
OAuth2Session(client_id=client_id, client=client) returns 403 error in production environment #232

Closed
maurizio-mariani opened this issue Apr 18, 2016 · 14 comments

Comments

@maurizio-mariani

OAuth2Session(client_id=client_id, client=client) returns a 403 error in the production environment.
Works well on localhost.

On localhost and in the production environment I disabled OAUTHLIB_INSECURE_TRANSPORT:
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'

@maurizio-mariani
Author

OAuth2Session(client_id=client_id, client=client, token=token).get(URL)

@Lukasa
Member

Lukasa commented Apr 19, 2016

Are you sure your client id and token are valid for the production environment?

@maurizio-mariani
Author

maurizio-mariani commented Apr 19, 2016

Sure, I'm trying to use it to test my REST service. When I run it on localhost, it works well. In production, on a virtual machine, I get a 403 error on my requests; the only difference is the environment.
If I use django.test.client, the requests work, even in production.

@Lukasa
Member

Lukasa commented Apr 19, 2016

Does your use of the django test client actually do the OAuth dance?

@maurizio-mariani
Author

Yes. Btw, my REST service implements only the client credentials flow.

@Lukasa
Member

Lukasa commented Apr 19, 2016

So you're using the BackendApplicationClient? Is it appropriately configured?

Are there any backend differences between you running against localhost and running in production? Can you find any reason for the 403 in the logs?

@maurizio-mariani
Author

Nothing in the log, but here is my code:

import os

from django.conf import settings
from django.http import HttpResponseForbidden, JsonResponse
from oauthlib.oauth2 import BackendApplicationClient, TokenExpiredError
from requests_oauthlib import OAuth2Session


def get(self, request):
    # Method of a Django class-based view; self.apiUrls maps an operation
    # name to the path of the protected API endpoint.
    operation = request.GET['operation']
    client_id = request.GET['client_id']
    secret = request.GET['client_secret']  # client secret arrives in the query string
    word = request.GET['word']
    word_type = request.GET['type']

    # Allow the token exchange over plain http (the localhost/DEBUG case).
    os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
    client = BackendApplicationClient(client_id=client_id)

    # The token endpoint is addressed over plain http in all environments;
    # the API call itself is http in DEBUG and https otherwise.
    token_url = "http://" + request.get_host() + '/o/token/'
    scheme = "http://" if settings.DEBUG is True else "https://"
    url = (scheme + request.get_host() + self.apiUrls[str(operation)]
           + "?word=" + word + "&type=" + word_type)
    session_key = 'oauth_token' + client_id

    def fetch_and_cache_token():
        # Client credentials grant: exchange client_id/client_secret for an
        # access token and cache it in the Django session under this client.
        session = OAuth2Session(client=client, scope=['read', 'write'])
        token = session.fetch_token(token_url=token_url,
                                    client_id=client_id,
                                    client_secret=secret)
        request.session[session_key] = token
        return token

    try:
        token = request.session[session_key]
    except KeyError:
        token = fetch_and_cache_token()
    oauth = OAuth2Session(client=client, token=token, scope=['read', 'write'])

    try:
        r = oauth.get(url)
    except TokenExpiredError:
        # Cached token expired: fetch a fresh one and retry the request once.
        token = fetch_and_cache_token()
        oauth = OAuth2Session(client=client, token=token, scope=['read', 'write'])
        r = oauth.get(url)

    if r.status_code == 403:
        # Drop the cached token so the next request starts a new exchange.
        del request.session[session_key]
        return HttpResponseForbidden()
    # r.content is bytes and not JSON-serialisable; decode the JSON body first.
    return JsonResponse(r.json(), safe=False)

@Lukasa
Member

Lukasa commented Apr 19, 2016

I'd be very interested to know whether the control flow through this function is the same in both your localhost and production instances. Are you going to be able to safely discover that on your production deployment?

@maurizio-mariani
Author

How could it be different? I'm running in debug mode even in production.

@Lukasa
Member

Lukasa commented Apr 19, 2016

@ilGuccio The function is complex enough and depends enough on external factors that it could be different. I'd like to rule that possibility out first. When debugging, simply assuming that the code is functioning as you expect is not good enough. We must prove it. =)

@maurizio-mariani
Author

I'm truly confused; I tried to run the application on the virtual machine via python manage.py runserver 0.0.0.0:8000 and access it by its public IP, and it works :/

@Lukasa
Member

Lukasa commented Apr 19, 2016

This is why I want you to trace the flow of execution: I don't think we know what's going on here.

@maurizio-mariani
Author

maurizio-mariani commented Apr 20, 2016

Solved, the problem was the Apache configuration:
http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration
Need to set WSGIPassAuthorization On.
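
The fix above points at a failure mode worth being able to see from inside the application: behind Apache with mod_wsgi, the Authorization header that OAuth2Session attaches as a Bearer token is dropped before it reaches the WSGI environ unless WSGIPassAuthorization On is set, so the resource server sees an unauthenticated request and answers 403, while the Django dev server (which passes the header through) works. The following is an added example, not code from this issue or from requests-oauthlib: a stdlib-only probe that classifies a request as header present, header stripped by mod_wsgi, or header never sent, plus a WSGI middleware that logs the verdict. Assumptions: the `mod_wsgi.version` environ key is used as the marker that mod_wsgi is the gateway, the `/api/` path prefix and the sample environ dicts are constructed here.

```python
"""Check whether the Authorization header reaches the WSGI application.

Added example (not code from the issue or from requests-oauthlib). Behind
Apache/mod_wsgi the HTTP_AUTHORIZATION key is absent from the WSGI environ
unless the Apache config sets 'WSGIPassAuthorization On'; the Django dev
server passes it through, which matches the localhost-vs-production
difference described in the thread.
"""
import logging

logger = logging.getLogger(__name__)

# mod_wsgi adds 'mod_wsgi.*' keys to the environ; assumed here as the marker
# that Apache, not the Django dev server, is in front of the application.
MOD_WSGI_MARKER = "mod_wsgi.version"

OK = "ok"
MISSING_MOD_WSGI = ("Authorization header missing and mod_wsgi detected: "
                    "set 'WSGIPassAuthorization On' in the Apache config")
MISSING_CLIENT = "Authorization header missing: the client did not send one"


def authorization_scheme(environ):
    """Return the auth scheme ('Bearer', 'Basic', ...) seen by the WSGI app,
    or None when no Authorization header was passed through."""
    value = environ.get("HTTP_AUTHORIZATION", "").strip()
    if not value:
        return None
    return value.split(None, 1)[0]


def diagnose(environ):
    """Classify a request: header present, stripped by mod_wsgi, or never sent."""
    if authorization_scheme(environ) is not None:
        return OK
    if MOD_WSGI_MARKER in environ:
        return MISSING_MOD_WSGI
    return MISSING_CLIENT


class AuthorizationProbe:
    """WSGI middleware that logs the diagnosis for requests under a protected
    path prefix. Wrap the Django WSGI application in wsgi.py while debugging;
    it never alters the request or the response."""

    def __init__(self, app, protected_prefix="/api/"):  # prefix is an assumption
        self.app = app
        self.protected_prefix = protected_prefix

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "").startswith(self.protected_prefix):
            verdict = diagnose(environ)
            if verdict != OK:
                logger.warning("%s %s: %s", environ.get("REQUEST_METHOD"),
                               environ.get("PATH_INFO"), verdict)
        return self.app(environ, start_response)


# Constructed sample environs (not captured from a real deployment).
SAMPLE_OK = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/words/",
             "HTTP_AUTHORIZATION": "Bearer constructed-token-value"}
SAMPLE_MOD_WSGI_STRIPPED = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/words/",
                            "mod_wsgi.version": (4, 4, 0)}
SAMPLE_NO_HEADER = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/words/"}


def probe_samples():
    """Run the diagnosis over the constructed samples; returns name -> verdict."""
    return {name: diagnose(env) for name, env in
            (("ok", SAMPLE_OK), ("mod_wsgi", SAMPLE_MOD_WSGI_STRIPPED),
             ("no_header", SAMPLE_NO_HEADER))}


if __name__ == "__main__":
    for name, verdict in probe_samples().items():
        print(name, "->", verdict)
```

The middleware is diagnostic only: it reads the environ and passes the request on unchanged, so it can sit in front of the real application on a staging host and tell you whether the 403 is the provider rejecting a token or the token never arriving.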

@Lukasa
Member

Lukasa commented Apr 20, 2016

Aha, thanks for following up! ✨

@Lukasa Lukasa closed this as completed Apr 20, 2016