Facebook authorization works locally but not on production: "Authentication credentials were not provided." #8

Closed
andreyshipilov opened this issue Jul 15, 2015 · 4 comments
@andreyshipilov
Hello. I'm testing the same Django application locally and on a production server, and it fails to work in the production environment.

This is the pip list for both servers:

...
Django (1.7.9)
django-rest-authemail (0.1.4)
django-rest-framework-social-oauth2 (0.0.8)
djangorestframework (3.1.3)
python-openid (2.2.5)
python-social-auth (0.2.12)
...

The Django application code comes from Git, and the dev/prod environments are separated by using different settings files. The difference between dev.py and production.py is currently minimal and basically just controls the DB settings and ALLOWED_HOSTS.

The OAuth2 provider Application in both cases is set to the same name and permissions. The request that I'm doing to localhost/api/convert-token and onlineserver/api/convert-token is this:

curl -H "Authorization: Bearer facebook <facebook_access_token>" <url>/api/convert-token/

Doing it to a local server responds with:

{"access_token":"EAyNXqPodr6rPseg5CubASPmVBx9vg","token_type":"Bearer","expires_in":86399,"refresh_token":"7EmzTqZtHE22Zloe4dYfNaZWiamGST","scope":"read write"}

Doing it to the online one:

{"detail":"Authentication credentials were not provided."}

The Facebook application is configured to use the domain name that is online. I thought that may be a problem, but it looks like it's not.

Am I missing something?

@andreyshipilov andreyshipilov changed the title Facebook authorization works locally but not on production: Facebook authorization works locally but not on production: "Authentication credentials were not provided." Jul 15, 2015
@andreyshipilov
Author

Ok, I have no idea what's going on, but... I tried the same SQLite DB that I use for local development on the online server. Basically I made two copies of my local database. Named them online.dev.db and online.prod.db. Configured corresponding settings to use two different files.

Then I ran ./manage.py runserver ON the online server itself from SSH, so basically running dev server online. Then from Python running locally I just did:

import requests

header = {'Authorization': 'Bearer facebook <here_is_the_actual_valid_token>'}
url = "http://localhost:8000/api/convert-token/"
rq = requests.get(url, headers=header)

print rq.text
>>> u'{"access_token":"5AkOEh8m2RA89h39MWqLPCuAXzVqPP","token_type":"Bearer","expires_in":86399,"refresh_token":"rGscLtjI78PjnrNtCYondUJuIJ75OR","scope":"read write"}'

So this uses the dev DB. Same request to "http://our-server-online.com/api/convert-token/" returns:

u'{"detail":"Authentication credentials were not provided."}'

On literally the same database... Am I going crazy?

@andreyshipilov
Author

Ok, if I'm using the online version of the Django app with a totally clean database which has just been created, synced and superuser created (no Provider Application added yet), requesting the convert-token url with a valid access token responds with the same:

u'{"detail":"Authentication credentials were not provided."}'

...as if there is nothing coming to the server from Curl.

@andreyshipilov
Author

Ok, looks like it was Apache2 not accepting the Authorization header. For some reason.

This helped: http://stackoverflow.com/questions/18424055/authorization-header-and-apache-request-headers-function

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
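
A way to confirm the diagnosis above from inside the application, as an added example that is not part of the original issue or the project's code: a small WSGI middleware that reports whether the Authorization header reached the app, without ever echoing the token. The names `describe_authorization`, `AuthHeaderProbe`, `probe` and the path `/_auth-probe/` are hypothetical, and the sample header values used with it are constructed.

```python
import json


def describe_authorization(environ):
    """Summarise the Authorization header in a WSGI environ without exposing the token."""
    parts = environ.get("HTTP_AUTHORIZATION", "").split()
    if not parts:
        return {"present": False,
                "hint": "header was dropped before it reached the application"}
    report = {"present": True, "scheme": parts[0], "parts": len(parts)}
    # The convert-token request in this issue sends "Bearer <backend> <token>".
    if len(parts) == 3:
        report["backend"] = parts[1]
    # Report only the token's length, never its value, so the output is safe to log.
    report["token_length"] = len(parts[-1]) if len(parts) > 1 else 0
    return report


class AuthHeaderProbe:
    """WSGI middleware: answer PROBE_PATH with the report, pass other requests through."""

    PROBE_PATH = "/_auth-probe/"  # hypothetical path; remove the probe after debugging

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") != self.PROBE_PATH:
            return self.app(environ, start_response)
        body = json.dumps(describe_authorization(environ)).encode("utf-8")
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(body)))])
        return [body]


def probe(app, path, headers):
    """Call a WSGI app in-process with constructed headers; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    chunks = app(environ, start_response)
    return seen["status"], b"".join(chunks).decode("utf-8")
```

Wrapping the WSGI application object in `AuthHeaderProbe` and sending the same curl request to the probe path shows `"present": false` on a server that strips the header and the scheme and backend on one that forwards it. If the deployment uses mod_wsgi (an assumption; the issue only says Apache2), its `WSGIPassAuthorization On` directive is the documented way to forward the header.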

@PhilipGarnero
Collaborator

Well, glad you figured it out by yourself! 👍
