aws_google_auth/google.py", line 542, in handle_prompt
    'data-api-key': True
AttributeError: 'NoneType' object has no attribute 'get'
  1. added a print(sess.url) at https://github.com/cevoaustralia/aws-google-auth/blob/165e8636cdf58d2691c38fe67028ffdbb174aeb4/aws_google_auth/google.py#L279
  2. added a print(response_page) at https://github.com/cevoaustralia/aws-google-auth/blob/165e8636cdf58d2691c38fe67028ffdbb174aeb4/aws_google_auth/google.py#L488

The sess url was https://accounts.google.com/signin/challenge/az/2?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Finitsso%3Fidpid%3D123123%26spid%3D123123%26forceauthn%3Dfalse%26from_login%3D1%26as%3D123123%26authuser%3Dunknown&sarp=1&scc=1&checkedDomains=youtube&pstMsg=0&TL=123123 (I replaced the IDs with "123123")

And the response from google aws-google-auth

I then used SOCKS/Firefox, opened the page using my EC2 instance as a proxy and completed the verification process.

After I completed the verification process, I could use aws-google-auth as expected. I managed to find the solution to the problem, but the issue was quite obscure and debugging required quite a lot of effort (for example, I first tried to find out if my Python/pip setup matched my laptop's). I am not sure if aws-google-auth can handle the phone verification from the command line. An improvement would be to show a more informative message to the user and provide the HTML verification page without a lot of fuss.

christoph-buente commented 4 years ago

I had the same problem. Turns out, I had a G-Suite and a normal Google account with the same email address, and it was prompting which one I wanted to use. After I removed the private account, it worked like a charm.


stevemac007 commented 4 years ago

There is a save-failure-html flag that should do the same thing as what you needed to do manually. This helps in tracking down the changes that Google make to their SSO workflow, given this integration is working on reverse engineering the webpage flows.

 --save-failure-html   Write HTML failure responses to file for
                        troubleshooting.

Does this trap and collect the information the same way you did?

christoph-buente commented 4 years ago

> There is a save-failure-html flag that should do the same thing

Thanks @stevemac007! I learned it the hard way, but eventually I figured out there was a flag for it.

vkatsikaros commented 4 years ago

Thanks @stevemac007, I hadn't noticed!
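
Added example, not part of the thread and not aws-google-auth's own code: one way a client could turn the missing `data-api-key` element from the traceback into the informative error requested above, while keeping the page for troubleshooting. The names `extract_api_key`, `UnexpectedChallenge` and `dump_dir` are hypothetical, and the sample page and `TL` value are constructed.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

class UnexpectedChallenge(Exception):
    """The sign-in page lacks the element the client expects."""

class _AttrFinder(HTMLParser):
    """Records the first non-empty value of one attribute."""
    def __init__(self, attr):
        super().__init__()
        self.attr, self.value = attr, None

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name == self.attr and val and self.value is None:
                self.value = val

def extract_api_key(html, page_url, dump_dir):
    """Hypothetical helper: return data-api-key or raise a clear error."""
    finder = _AttrFinder("data-api-key")
    finder.feed(html)
    if finder.value:
        return finder.value
    # Keep the page for troubleshooting. mkstemp creates the file with
    # mode 0600, which matters because sign-in pages can carry tokens.
    fd, path = tempfile.mkstemp(prefix="challenge-", suffix=".html", dir=dump_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(html)
    # Report scheme, host and path only: the query string holds IdP/SP ids.
    u = urlsplit(page_url)
    raise UnexpectedChallenge(
        "No data-api-key element at %s://%s%s; Google may be asking for an "
        "interactive verification. Response saved to %s"
        % (u.scheme, u.netloc, u.path, path)
    )

if __name__ == "__main__":
    # Constructed sample: a challenge page without the expected element.
    page = "<html><body><h1>Verify it's you</h1></body></html>"
    url = "https://accounts.google.com/signin/challenge/az/2?TL=constructed"
    try:
        extract_api_key(page, url, tempfile.gettempdir())
    except UnexpectedChallenge as err:
        print(err)
```
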