Amazon oauth , client_id of None in url? #47

Closed
meconlin opened this issue Oct 5, 2013 · 33 comments
Comments

meconlin commented Oct 5, 2013

I am attempting to use Django oauth with Amazon.
I have set up an application with Amazon and placed my key/secret in settings.py

SOCIAL_AUTH_AMAZON_OAUTH2_KEY = 'blahkey'
SOCIAL_AUTH_AMAZON_OAUTH2_SECRET = 'blahblahblabhsecret'

The request (which returns an Error from Amazon) is made to amazon with url like so:

https://www.amazon.com/ap/oa?ie=UTF8&response_type=code&scope=profile&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplete%2Famazon%2F&state=oRNdyN6ewMMA6zqkkPc2k8ntR20JNtp2&client_id=None

Notice the client_id=None in the url. Could this be an issue?


meconlin commented Oct 5, 2013

Using these settings:

SOCIAL_AUTH_AMAZON_KEY = 'blahkey'
SOCIAL_AUTH_AMAZON_SECRET = 'blahblahblabhsecret'

appears to get client_id set in the url, but still fails.


omab commented Oct 5, 2013

Yeah, your settings are wrong, they should be SOCIAL_AUTH_AMAZON_KEY and SOCIAL_AUTH_AMAZON_SECRET.

@omab omab closed this as completed Oct 5, 2013
@omab omab reopened this Oct 5, 2013

meconlin commented Oct 5, 2013

Ah, never mind, it was a whitelist issue at the other end once I had the second settings in.
Thanks! Got it.

Thanks for all the hard work, loving this package so far; I have Twitter, Google, and Amazon working. LinkedIn not so much. Have you been successful using LinkedIn?


omab commented Oct 5, 2013

Cool, good to know. I was testing it right now and it worked as expected. The same with LinkedIn (OAuth1 and OAuth2 versions).


meconlin commented Oct 5, 2013

Should the link to kick off LinkedIn OAuth2 be /login/linkedin-oauth2/ or simply /login/linkedin/?


omab commented Oct 5, 2013

/login/linkedin is for OAuth1, /login/linkedin-oauth2 is for OAuth2. The same keys work for both backends but they don't share the setting names, SOCIAL_AUTH_LINKEDIN_KEY and SOCIAL_AUTH_LINKEDIN_SECRET for OAuth1 backend, and SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY and SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET for OAuth2 backend.
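
The `client_id=None` in the first URL above is what happens when the key is read under a name the backend never looks up: the lookup returns None and the URL builder interpolates it anyway, and the provider rejects the request. Below is an added example (not python-social-auth's own code; `AUTHORIZATION_ENDPOINTS`, `backend_setting`, `authorize_url` and the exception name are illustrative assumptions) of the per-backend `SOCIAL_AUTH_<BACKEND>_KEY` naming described in this exchange, with a naive builder that reproduces the `client_id=None` URL beside one that fails closed when the credential is missing:

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed table for the example: where each backend sends the user to authorize.
AUTHORIZATION_ENDPOINTS = {
    "AMAZON": "https://www.amazon.com/ap/oa",
}


class MissingClientCredentials(Exception):
    """Raised instead of sending a provider an authorization URL with no client_id."""


def backend_setting(settings, backend_name, suffix):
    """Look up SOCIAL_AUTH_<BACKEND_NAME>_<SUFFIX> in a plain dict of settings.

    BACKEND_NAME is the backend's own name (AMAZON, LINKEDIN, LINKEDIN_OAUTH2);
    a guessed name such as AMAZON_OAUTH2 simply finds nothing and yields None.
    """
    return settings.get("SOCIAL_AUTH_%s_%s" % (backend_name, suffix))


def naive_authorize_url(settings, backend_name, redirect_uri, state):
    """The failure seen in the thread: a missing key becomes the string 'None'."""
    params = {
        "response_type": "code",
        "scope": "profile",
        "redirect_uri": redirect_uri,
        "state": state,
        "client_id": backend_setting(settings, backend_name, "KEY"),
    }
    return "%s?%s" % (AUTHORIZATION_ENDPOINTS[backend_name], urlencode(params))


def authorize_url(settings, backend_name, redirect_uri, scope="profile", state=None):
    """Build the authorization URL, failing closed on a missing key or secret.

    The secret is not part of the URL, but a missing secret would only fail
    later, at the code-for-token exchange, so it is checked up front as well.
    Returns (url, state) so the caller can store state in the session.
    """
    client_id = backend_setting(settings, backend_name, "KEY")
    secret = backend_setting(settings, backend_name, "SECRET")
    if not client_id or not secret:
        raise MissingClientCredentials(
            "SOCIAL_AUTH_%s_KEY / SOCIAL_AUTH_%s_SECRET not configured"
            % (backend_name, backend_name)
        )
    # state binds the callback to this browser session (CSRF protection); the
    # caller must keep it and compare it on /complete/<backend>/.
    state = state or secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return "%s?%s" % (AUTHORIZATION_ENDPOINTS[backend_name], urlencode(params)), state


def client_id_in(url):
    """Return the client_id query parameter of an authorization URL, or None."""
    return parse_qs(urlparse(url).query).get("client_id", [None])[0]
```

The useful habit here is checking the resolved credentials at startup or at URL-build time rather than letting the provider's error be the first signal; a literal `None` in a query string is the kind of thing that is easy to read past in a long redirect.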


meconlin commented Oct 5, 2013

Got it, thanks. Do you have a more detailed TODO list anywhere, so I can pitch in a bit?


omab commented Oct 5, 2013

You mean a TODO list with pending features to implement?

@omab omab closed this as completed Oct 5, 2013

meconlin commented Oct 5, 2013

Absolutely.


omab commented Oct 5, 2013

There's no official TODO list; the main sections that need improvement are:

  • Documentation
  • Example application
  • Tests (framework related tests)
  • Support for more frameworks
  • More backends

@andrewamanda

Hi, I have spent hours but failed to set up python-social-auth to work properly with Amazon. The request made to Amazon is exactly like the one meconlin posted:
https://www.amazon.com/ap/oa?ie=UTF8&response_type=code&scope=profile&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplete%2Famazon%2F&state=oRNdyN6ewMMA6zqkkPc2k8ntR20JNtp2&client_id=

But I kept getting 400 Bad Request:
The redirect URI you provided has not been whitelisted for your application

The "Allowed Return URL" I entered on the Amazon app console is:
https://localhost:8000/complete/amazon/

What else should be done to get it working?

Thank you
Andrew


omab commented Feb 10, 2015

The URL in the link says http:// but your error message says https://, so what's the correct value? Is your local service running over SSL? Is your value in amazon settings set to https?

@andrewamanda

That's what bothers me. Our local service is running over SSL, we tested this on our production server which is running SSL as well. But the link generated by the python-social-auth backend always translates to redirect_uri=http%3A%2F%2Flocalhost%3A8000...

On the Amazon app console, we can only define the https:// for the redirect_uri. If we try to save http://, it will give an error:

One of your website return urls is invalid. Ex: https://example.com/signin


omab commented Feb 10, 2015

I guess that you are behind Nginx but not passing all the needed headers to tell the Python framework that it's running over SSL. Try defining this setting:

SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS = True

@andrewamanda

setting SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS to True did the trick on my local server. Thank you.

However it does not change anything on my production server which is running behind Nginx.

Any idea why this is so?


omab commented Feb 10, 2015

Could you share the proxy definition?

@andrewamanda

Yes, what part of the proxy definition are you looking for?

One of the production servers we are testing this on now is:

https://www.andrew-amanda.com/accounts/login/

Click the Login with Amazon button. You will see the error.

Does it give you any clue?


omab commented Feb 10, 2015

The error doesn't help because it happens on Amazon, but it's clear that the issue is the http:// redirect URL. I'm interested in the headers being passed to the backend from Nginx (especially the proxy_set_header calls).

@andrewamanda

The only proxy definition which might be relevant is:
SetEnvIf X-Forwarded-SSL on HTTPS=1

Where are the proxy_set_header calls being made? Our Django app does not make that call.


omab commented Feb 10, 2015

And who's setting X-Forwarded-SSL to on?

@andrewamanda

Our Django app is hosted on a shared Nginx server. The X-Forwarded-SSL is set in the httpd.conf file belonging to our Django instance.


omab commented Feb 10, 2015

So you have an Nginx proxy in front of Apache; that Nginx instance sets that header, and Apache sets HTTPS to 1 if the header was defined. Questions:

  1. Do you see the value for X-Forwarded-SSL in your app?
  2. Do you see the value for HTTPS=1 in your app?
  3. What happens if you define this setting SECURE_PROXY_SSL_HEADER = ('HTTPS', '1')?

@andrewamanda

Yes, see the header dump:

'HTTP_HTTPS': 'on',
'HTTP_HTTP_X_FORWARDED_PROTO': 'https',
'HTTP_X_FORWARDED_PROTO': 'https',
'HTTP_X_FORWARDED_SSL': 'on',

I just tried the setting:

SECURE_PROXY_SSL_HEADER = ('HTTPS', '1')
or
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

It doesn't have an effect on the redirect_uri.


omab commented Feb 10, 2015

Well, the header name is HTTP_HTTPS, so try with this value instead: SECURE_PROXY_SSL_HEADER = ('HTTP_HTTPS', 'on')

@andrewamanda

No, it doesn't make a difference after setting it to: SECURE_PROXY_SSL_HEADER = ('HTTP_HTTPS', 'on')

@andrewamanda

What are all the other possible settings for Amazon from the python-social-auth backend, besides:
SOCIAL_AUTH_AMAZON_KEY = '...'
SOCIAL_AUTH_AMAZON_SECRET = '...'
SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS = True


omab commented Feb 10, 2015

I can't think of any other setting that manages the SSL protocol in URIs. Setting SECURE_PROXY_SSL_HEADER to ('HTTP_X_FORWARDED_PROTO', 'https') or ('HTTP_HTTPS', 'on') should do the trick for Django to check if SSL is active in the current request. Also set SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS = True, which is a major override in the application to enforce https:// (check here https://github.com/omab/python-social-auth/blob/master/social/strategies/base.py#L113-L117 to see how it's used). Check that the app is being restarted/reloaded properly; those settings should do the trick.

@andrewamanda

Should we set REDIRECT_IS_HTTPS to True, according to the code you referred to?


omab commented Feb 10, 2015

You can set that value too but the setting method being invoked will check for the following names (and return the first one that's present): SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS, SOCIAL_AUTH_REDIRECT_IS_HTTPS, REDIRECT_IS_HTTPS.

@andrewamanda

Adding REDIRECT_IS_HTTPS solves the problem. But I still don't understand why it is not picking up
SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS.

I'm wondering how meconlin was able to get it working. The redirect_uri he posted was clearly a http://, but Amazon App Console clearly states that it must be https://

Midnight here, continue tomorrow


omab commented Feb 10, 2015

My bad, the setting is used at the strategy level and not the backend level, so the backend name in the setting does nothing; only SOCIAL_AUTH_REDIRECT_IS_HTTPS and REDIRECT_IS_HTTPS are taken into account.
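
To make the two mechanisms in this exchange concrete, the added example below (not python-social-auth's or Django's code; `request_is_secure`, `redirect_is_https`, `build_redirect_uri` and `PROXIED_META` are illustrative names) models how the scheme of redirect_uri gets decided: Django's `SECURE_PROXY_SSL_HEADER` rule is applied to the request META first, then the strategy-level `SOCIAL_AUTH_REDIRECT_IS_HTTPS` / `REDIRECT_IS_HTTPS` override is consulted in that order. The sample META is constructed from the header dump posted above, with `wsgi.url_scheme` left at `http` as it is when a proxy terminates TLS:

```python
from urllib.parse import urlunsplit


def request_is_secure(meta, secure_proxy_ssl_header=None):
    """Decide whether the current request arrived over TLS.

    Mirrors Django's HttpRequest.is_secure(): when SECURE_PROXY_SSL_HEADER is
    configured and the named META entry carries the expected value (first
    element if comma-separated), the request is secure; otherwise fall back
    to wsgi.url_scheme, which a TLS-terminating proxy usually leaves as 'http'.
    META keys carry the HTTP_ prefix, so ('HTTPS', '1') never matches a header.
    """
    if secure_proxy_ssl_header is not None:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:
            value = value.split(",", 1)[0].strip()
            return value == secure_value
    return meta.get("wsgi.url_scheme") == "https"


def redirect_is_https(settings):
    """Strategy-level override, in the lookup order stated in this thread.

    Only SOCIAL_AUTH_REDIRECT_IS_HTTPS and REDIRECT_IS_HTTPS are consulted; a
    backend-prefixed name such as SOCIAL_AUTH_AMAZON_REDIRECT_IS_HTTPS is
    deliberately ignored, which is why it had no effect above.
    """
    for name in ("SOCIAL_AUTH_REDIRECT_IS_HTTPS", "REDIRECT_IS_HTTPS"):
        if name in settings:
            return bool(settings[name])
    return False


def build_redirect_uri(settings, meta, host, path, secure_proxy_ssl_header=None):
    """Absolute redirect_uri for /complete/<backend>/ with the scheme resolved."""
    secure = redirect_is_https(settings) or request_is_secure(meta, secure_proxy_ssl_header)
    scheme = "https" if secure else "http"
    return urlunsplit((scheme, host, path, "", ""))


# Constructed sample META, modelled on the header dump posted in the thread.
PROXIED_META = {
    "wsgi.url_scheme": "http",
    "HTTP_HTTPS": "on",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_SSL": "on",
}
```

Two caveats a practitioner will want. `SECURE_PROXY_SSL_HEADER` makes Django trust a header, so it is only safe when the proxy overwrites that header on every request; if a client can reach the application with its own `X-Forwarded-Proto: https`, it will be treated as secure. `REDIRECT_IS_HTTPS`, by contrast, is a blanket override that does not look at the request at all, which is why it worked here regardless of what the proxy passed through.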

@andrewamanda

Thank you, that takes care of it.

Is there any logging mechanism available in the python-social-auth package which allows our app to keep track of the failed login attempts to those backends?


omab commented Feb 10, 2015

There's no logging mechanism for that, but you can write a middleware that takes those cases into account and act accordingly.
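
One way to build the middleware suggested above, as an added example that is not part of the thread or of python-social-auth (the class and function names are assumptions, and `FakeRequest` is a constructed stand-in for Django's request object): it recognises social-auth URLs by the `/login/<backend>/` and `/complete/<backend>/` shape seen in this thread, records the peer address, and deliberately keeps the OAuth `code` and `state` values out of the log:

```python
import logging

log = logging.getLogger("social_auth.failures")

SOCIAL_AUTH_PREFIXES = ("login", "complete", "disconnect")


class FakeRequest:
    """Constructed stand-in for a Django HttpRequest, enough for this example."""

    def __init__(self, path, meta=None, query=None):
        self.path = path
        self.META = meta or {}
        self.GET = query or {}


def backend_from_path(path):
    """Return the backend name from /login/<backend>/ or /complete/<backend>/."""
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] in SOCIAL_AUTH_PREFIXES:
        return parts[1]
    return None


def describe_failure(request, exception, trusted_proxy=False):
    """Build the log record for a failed social login.

    The backend name is taken from the exception's `backend` attribute if it
    has one (an assumption, not relied on) and otherwise from the URL. The
    peer address is REMOTE_ADDR; X-Forwarded-For is only honoured when the
    caller asserts a trusted proxy sets it, since clients can forge it.
    The provider's `error` parameter is useful; `code` and `state` are
    credentials and are never copied into the record.
    """
    backend = getattr(exception, "backend", None)
    backend_name = getattr(backend, "name", None) or backend_from_path(request.path)
    remote = request.META.get("REMOTE_ADDR")
    forwarded = request.META.get("HTTP_X_FORWARDED_FOR")
    if trusted_proxy and forwarded:
        remote = forwarded.split(",", 1)[0].strip()
    return {
        "event": "social_login_failed",
        "backend": backend_name,
        "remote_addr": remote,
        "exception": type(exception).__name__,
        "provider_error": request.GET.get("error"),
        "path": request.path,
    }


class FailedSocialLoginMiddleware:
    """Django-style middleware (hypothetical name).

    process_exception runs when a view raises; it logs the failure and returns
    None so the exception keeps propagating to whatever handler already exists.
    """

    def __init__(self, get_response=None, trusted_proxy=False):
        self.get_response = get_response
        self.trusted_proxy = trusted_proxy

    def __call__(self, request):
        return self.get_response(request)

    def process_exception(self, request, exception):
        if backend_from_path(request.path) is None:
            return None  # not a social-auth URL, nothing to record
        record = describe_failure(request, exception, self.trusted_proxy)
        log.warning(
            "%(event)s backend=%(backend)s remote=%(remote_addr)s "
            "exc=%(exception)s provider_error=%(provider_error)s path=%(path)s",
            record,
        )
        return None
```

Wiring it in means adding the class to MIDDLEWARE in settings.py; the record fields are what a detection pipeline would key on (repeated `access_denied` or exception bursts from one address against one backend), which is the reason for a structured dict rather than a free-text message.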
