POST method fails with urllib>=1.26.0 for https://android.clients.google.com/auth #2101
Comments
I can reproduce on macOS. I ran I'm not the only one seeing a correlation between ALPN and BadAuthentication, see kiwiz/gkeepapi#69 (comment). For now it looks like https://android.clients.google.com/auth just likes to drop suspicious requests, and urllib3 1.26 became suspicious due to ALPN. But that's not the only issue, I'll continue to investigate.
I also investigated it a bit more. In addition to ALPN, it also seems to be related to
I agree @finkandreas - I don't think there's a good way to "fix" this in urllib3.
@crwilcox Would it be possible to report to the team in charge of https://android.clients.google.com/auth that urllib3/requests (i.e. most of the Python ecosystem) can't authenticate anymore since urllib3 1.26.0? Each of these two changes is enough on its own to get BadAuthentication 100% of the time:
@pquentin I took a moment and ran the repro. It seems to me that perhaps the payload is being manipulated? If I run the POST the Also the following will repro the behavior, and doesn't involve
Log For Working:
Log for Not Working
@crwilcox I have adapted your example so it also works with urllib3-1.26.3 for me now:
Google doesn't like all ciphers in newest versions as described here: urllib3/urllib3#2101
@lucasknopp this is not the place to ask that question. We're not Node developers and we're not going to research this for you
@89z this sounds interesting, thank you for the pointer. Could you elaborate a little on how this could be used to set up a working
Subject
This issue baffles me a little bit, because I cannot understand why it fails. Basically I am unable to log in to my Google account when I'm using urllib>=1.26.0. But let me first describe the environments that I am using and how they are set up:
Environment
I am using python-3.8.6
WORKING:
BROKEN:
Steps to Reproduce
Expected Behavior
I would expect both versions to allow logging in to the Google account.
Actual Behavior
It works with urllib3-1.25.11 but fails with urllib3>=1.26.0 (The response is 403 'Error=BadAuthentication'). I am logging the data that is sent to the server and it looks correct. Actually one can reduce the test case once the EncryptedPasswd is known, and create a pure POST request with requests (and get gpapi out of the equation). This request will work with urllib3-1.25.11 and give a 403 with urllib3>=1.26.0. It is absolutely unclear to me what is different, because the data that is sent to the server is according to the logging exactly the same, so I do not see what the difference between the two POST requests is.
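The issue reports identical logged POST data on both versions, while the comments correlate the failure with ALPN and ciphers; both live in the TLS ClientHello, which HTTP-level logging never shows. The following is an added example, not code from this thread or from urllib3: it builds ClientHello records offline with Python's `ssl` module, with and without an ALPN list, and compares the cipher suites and extensions a server would see. The `["http/1.1"]` list and the `example.invalid` hostname are sample values chosen for the illustration.

```python
import ssl
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def client_hello(alpn=None):
    """Return the ClientHello record Python's ssl would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, ServerHello never arrives
    return outgoing.read()

def parse_hello(record):
    """Return (cipher_suite_ids, extension_types) from a ClientHello record."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # skip legacy session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), record, pos + 2))
    pos += 2 + cs_len
    pos += 1 + record[pos]          # skip compression methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos, end = pos + 2, pos + 2 + ext_total
    exts = []
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        exts.append(ext_type)
        pos += 4 + ext_len
    return suites, exts

def compare(alpn):
    """Diff the handshake with and without ALPN; HTTP payload plays no part."""
    suites_a, exts_a = parse_hello(client_hello())
    suites_b, exts_b = parse_hello(client_hello(alpn))
    return {"same_suites": suites_a == suites_b,
            "extensions_added": sorted(set(exts_b) - set(exts_a))}

if __name__ == "__main__":
    print(compare(["http/1.1"]))
```

The same `parse_hello` can be run on a ClientHello captured from each urllib3 version to see which handshake fields differ when the request body does not.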