How to debug 'MismatchingStateError'

[NotaLabs]

Hello,
i was trying to connect to the OneDrive REST Api using oauthlib. I am able to create an authorization url, but when it comes to fetching a token, my programm throws an exception.

from requests_oauthlib import OAuth2Session


client_id = '3753a627-146e-4137-8f6e-8c561547551b'
client_secret = 'xxxxxxxxxxxxxxxxxxxxxxx'
redirect_uri = 'https://localhost:8080'

#OAuth Endpoints for OneDrive
authorization_base_url = "https://login.live.com/oauth20_authorize.srf"
token_url = "https://login.live.com/oauth20_token.srf"
scope = [
    "offline_access",
    "onedrive.readwrite",
    "wl.signin"
]



onedrive = OAuth2Session(client_id, scope=scope, redirect_uri=redirect_uri)

authorization_url, state = onedrive.authorization_url(authorization_base_url)
print('Authlink,', authorization_url)

redirect_response = input('Please enter the FULL Url: ')
onedrive.fetch_token(token_url, client_secret=client_secret,authorization_response=redirect_response)

C:\Users\Tim\AppData\Local\Programs\Python\Python35-32\python.exe C:/Users/Tim/PycharmProjects/copy+/onedriveconnect.py
Authlink, https://login.live.com/oauth20_authorize.srf?response_type=code&client_id=3753a627-146e-4137-8f6e-8c561547551b&redirect_uri=https%3A%2F%2Flocalhost%3A8080&scope=offline_access+onedrive.readwrite+wl.signin&state=sYQ8Lv2cLpV7QqZyujgfI9d7OmuhPE
Please enter the FULL Url: https://localhost:8080/?code=Mfac93b90-7dda-0c22-4000-8d7cb40ca384&state=sYQ8Lv2cLpV7QqZyujgfI9d7OmuhPE 
Traceback (most recent call last):
  File "C:/Users/Tim/PycharmProjects/copy+/onedriveconnect.py", line 25, in <module>
    onedrive.fetch_token(token_url, client_secret=client_secret,authorization_response=redirect_response)
  File "C:\Users\Tim\AppData\Local\Programs\Python\Python35-32\lib\site-packages\requests_oauthlib\oauth2_session.py", line 187, in fetch_token
    state=self._state)
  File "C:\Users\Tim\AppData\Local\Programs\Python\Python35-32\lib\site-packages\oauthlib\oauth2\rfc6749\clients\web_application.py", line 174, in parse_request_uri_response
    response = parse_authorization_code_response(uri, state=state)
  File "C:\Users\Tim\AppData\Local\Programs\Python\Python35-32\lib\site-packages\oauthlib\oauth2\rfc6749\parameters.py", line 227, in parse_authorization_code_response
    raise MismatchingStateError()
oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state) CSRF Warning! State not equal in request and response.

Process finished with exit code 1

[Lukasa]

Looks like you didn't pass the state from the authorisation URL into fetch_token

[NotaLabs]

How do i do this ? The fetch_token() method doesnt accept a state parameter and technically i already passed the state by passing the redirect_response to fetch_token()

[Lukasa]

@NotaLabs Sorry, the state is implicitly persisted. The question is, why does the state from the passed-in URI not match? Visually they look the same, but perhaps there's a whitespace character in there. Can you change your code from redirect_response = input('Please enter the FULL Url: ') to redirect_response = input('Please enter the FULL Url: ').strip() and see if that helps?

[presnick]

@Lukasa: thank you for this suggestion! I had a similar problem (using a different API) and stripping off whitespace resolved it.

[bepetersn]

I had a similar error, and found that there was a little bit of url-encoded text "%27" occuring at the end of the URL, just after state, that wasn't part of state. Leaving this off allowed me to authenticate properly. I debugged using pdb and stepping into the OAuthSession's method to see what value it had for the _state field

[Seroleashed]

I am trying to use the shopify api. There is a python version but since I eventually want to move to php I am working with the request library. When trying to get the final access token I am also getting the "MismatchingStateError". But the state passed on the request and the state on the response are the same.
Here is my python code:

import requests
from requests_oauthlib import OAuth2Session
import urllib.parse as urlparse

APIKEY = r"6d4048f6c9976c4cd4c647a44abc7d10"
APISECRET = r"c07ef629983497135c6fd41ad7bbae59"
shop_name = "geek-ommerce-test1"
shop_base_url = shop_name+".myshopify.com"
authorization_url = "https://"+shop_base_url+"/admin/oauth/authorize"
token_url = "https://"+shop_base_url+"/admin/oauth/access_token"
redirect_url = "https://dustinlorenz.com/geek-ommerce/bot/index.php"

scope = ["write_products"]
oauth = OAuth2Session(APIKEY,redirect_uri=redirect_url,scope=scope,state=1)
authorization_url, state = oauth.authorization_url(authorization_url)
authorization_response = input('Enter the full callback URL').strip()
access_token = oauth.fetch_token(
        token_url=token_url,
        client_id=APIKEY,
        client_secret=APISECRET,
        authorization_response=authorization_response)

Again: The state stored in the variable "state" and the value in the url parameter "state" as well as the the variable passed to "OAuth2Session()" are 1. I also tried it without passing "state" to the function with the same result.

Any ideas what I am doing wrong?

Thank you very much in advance!

P.S. The app id and secret should work for you, too, in case you want to try it out. I won't use the same shopify app once everything is working. It's just for testing and debugging.

[Seroleashed]

I just tried it in a Python 2.7 variant but got the same issue.
Now the states are (for example):

 'YV2u9vzY0P6R27lcrk1WQO2iO1sjMY' (before)
u'YV2u9vzY0P6R27lcrk1WQO2iO1sjMY' (after)

Could that "u" already be the difference? And if so: How do I fix this? Because in this example I let OAuth2Session() take care of the "state"...

When I tried passing "1" to the OAuth2Session()-function I also get the Mismatch-Error although both states (before and after) are now "1".

Thanks again in advance.

[singingwolfboy]

It appears that there are several different people asking for help in this GitHub issue, with several different issues that are similar, but may have different causes. That makes it really hard to actually help anyone.

I'm going to close this GitHub issue. If you still have a problem that you haven't been able to resolve, please open a new, separate GitHub issue.

[nilbacardit26]

Actually the issue is "How to debug MismatchingStateError"

I am gonna try to bring some light as I encountered the same issue. I solved it by passing the FULL url in the response in the authorization_response: http://localhost:8090/callback?code=XXX&state=YYY&session_state=ZZZZ
Note that the url callback configured in my app is: http://localhost:8090/callback
I was not passing http://localhost, just /callback?code=XXX&state=YYY&session_state=ZZZZ
And that was causing the oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state)
Seems obvious but I just wanted to note that. Besides, check that you state is the same and that there are not encoded characters.

[dzpt]

@nilbacardit26 the full url isn't that.
i have #_=_ suffix . should i pass it also?

[tldev]

I was debugging a similar issue. In my case, I was generating a uuid4() but was not converting to a string before persisting to the session, so the library was comparing UUID('e2355199-8096-4247-95c4-ede563fa1b2c') to 'e2355199-8096-4247-95c4-ede563fa1b2c'