pyeve / flask-sentinel

OAuth2 Server bundled as a Flask extension

Authorization not working #26

Open Reriiru opened 7 years ago

Reriiru commented 7 years ago

Hello, I've been looking to implement this in my API, but there is a great big issue. The code example from "How to" doesn't really work and also flask.ext.sentinel is deprecated.

But it doesn't stop here. There is a way bigger issue. Authorization does not work for some weird reason. It puts data into both mongo and redis, it gives back a token, but the token itself does not work. Here, let me show you.

First we ask for a token:

$ curl -k -X POST -d "client_id=ByeNJDStsI13Hs8ztYXloMpGhsWGpsEfBUVtk5Jl&grant_type=password&username=reriiru&password=secret" http://localhost:5000/oauth/token

{"refresh_token": "C1YHlcWngjVp13LXwKcghINWG3iptt", "access_token": "BXNMYTKQUGMtlCWUHeTC2Qy1U8YiJ6", "token_type": "Bearer", "expires_in": 3600, "scope": ""}

Everything is fine. Then we try to use it to get to our endpoint:

$ curl -H "Authorisation: Bearer BXNMYTKQUGMtlCWUHeTC2Qy1U8YiJ6" http://127.0.0.1:5000/endpoint
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>401 Unauthorized</title>
<h1>Unauthorized</h1>
<p>The server could not verify that you are authorized to access the URL requested.  You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.</p>

And it sends us to hell! Instead, we check up on mongo and redis and see what we get.

$ redis-cli
127.0.0.1:6379> get BXNMYTKQUGMtlCWUHeTC2Qy1U8YiJ6
"5970ad0468f165346f067fb2"
127.0.0.1:6379> 

$ mongo
MongoDB shell version: 3.2.11
connecting to: test
> use oauth
switched to db oauth
> db.tokens.find()
{ "_id" : ObjectId("5970e15d347fc57b83f1828b"), "user_id" : ObjectId("5970ad0468f165346f067fb2"), "expires" : ISODate("2017-07-20T17:59:09.312Z"), "refresh_token" : "C1YHlcWngjVp13LXwKcghINWG3iptt", "token_type" : "Bearer", "access_token" : "BXNMYTKQUGMtlCWUHeTC2Qy1U8YiJ6", "scopes" : [ "" ], "client_id" : "ByeNJDStsI13Hs8ztYXloMpGhsWGpsEfBUVtk5Jl", "user" : null }

Looks dandy to me. Everything is where it should be, except it has an ObjectId in user_id in mongo for some reason. All the IDs match. And still it does not authorize my user. What went wrong, guys?

A hasty edit: Here is the python version I am using:

$ python
Python 3.5.3+ (default, Jun  7 2017, 23:23:48)
[GCC 6.3.0 20170516] on linux

If need be I can attach all the package versions in that venv.
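The checks a resource server has to make on a bearer token, as an added example that is not part of the original issue and not flask-sentinel's own code: two in-memory dicts stand in for the Redis access_token -> user_id map and the Mongo `tokens` collection shown above, and `verify_bearer()` returns either the user id or a specific reason for the 401, which is what the reporter was missing. The user and client ids are constructed placeholders, and the header lookup is case-insensitive on the header name (as HTTP requires) but only ever matches the name `Authorization`.

```python
"""Bearer-token issue/verify round trip modelled on the data in this issue.

Added example; not flask-sentinel code. Dicts replace Redis and Mongo so it runs offline.
"""
import secrets
from datetime import datetime, timedelta, timezone


class TokenStore:
    """Two stores, mirroring what the reporter inspected with redis-cli and the mongo shell."""

    def __init__(self):
        self.redis = {}   # access_token -> user_id (string), like `GET <access_token>` above
        self.tokens = {}  # access_token -> token document, like `db.tokens.find()` above

    def issue(self, user_id, client_id, scopes=("",), expires_in=3600, now=None):
        """Mint a token pair and record it in both stores; returns the JSON-style response body."""
        now = now or datetime.now(timezone.utc)
        access = secrets.token_urlsafe(22)
        refresh = secrets.token_urlsafe(22)
        self.tokens[access] = {
            "user_id": user_id,
            "client_id": client_id,
            "access_token": access,
            "refresh_token": refresh,
            "token_type": "Bearer",
            "scopes": list(scopes),
            "expires": now + timedelta(seconds=expires_in),
        }
        # Redis holds the user id as a plain string; Mongo holds it as an ObjectId.
        # Comparing the two therefore needs str() on the Mongo side, which is what
        # the "ObjectId in user_id" observation above is about.
        self.redis[access] = str(user_id)
        return {
            "access_token": access,
            "refresh_token": refresh,
            "token_type": "Bearer",
            "expires_in": expires_in,
            "scope": " ".join(scopes),
        }


def get_header(headers, name):
    """HTTP header names are case-insensitive, but must otherwise match exactly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def verify_bearer(headers, store, now=None):
    """Return (user_id, None) on success or (None, reason) for a 401.

    The reason string is what a server should log (not necessarily return to the
    client) so that "token rejected" is distinguishable from "token never arrived".
    """
    now = now or datetime.now(timezone.utc)
    raw = get_header(headers, "Authorization")
    if raw is None:
        return None, "missing Authorization header"
    parts = raw.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None, "malformed Authorization header"
    token = parts[1].strip()
    user_id = store.redis.get(token)
    if user_id is None:
        return None, "unknown access token"
    doc = store.tokens.get(token)
    if doc is None or doc["expires"] <= now:
        store.redis.pop(token, None)  # evict the stale cache entry
        return None, "access token expired"
    return user_id, None


if __name__ == "__main__":
    # Constructed ids, not the ones from the issue.
    store = TokenStore()
    body = store.issue("user-0001", "client-example")
    print(body)
    print(verify_bearer({"Authorization": "Bearer " + body["access_token"]}, store))
    print(verify_bearer({"Authorisation": "Bearer " + body["access_token"]}, store))
```

Running it shows the same token accepted under `Authorization` and rejected with "missing Authorization header" under any other header name, and an expired token is rejected with "access token expired" and evicted from the cache rather than silently returning a bare 401.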

Reriiru commented 7 years ago

I've found out what was going on.

My bad, I was turning off SSL due to OpenSSL not working properly, and this is the result of me doing that. My friend tested that on a separate machine where OpenSSL is not an issue, and everything worked.

I'll leave this issue open for two reasons. 1) Using no SSL should be an option in my opinion. I do not see a reason why my, say, NGINX to Gunicorn connection should be encrypted while NGINX already encrypts at the transport level on the outside. Having encrypted local traffic is a waste of time in a vast number of cases. 2) Even if this project would never let me use None as my ssl_context, it should at least raise an appropriate exception at some point. Because it's not clear whether it was actually related to me using no SSL, or it was something completely unrelated.

Thank you for your time!