search

requests / requests-oauthlib

OAuthlib support for Python-Requests!
https://requests-oauthlib.readthedocs.org/
ISC License
1.72k stars 424 forks source link

State not equal in request and response #458

Open mooyg opened 2 years ago

mooyg commented 2 years ago

Getting an error oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state) CSRF Warning! State not equal in request and response 

@router.get("/github", response_class=RedirectResponse)
async def github():
    authorization_url, state = github_oauth.authorization_url(authorization_base_url)
    return authorization_url

@router.get("/callback")
async def authorize(code: str):
    github_oauth.fetch_token(
        token_url, client_secret=client_secret, authorization_response=code
    )
    r = github_oauth.get("https://api.github.com/user")
but when I log state inside `github` function it logs same as in the query param `state` of the callback url
JonathanHuot commented 2 years ago

Hi, Can you tell us how are you creating github_oauth and when? We can't see how are you using the state variable in this example ? Thanks

alysivji commented 1 year ago

I experienced a similar issue re: not being able to exchange tokens due to the state parameter. Turns out it's because the OAuthSession keeps track of the state it generated earlier and then there is validation against the authorization_response if that parameter is used.

You can by-pass the state validation by passing in the code parameter versus the authorization_response parameter, i.e.

oauth_client.fetch_token(token_url, client_secret=client_secret, code=code)