python-social-auth / social-app-django

Python Social Auth - Application - Django
BSD 3-Clause "New" or "Revised" License

Google OAuth not working on production server (hosted on heroku), works fine on localhost #577

Open Zimmerr opened 2 weeks ago

Zimmerr commented 2 weeks ago

I've been working on a small project that uses Google OAuth, and it worked perfectly until I had to put it into production. The errors only happen in production and don't seem to be related to incorrect URIs, because I double-checked all of them, but I might be wrong.

I'm hosting the front-end of my project on GitHub Pages, and the back-end (this Django API) on Heroku. When hosting both on localhost I can log in normally, but when trying to do it in production, I get the following error:

{non_field_errors: ["Session value state missing."]}

From the looks of it, maybe I was not properly sending the state, but I was; both state and code were being sent correctly.

The big differences I noticed between the local payload and the production one are some headers. The main difference was the Cookies header missing on the production one; locally it had a sessionid and a csrftoken in it, but I could not find any way to send those cookies in the header, nor the reason why they aren't being sent to the production API, only to the local one.

After not having any success, I tried the desperate measure of overriding the default GoogleOAuth2 class to get rid of the state error by doing this:

class GoogleOAuth2(google.GoogleOAuth2):
    STATE_PARAMETER = False

And putting this on settings:

AUTHENTICATION_BACKENDS = (
    'ballersAPI.autenticacao.models.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend'
)

But still, I got the following response from the backend:

{non_field_errors: ["Authentication process canceled"]}

Now I'm completely out of ideas. I also tried changing the following settings, but neither adding nor removing them helped in any way:

DEBUG = False
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_HEADERS = ["Authorization", "Content-Type", "Accept", "Cookie"]
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

Those are my auth-related settings.py lines, if you need them to investigate the problem:

DJOSER = {
    'LOGIN_FIELD': 'email',
    'SOCIAL_AUTH_TOKEN_STRATEGY': 'ballersAPI.strategy.TokenStrategy',
    'SOCIAL_AUTH_ALLOWED_REDIRECT_URIS': ['http://localhost:3000',
                                          'http://127.0.0.1:3000',
                                          'https://zimmerr.github.io/ballers-frontend/'],
}

AUTHENTICATION_BACKENDS = (
    'social_core.backends.google.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend'
)

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = config('GOOGLE_CLIENT_ID')
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = config('GOOGLE_CLIENT_SECRET')
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
    'openid'
]
SOCIAL_AUTH_GOOGLE_OAUTH2_EXTRA_DATA = ['first_name', 'last_name']
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
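The two error messages above come from the same mechanism: the OAuth2 `state` value is minted when the login starts and stored in the caller's server-side session, and the callback can only be verified if the browser sends the session cookie back with it. Whether the browser attaches that cookie on a cross-site request (a GitHub Pages front-end calling a Heroku API) depends on the cookie's SameSite and Secure attributes, which in Django are controlled by SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE. The following is an added, self-contained example written for this page; it is not social-core or social-app-django code. The in-memory SESSIONS dict, the begin_login/complete_login functions, and the cookie and code values are all constructed stand-ins for the Django session store and the provider callback. It shows why the check fails when the cookie is absent, and why turning the check off (STATE_PARAMETER = False) is the wrong fix: with the check off, a callback whose state was never minted for this session is accepted, which is exactly the login-CSRF case the state parameter exists to prevent.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed stand-in for the server-side session store, keyed by the value
# of the sessionid cookie. In Django this is the session backend; here it is
# a plain dict so the example runs offline.
SESSIONS = {}


def begin_login(session_cookie):
    """Authorize step: mint an unguessable state and bind it to the caller's
    session. The returned state is what goes into the provider redirect URL."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_cookie, {})["oauth_state"] = state
    return state


def complete_login(session_cookie, callback_query, state_parameter=True):
    """Callback step: the browser sends back ?code=...&state=... and (if the
    cookie attributes allow it on a cross-site request) the sessionid cookie.
    Returns a dict with 'ok' and a 'reason' string; the reason for the
    no-cookie case deliberately matches the message quoted in the issue."""
    params = parse_qs(callback_query)
    received_state = params.get("state", [None])[0]

    if not state_parameter:
        # STATE_PARAMETER = False: nothing ties this callback to a login that
        # this session actually started, so any code is accepted.
        return {"ok": True, "reason": "state check disabled (unsafe)"}

    session = SESSIONS.get(session_cookie)
    if session is None or "oauth_state" not in session:
        # No cookie arrived, so there is no stored state to compare against.
        return {"ok": False, "reason": "Session value state missing."}
    if received_state is None:
        return {"ok": False, "reason": "state parameter absent from callback"}
    if not hmac.compare_digest(session["oauth_state"], received_state):
        return {"ok": False, "reason": "state does not match this session"}

    # Consume the state so a replayed callback cannot succeed a second time.
    del session["oauth_state"]
    return {"ok": True, "reason": "state verified"}


def run_scenarios():
    """Four constructed scenarios; the cookie and code strings are sample
    values, not real session ids or authorization codes."""
    results = {}

    # 1. Same-site deployment: the cookie is present on both legs.
    cookie = "sessionid-local"
    state = begin_login(cookie)
    results["local"] = complete_login(cookie, f"code=sample-code-1&state={state}")
    # Replaying the same callback fails because the state was consumed.
    results["local_replay"] = complete_login(cookie, f"code=sample-code-1&state={state}")

    # 2. Cross-site deployment: the state was sent, but the browser dropped
    #    the session cookie on the callback, so the server sees no session.
    cookie = "sessionid-prod"
    state = begin_login(cookie)
    results["cross_site_no_cookie"] = complete_login(None, f"code=sample-code-2&state={state}")

    # 3. A callback carrying a state this session never minted, check on.
    cookie = "sessionid-other"
    begin_login(cookie)
    results["unbound_state"] = complete_login(cookie, "code=sample-code-3&state=not-ours")

    # 4. The same unbound callback with STATE_PARAMETER = False: accepted.
    results["unbound_state_check_off"] = complete_login(
        cookie, "code=sample-code-3&state=not-ours", state_parameter=False
    )
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} ok={outcome['ok']!s:5s} {outcome['reason']}")
```

Scenario 2 reproduces the "Session value state missing." symptom without any wrong redirect URI: the state round-trips fine, but there is no session to check it against. Scenario 4 shows what disabling the check buys: the API now accepts a code it never asked for, so the fix belongs on the cookie side (getting the session cookie delivered on the cross-site callback), not on the state check.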