requests / requests-oauthlib

OAuthlib support for Python-Requests!
https://requests-oauthlib.readthedocs.org/
ISC License

using version 1.3.0 to set up django 1.6.10 oauth2 client -- getting 403 when using token to access protected WP resource #416

Open nojyarg opened 4 years ago

nojyarg commented 4 years ago

I'm working on a legacy app for a client. I'm having a weird issue in django 1.6.10 at the very end of the oauth2 conversation using requests-oauthlib 1.3.0. The Django app is the oauth2 client and WordPress is the ID provider (I'm using the WordPress OAuth Server plugin). Basically, I can exchange the auth code for an access token just fine, but when I try to then retrieve a protected resource from WordPress (/oauth/me) using that access token, I get a 403 forbidden error in django. HOWEVER, when I take that same access token to Postman and issue a POST request to /oauth/me with Authorization=Bearer , I get the protected user info back from WP just fine. Maybe it's something to do with the headers, or maybe the client scope (which is 'basic'), or something to do with how I am requesting the token? I'm stepping through the OAuth2Session class from requests-oauthlib to see what might be going haywire. Someone having experience with this lib will maybe know already what is happening? Thanks in advance! Code is below.

```python
import json

from django.http import HttpResponse
from django.shortcuts import redirect
from requests_oauthlib import OAuth2Session

# WORDPRESS_CLIENT_ID, WORDPRESS_CLIENT_SECRET, WORDPRESS_REDIRECT_URI,
# WORDPRESS_AUTHORIZE_ENDPOINT and WORDPRESS_ACCESSTOKEN_ENDPOINT are
# settings constants defined elsewhere in the project.


def oauth_init(request):
    # Step 1: build the authorization URL and remember the state for this session
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID, redirect_uri=WORDPRESS_REDIRECT_URI)
    authorization_url, state = wordpress.authorization_url(WORDPRESS_AUTHORIZE_ENDPOINT)
    request.session['oauth_state'] = state
    return redirect(authorization_url)


def oauth_authorize(request):
    # Step 2: the provider redirects back here with ?code=...; exchange it for a token
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID,
                              state=request.session['oauth_state'],
                              redirect_uri=WORDPRESS_REDIRECT_URI,
                              scope="basic")

    token = wordpress.fetch_token(token_url=WORDPRESS_ACCESSTOKEN_ENDPOINT,
                                  include_client_id=True,
                                  client_secret=WORDPRESS_CLIENT_SECRET,
                                  code=request.GET["code"],
                                  headers={"User-Agent": "None"})

    request.session['oauth_token'] = token
    return redirect("/wp_profile")


def wp_profile(request):
    # Step 3: use the stored token dict to call the protected resource
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID,
                              token=request.session['oauth_token'])
    user = wordpress.get('https://imsestage.wpengine.com/oauth/me')  # <-- this is failing with 403
    # `user` is a requests.Response, which json.dumps() cannot serialise;
    # pass its body and status code through so the 403 payload is visible too
    return HttpResponse(user.content, status=user.status_code,
                        content_type='application/json')
```
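Two checks that the flow above leaves implicit, written as an added example (not the poster's code and not requests-oauthlib's own): verifying the `state` echoed back on the callback before the code is exchanged, which requests-oauthlib only does when `fetch_token()` is given the whole redirect URL via `authorization_response=` rather than a bare `code=`, and building the `Authorization` header that oauthlib's `add_token()` derives from a stored token dict, so you can compare it with what Postman sends. The callback URL and token values are constructed.

```python
"""Stdlib-only mirrors of two oauthlib behaviours: the state check on the
provider's redirect, and the bearer header built from a token dict.
Added example; the URL and token values below are constructed."""
import time
from urllib.parse import parse_qs, urlsplit


class CallbackError(ValueError):
    """Raised when the redirect back from the provider cannot be trusted."""


def parse_callback(redirect_url, expected_state):
    """Return the authorization code from the provider's redirect, refusing
    it unless the echoed `state` matches the one stored in the session."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" in params:
        raise CallbackError("provider returned error: %s" % params["error"][0])
    state = params.get("state", [None])[0]
    if state is None or state != expected_state:
        raise CallbackError("state mismatch: possible CSRF or stale session")
    try:
        return params["code"][0]
    except KeyError:
        raise CallbackError("callback carries no authorization code")


def bearer_headers(token, now=None):
    """Build the header oauthlib adds for a token dict as returned by
    fetch_token(); the same checks raise here instead of sending a request
    the resource server would reject anyway."""
    now = time.time() if now is None else now
    if token.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unsupported token_type: %r" % token.get("token_type"))
    if not token.get("access_token"):
        raise ValueError("token dict has no access_token")
    if "expires_at" in token and token["expires_at"] < now:
        raise ValueError("access token expired at %s" % token["expires_at"])
    return {"Authorization": "Bearer " + token["access_token"]}


if __name__ == "__main__":
    # constructed callback and token, as the Django views would see them
    code = parse_callback("https://app.example/oauth/callback?code=abc123&state=s3cret",
                          "s3cret")
    print("code:", code)
    print(bearer_headers({"access_token": "tok", "token_type": "bearer",
                          "expires_at": time.time() + 3600}))
```

If the header printed here matches the one Postman sends and the call still fails, the difference lies outside the token itself (method, extra headers such as User-Agent, or the plugin's scope rules).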