
Flask RemoteApp.authorize_access_token() includes state parameter in request #16

Closed
lyschoening opened this Issue Jan 18, 2018 · 6 comments

@lyschoening

lyschoening commented Jan 18, 2018

When following the typical authorization flow, the access token is requested from the authorization redirect URI. The RemoteApp implementation for Flask copies all request arguments of this callback and attaches them to the request for the authorization token.

from flask import request  # used by the library-level line quoted below

@app.route('/authorize')
def authorize():
    token = oauth.google.authorize_access_token()
    # ...

# Inside Flask's RemoteApp.authorize_access_token(): every query parameter
# of the callback request is copied and sent along with the token request.
params = request.args.to_dict(flat=True)

The request arguments to the callback include "state", which does not need to be submitted with the request for the access token. Due to this, the Google API will respond with an error: "Parameter not allowed for this message type: state".

@lepture

Owner

lepture commented Jan 18, 2018

@lyschoening Did you try the Google connect on https://play.authlib.org/? It works pretty well.

Besides, the state parameter is recommended to be included in the authorization request according to the RFC:
https://tools.ietf.org/html/rfc6749#section-4.1.1

@lepture lepture added the invalid label Jan 18, 2018

@lyschoening

lyschoening commented Jan 22, 2018

@lepture Is https://play.authlib.org/ a Flask app/sending the state parameter?

I'm authorizing through https://accounts.google.com/o/oauth2/token, not https://www.googleapis.com/oauth2/v4/token, which could explain why the behavior is different.

Google's documentation does not mention a state parameter (https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code), and from reading around it seems this is known non-standard behavior in Google's API.

@lyschoening

lyschoening commented Jan 22, 2018

I should add that state isn't the only parameter being forwarded. Every parameter on the callback response is forwarded (authuser, session_state, prompt in this case).
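The two comments above describe the same defect from two angles: the callback's `state` value (and every other provider-appended parameter such as `authuser`, `session_state` or `prompt`) is forwarded verbatim to the token endpoint. The following is an added example, not Authlib's own code, of how a client can validate the authorization response and build the token request from only the parameters RFC 6749 section 4.1.3 defines. It assumes a hypothetical `build_token_request()` helper and a constructed callback URL; `state` is compared against the value the client stored before redirecting and is then dropped rather than sent onward.

```python
"""Added example (not Authlib's code): build an OAuth 2.0 token request
from an authorization-response callback without forwarding every query
parameter the provider attached to the redirect.

RFC 6749 section 4.1.3 lists grant_type, code, redirect_uri and, for public
clients, client_id. The `state` value is the client's CSRF token for the
flow: it is verified against the session and never forwarded.
"""
import hmac
from urllib.parse import parse_qs, urlsplit


class CallbackError(ValueError):
    """Raised when the authorization response cannot be accepted."""


def parse_callback_args(callback_url):
    """Return the query parameters of the redirect URI as a flat dict."""
    query = urlsplit(callback_url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_token_request(callback_args, expected_state, redirect_uri, client_id=None):
    """Validate the callback and return only the token-endpoint parameters.

    callback_args  -- query parameters received on the redirect URI
    expected_state -- state value saved in the session before redirecting
    redirect_uri   -- the redirect_uri used in the authorization request
    client_id      -- included only for public clients; confidential
                      clients authenticate with HTTP Basic instead
    """
    # An error response from the authorization server carries no code to exchange.
    if 'error' in callback_args:
        raise CallbackError(callback_args['error'])

    # state is the CSRF check for this flow: constant-time compare, then drop it.
    received_state = callback_args.get('state', '')
    if not expected_state or not hmac.compare_digest(
            received_state.encode('utf-8'), expected_state.encode('utf-8')):
        raise CallbackError('state mismatch')

    code = callback_args.get('code')
    if not code:
        raise CallbackError('missing code')

    # Only the parameters the spec defines; provider extras such as
    # authuser, session_state or prompt are deliberately not forwarded.
    body = {
        'grant_type': 'authorization_code',
        'code': code,
        'redirect_uri': redirect_uri,
    }
    if client_id:
        body['client_id'] = client_id
    return body


if __name__ == '__main__':
    # Constructed sample callback resembling the one described in the issue.
    sample = ('https://client.example/authorize?state=abc123&code=4/xyz'
              '&authuser=0&session_state=deadbeef&prompt=consent')
    args = parse_callback_args(sample)
    print(build_token_request(args, 'abc123', 'https://client.example/authorize'))
```

Allow-listing the outgoing parameters, rather than stripping known offenders, is what keeps a provider's future extra callback parameters from leaking into the token request as well.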

@lepture

Owner

lepture commented Jan 22, 2018

@lyschoening Is there any reason that you have to use https://accounts.google.com/o/oauth2/token instead of https://www.googleapis.com/oauth2/v4/token?

I'm ok to change the default behavior of request.args.to_dict(flat=True). But state will always be included, I don't think https://accounts.google.com/o/oauth2/token has done OAuth 2 right.

@lyschoening

lyschoening commented Jan 22, 2018

@lepture It's the URL in the configuration the Google Cloud console returns when you create an OAuth client for a web application.

lepture added a commit that referenced this issue Jan 23, 2018

@lepture

Owner

lepture commented Jan 23, 2018

@lyschoening I've cleaned up params in authorize_access_token.

Here are the endpoints that I found for Google: https://accounts.google.com/.well-known/openid-configuration

@lepture lepture closed this Jan 24, 2018

@lepture lepture added the spec label Jan 24, 2018

lepture added a commit that referenced this issue Feb 1, 2018

Fix missing code value.
This bug is introduced by #16