Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth2 backend uses incoming request's URI scheme for redirect_uri #281

Closed
rene-armida opened this issue Mar 6, 2012 · 1 comment
Closed

OAuth2 backend uses incoming request's URI scheme for redirect_uri #281

rene-armida opened this issue Mar 6, 2012 · 1 comment

Comments

@rene-armida
Copy link
Contributor

Overview

OAuth2 is sensitive to guaranteeing encrypted communication of tokens. The OAuth2 backends in django-social-auth use the scheme part of the incoming request, e.g. http://' or https://, as the basis for the 'redirect_uri` parameter sent with the user's redirect to the provider.

This is a problem if SSL is handled separate from the application's server, e.g. by a reverse proxy. It also causes a problem if the app is hosted on a cloud platform service like heroku, in which the routing mesh also segregates SSL. From django's point of view, all incoming requests are via plain HTTP.

To reproduce

  • create a django project that includes django-social-auth and django-meetup-auth.
  • serve the app's SSL behind a reverse proxy
  • go to https://yourapp/login/meetup/
  • the browser is redirected to https://secure.meetup.com/ with the redirect_uri query var starting in http://yourapp/.... This causes Meetup to respond with a page "Invalid Authorization request; If you were directed here by another application, contact its developer".
  • if you change the redirect_uri in your current query string to begin with https:// instead of http://, Meetup stops complaining.
  • if you originally navigated to http://yourapp/login/meetup instead of via https://, you get the same behavior

Analysis

My non-expert analysis of the problem:

  • the request gets routed to social_auth.views.auth_process via auth
  • the view calls backend.auth_url() to get the full URL to redirect the browser to the OAuth provider
  • BaseOAuth2.auth_url sets the redirect_uri query string component to self.redirect_uri
  • BaseOAuth.__init__ builds self.redirect_uri via self.request.build_absolute_uri(self.redirect)
  • django.http.HttpRequest.build_absolute_uri uses is_secure
  • django.http.HttpRequest.is_secure looks at HTTPS in the environment to give a yea/nay

This implies that the issue should strike for any OAuth2 exchange behind a reverse proxy, not just for Meetup.

Workaround

Here's a cheesy monkey patch to dodge this problem:
https://gist.github.com/1983212

I put this into my app's models.py, and the behavior went away.

What's the best way to fix this? Maybe provide settings to override the auto-calculation of redirect_uri from routes? Or find a way to guarantee 'HTTPS' is on in the environment?
@omab
Copy link
Owner

omab commented Mar 11, 2012

Thanks, this needs to be addressed.

@omab omab closed this as completed in 4376847 Apr 16, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@omab @rene-armida