googlearchive / PyDrive

Google Drive API Python wrapper library

PyDrive auth.py adding "/" to end of redirect uri #188

Open DaddioD opened 4 years ago

DaddioD commented 4 years ago

Changed line 219 from

oauth_callback = 'http://%s:%s/' % (host_name, port_number)

to

oauth_callback = 'http://%s:%s' % (host_name, port_number)

and it has fixed the problem. Will this cause a problem with anything else?

shcheklein commented 4 years ago

@DaddioD could you clarify, what problem did this change fix, please?

DaddioD commented 4 years ago

For me, the additional "/" was causing a redirect_uri not valid error. This caused verification to not complete.

On Fri, Feb 14, 2020, 6:44 PM Ivan Shcheklein notifications@github.com wrote:

@DaddioD https://github.com/DaddioD could you clarify, what problem did this change fix, please?


shcheklein commented 4 years ago

@DaddioD could you please provide more details still? Minimal script that reproduces this for you would be great. Otherwise a code snippet you run.

nuertey commented 4 years ago

I can confirm this issue as well. Running the out-of-the-box basic examples gives me this error:

Authorization Error
Error 400: redirect_uri_mismatch
The redirect URI in the request, http://localhost:8080/, does not match the ones authorized for the OAuth client. 

Making the same change in auth.py as @DaddioD allows the authentication flow to complete. So simply remove the slash appending the URI on line 219. Nuertey

shcheklein commented 4 years ago

@nuertey could you check your OAuth credentials and consent screen settings? Do you have anything set in the Authorized domains field?

[screenshot: Screen Shot 2020-05-25 at 4.38.40 PM]

shcheklein commented 4 years ago

I've just tested it again (on the fork PyDrive2 that we maintain) and it works for me:

pydrive2/test/test_oauth.py::GoogleAuthTest::test_01_LocalWebserverAuthWithClientConfigFromFile Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?client_id=217948389181-rs7it4a635b3qrf8dnmklmoj2kimun9n.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&response_type=code

Authentication successful.
PASSED

Mind the redirect_uri that ends with / (%2F).

It means that either your App settings are too restrictive (in my case the field is empty) or something else is happening.

nuertey commented 4 years ago

Indeed @shcheklein, I do have information in the Authorized domains field. I was under the impression that Google needed that field to even accept the new configuration. Here is my screenshot: [screenshot: My Consent Screen]

shcheklein commented 4 years ago

Check also this screen, the one that defines authorized redirect URIs:

[screenshots: Screen Shot 2020-05-26 at 3.23.17 PM, Screen Shot 2020-05-26 at 3.22.26 PM]

I would try:

  1. leave all fields empty
  2. try to add http://localhost:8080/ to the list.

nuertey commented 4 years ago

That would make sense: adding a slash in the Authorized URIs configuration would cause the authentication flow to successfully complete. However, as you can see from my attachment, Google Cloud Platform prevents the slash in the Authorized JavaScript origins URIs. As one would expect, logically, the error then shown is:

Invalid Origin: URIs must not contain a path or end with "/".

So it would not be consistent anyway if it were to allow it in the Authorized redirect URIs. The question though to ask is, what would be the more logical design choice? Does the slash really belong with the URI expected in the configuration? Or should the script rather ensure that any composed URIs do not append the extraneous slash? Nuertey

[screenshot: Authorized URIs]

shcheklein commented 4 years ago

@nuertey you are probably right, and it indeed most likely should be fixed on the library level - I'm just trying to understand the proposed change better and the scope of the problem, and whether there was a reason to add that trailing slash in the first place.

The thing I don't quite understand is why removing `/` w/o changing app configuration (authorized URLs, etc.) helped in your and @DaddioD's case. Do you have any idea? What was your setup exactly?

nuertey commented 4 years ago

Excellent. Thanks.

Indeed, you are approaching it sensibly, for we do not know what other consequences the change might have. I think that is why @DaddioD asked the question in the first place. He too wondered why the trailing slash was there in the first place and whether a change to it might cause issues elsewhere. So you are approaching the issue resolution correctly.

For my setup, it makes perfect sense. The config expected a plain URI without a slash, and the script offered a URI with a slash, hence, the mismatch:

Authorization Error
Error 400: redirect_uri_mismatch
The redirect URI in the request, http://localhost:8080/, does not match the ones authorized for the OAuth client.

I cannot speak for @DaddioD's setup though. @DaddioD, can you chime in with your Google Cloud Platform config for the OAuth 2.0 client Authorized URIs? Also, if you can append the original error you observed, much as I did above, it would help @shcheklein in scoping out this issue better. Thank you both. Nuertey

shcheklein commented 4 years ago

@nuertey thanks! So, just to confirm - you had http://localhost:8080 specified in the Authorized URIs from the very beginning? And it does not allow you to put one with the trailing slash there?

nuertey commented 4 years ago

That is correct.

shcheklein commented 4 years ago

Okay, I ran a few experiments. This issue happens if OAuth client type is WebApp and Authorized redirect URIs does not include http://localhost:8080/ (including the trailing /).

It looks like more of a lack of documentation + a strange convention, but not a bug. Since a redirect URI has to be specified anyway, and it can be specified with or w/o the trailing /.

eashanadhikarla commented 4 years ago

I am using "http://localhost:8080" for both Authorized redirect and Authorized JS. Still it gives the error:

Authorization Error
Error 400: redirect_uri_mismatch
The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for a native application. It is not allowed for the WEB client type. You can create a Client ID for native application at https://console.developers.google.com/apis/credentials/oauthcli

I am not sure, my Credentials are on Client Id with Application type: WebApp.

Currently, I encounter this error when I am running the Quickstart program from the remote linux server. And for doing that I am using "gauth.CommandLineAuth" by replacing "gauth.LocalWebserverAuth()".

janderson77 commented 4 years ago

The Authorized JavaScript origins field cannot have a trailing "/", however the Authorized redirect URIs can.

After experiencing this issue and adding the trailing slash to the Authorized redirect URIs I was able to authenticate without an issue
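The thread settles on three rules: the authorization server compares the redirect_uri as an exact string, so the trailing slash that PyDrive's auth.py appends ("http://%s:%s/") has to be registered verbatim for a web-type client (RFC 6749 section 3.1.2.3 specifies simple string comparison for registered redirect URIs); the Authorized JavaScript origins field accepts only scheme://host[:port] with no path or trailing slash; and the urn:ietf:wg:oauth:2.0:oob redirect that CommandLineAuth sends is accepted only for native (installed) clients. The pre-flight check below is an added example, not PyDrive's own code and not part of this thread. It copies the callback format string quoted from auth.py above, reads the "web"/"installed", "redirect_uris" and "javascript_origins" keys of a Google client_secrets.json, and reports a mismatch before the browser flow is started. The sample client configurations are constructed for the example, and the function names (build_local_callback, redirect_uri_registered, valid_js_origin, preflight) are this example's, not the library's.

```python
"""Pre-flight check for a PyDrive OAuth client configuration (added example,
not PyDrive code). Reproduces how auth.py composes the local-webserver
callback and checks it against client_secrets.json the way an OAuth
authorization server does: exact string comparison, no normalization."""
from urllib.parse import urlsplit

OOB = "urn:ietf:wg:oauth:2.0:oob"  # redirect used by CommandLineAuth


def build_local_callback(host_name="localhost", port_number=8080):
    # Same composition as the auth.py line quoted in the thread; note the
    # trailing slash, which is part of the string Google sees.
    return "http://%s:%s/" % (host_name, port_number)


def redirect_uri_registered(redirect_uri, registered):
    # RFC 6749 3.1.2.3: registered redirect URIs are matched by simple
    # string comparison, so 'http://localhost:8080' != 'http://localhost:8080/'.
    return any(redirect_uri == r for r in registered)


def valid_js_origin(origin):
    # "Authorized JavaScript origins" is an origin, not a URL: scheme and
    # host[:port] only; a path, query, fragment or trailing '/' is rejected.
    p = urlsplit(origin)
    return (p.scheme in ("http", "https") and bool(p.netloc)
            and p.path == "" and p.query == "" and p.fragment == "")


def preflight(client_secrets, flow, host_name="localhost", port_number=8080):
    """Return a list of problems for running `flow` ('LocalWebserverAuth' or
    'CommandLineAuth', the two GoogleAuth methods named in the thread) with
    the given client_secrets dict. An empty list means no known mismatch."""
    problems = []
    if "web" in client_secrets:
        client_type, cfg = "web", client_secrets["web"]
    elif "installed" in client_secrets:
        client_type, cfg = "installed", client_secrets["installed"]
    else:
        return ["client_secrets has neither a 'web' nor an 'installed' section"]

    if flow == "CommandLineAuth":
        if client_type == "web":
            problems.append("CommandLineAuth sends redirect_uri %s, which Google "
                            "accepts only for native (installed) clients" % OOB)
    elif flow == "LocalWebserverAuth":
        callback = build_local_callback(host_name, port_number)
        registered = cfg.get("redirect_uris", [])
        if client_type == "web" and not redirect_uri_registered(callback, registered):
            hint = ""
            if callback.rstrip("/") in [r.rstrip("/") for r in registered]:
                hint = " (a registered entry differs only by the trailing slash)"
            problems.append("redirect_uri %s is not among the authorized redirect "
                            "URIs %r%s" % (callback, registered, hint))
    else:
        problems.append("unknown flow %r" % flow)

    for origin in cfg.get("javascript_origins", []):
        if not valid_js_origin(origin):
            problems.append("invalid JavaScript origin %r: must not contain a "
                            "path or end with '/'" % origin)
    return problems


# Constructed sample configurations (not real credentials).
WEB_NO_SLASH = {"web": {"client_id": "example.apps.googleusercontent.com",
                        "client_secret": "not-a-real-secret",
                        "redirect_uris": ["http://localhost:8080"],
                        "javascript_origins": ["http://localhost:8080"]}}
WEB_WITH_SLASH = {"web": {"client_id": "example.apps.googleusercontent.com",
                          "client_secret": "not-a-real-secret",
                          "redirect_uris": ["http://localhost:8080/"],
                          "javascript_origins": ["http://localhost:8080"]}}
INSTALLED = {"installed": {"client_id": "example.apps.googleusercontent.com",
                           "client_secret": "not-a-real-secret",
                           "redirect_uris": ["http://localhost"]}}

if __name__ == "__main__":
    for name, cfg, flow in [("web, no slash", WEB_NO_SLASH, "LocalWebserverAuth"),
                            ("web, with slash", WEB_WITH_SLASH, "LocalWebserverAuth"),
                            ("web, oob", WEB_NO_SLASH, "CommandLineAuth"),
                            ("installed, oob", INSTALLED, "CommandLineAuth")]:
        print(name, "->", preflight(cfg, flow) or "ok")
```

Run it against the client_secrets.json you downloaded from the console before calling gauth.LocalWebserverAuth() or gauth.CommandLineAuth(); the first case reproduces the redirect_uri_mismatch from this thread, the third reproduces the oob error reported for a web client.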