
(insecure_transport) OAuth 2 MUST utilize https. #287

Open
cosbgn opened this issue Aug 31, 2017 · 14 comments

Comments

cosbgn commented Aug 31, 2017

My site is fully SSL secured. Yet when I try to exchange the code I get this:
(insecure_transport) OAuth 2 MUST utilize https..
Chrome shows me the following message:
The page includes a form with a non-secure "action" attribute.

Yet I can't really figure out what the problem is. I double checked and the only requests I made are to the Google Apis which are fully secured.

My function looks like this:

from django.conf import settings
from oauthlib.oauth2.rfc6749.errors import MissingCodeError

def exchange_code(request):  # /setup
    oauth = get_oauth()  # project helper (defined elsewhere) that returns the OAuth2Session
    # Full URL of the callback request as the app sees it, scheme included;
    # oauthlib checks that it starts with https:// before parsing the code out of it
    authorization_code = request.build_absolute_uri()

    try:
        token = oauth.fetch_token(
            'https://accounts.google.com/o/oauth2/token',
            authorization_response=authorization_code,
            client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)
    except MissingCodeError as error:
        return error_page(request, error)  # project helper that renders an error page

What can be the problem?

cosbgn (Author) commented Aug 31, 2017

I've removed everything from the function which could lead to the problem and squeezed it all into one; I even hardcoded the URL like this:

from django.conf import settings
from django.http import HttpResponse
from requests_oauthlib import OAuth2Session

def exchange_code(request):  # /setup
    scope = settings.GOOGLE_SCOPE
    client_id = settings.GOOGLE_OAUTH2_CLIENT_ID
    redirect_uri = 'https://analytic.localtunnel.me/setup'
    oauth = OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
    # Callback URL as the app sees it; oauthlib requires it to start with https://
    authorization_code = request.build_absolute_uri()

    try:
        token = oauth.fetch_token(
            'https://accounts.google.com/o/oauth2/token',
            authorization_response=authorization_code,
            client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)
        return HttpResponse(token)
    except Exception as error:
        return HttpResponse(error)

The issue is not caused by localtunnel because it also happens on my dev server.

cosbgn (Author) commented Aug 31, 2017

I arrived at the conclusion that this:

token = oauth.fetch_token(
    'https://accounts.google.com/o/oauth2/token',
    authorization_response=authorization_code,
    client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)

causes Chrome to say that "The page includes a form with a non-secure "action" attribute." However, I still don't know how to fix it. Any ideas?

Lukasa (Member) commented Aug 31, 2017

My guess is that the form uses an HTTP URL to submit the form. Want to check?

cosbgn (Author) commented Aug 31, 2017

Hi @Lukasa thanks for helping. How do I check that?

cosbgn (Author) commented Aug 31, 2017

The page is indeed "not fully protected", but it's because of the oauth.fetch_token; if I remove it, the page is fully protected. Check this screenshot https://snag.gy/7y1Y6n.jpg

Lukasa (Member) commented Aug 31, 2017

The problem still seems to be that the page is giving you a bad form. Look in the page source for a <form> tag that uses a HTTP (non-S) URL.

cosbgn (Author) commented Aug 31, 2017 via email

arun542 commented May 2, 2018

This might be because of "authorization_code = request.build_absolute_uri()". Have you tried printing it? It should contain "https", not "http". If it is not generating https, then replace the string. Worked for me.

@saumyachoudhary31

from django.core.cache import caches
from xero.auth import OAuth2Credentials

# Inside the Django callback view: restore the credentials saved before the redirect to Xero
cred_state = caches['default'].get('xero_creds')
credentials = OAuth2Credentials(**cred_state)
# Full callback URL exactly as received; its scheme must be https for the transport check
auth_secret = request.get_raw_uri()
print(auth_secret)
credentials.verify(auth_secret)
credentials.set_default_tenant()
caches['mycache'].set('xero_creds', credentials.state)

@akaushik759

temp_var = request.build_absolute_uri()
# Rewrite only the scheme at the start of the callback URL, not an "http:" that may appear in the query string
if temp_var.startswith("http:"):
    temp_var = "https:" + temp_var[5:]

It replaces "http:" with "https:"

@luckyCasualGuy

Replacing http with https definitely works for me... thanks @arun542 for the answer!!

@Stift007

This should help

import os
# Process-wide switch: oauthlib skips the https check for every URL it is given
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
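To make the diagnosis in the comments above concrete (the callback URL is reported with an http scheme when a TLS-terminating proxy forwards to the app over plain http) and to show what the two workarounds posted here, the string replacement and OAUTHLIB_INSECURE_TRANSPORT, actually accept, here is an added example. It is not code from this issue or from requests-oauthlib: the transport check and the URL assembly are reimplemented with the standard library only, and the hostname, code and state values are constructed.

```python
import os
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: what the app sees on the OAuth callback when a TLS-terminating
# proxy (nginx, localtunnel, a load balancer) forwards to it over plain http.
# The browser used https; the proxy-to-app hop did not.
SAMPLE_REQUEST = {
    "scheme": "http",                                   # scheme of the proxy -> app hop
    "host": "analytic.example.test",                    # constructed hostname
    "path": "/setup",
    "query": "code=4/constructed-code&state=abc123",    # constructed values
    "headers": {"X-Forwarded-Proto": "https"},          # set by the proxy
}

def is_secure_transport(uri):
    """Reimplementation (not oauthlib's code) of its transport check: an https://
    URL passes; the OAUTHLIB_INSECURE_TRANSPORT env var disables the check for
    every URL in the process."""
    if os.environ.get("OAUTHLIB_INSECURE_TRANSPORT"):
        return True
    return uri.lower().startswith("https://")

def extract_code(authorization_response):
    """Mimics what fetch_token(authorization_response=...) does first: reject an
    insecure callback URL, then pull the authorization code out of its query."""
    if not is_secure_transport(authorization_response):
        raise ValueError("(insecure_transport) OAuth 2 MUST utilize https.")
    params = parse_qs(urlsplit(authorization_response).query)
    if "code" not in params:
        raise ValueError("Missing code parameter in response.")
    return params["code"][0]

def build_absolute_uri(req, trust_forwarded_proto=False):
    """Model of request.build_absolute_uri(): the scheme is the one the app's own
    hop used, unless the deployment is configured to trust the proxy's
    X-Forwarded-Proto header (in Django: the SECURE_PROXY_SSL_HEADER setting)."""
    scheme = req["scheme"]
    forwarded = req["headers"].get("X-Forwarded-Proto", "").lower()
    if trust_forwarded_proto and forwarded == "https":
        scheme = "https"
    return urlunsplit((scheme, req["host"], req["path"], req["query"], ""))

def naive_rewrite(uri):
    """The string-replace workaround from the thread: relabels ANY http URL as
    https, whether or not TLS was used anywhere on the path."""
    return "https:" + uri[5:] if uri.startswith("http:") else uri

def with_insecure_transport_env(uri):
    """Run the check with the env-var escape hatch switched on, then restore it."""
    previous = os.environ.get("OAUTHLIB_INSECURE_TRANSPORT")
    os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
    try:
        return is_secure_transport(uri)
    finally:
        if previous is None:
            del os.environ["OAUTHLIB_INSECURE_TRANSPORT"]
        else:
            os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = previous

if __name__ == "__main__":
    # 1. Default: the app reports http://, exactly the situation in this issue.
    as_seen = build_absolute_uri(SAMPLE_REQUEST)
    print(as_seen, is_secure_transport(as_seen))
    # 2. Trust the proxy header: the URL is rebuilt as https and the code parses.
    fixed = build_absolute_uri(SAMPLE_REQUEST, trust_forwarded_proto=True)
    print(fixed, extract_code(fixed))
    # 3. A callback that really arrived over plain http (no forwarded header):
    plain = dict(SAMPLE_REQUEST, headers={})
    plain_uri = build_absolute_uri(plain, trust_forwarded_proto=True)
    print(is_secure_transport(plain_uri))                 # rejected
    print(is_secure_transport(naive_rewrite(plain_uri)))  # accepted by the rewrite
    print(with_insecure_transport_env(plain_uri))         # accepted by the env var
```

In Django the `trust_forwarded_proto` switch corresponds to `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`, which makes `request.is_secure()` and therefore `build_absolute_uri()` report https when the proxy in front of the app sets that header (the proxy must overwrite it on every request, or a client could supply it). Case 3 is the difference between that setting and the two workarounds: the rewrite and the env var also accept a callback that genuinely travelled over plain http, which is the condition the check exists to catch.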

@25mordad

With the following solution, I could pass the error:

# Flask: request.url is the callback URL as the app saw it; rewrite only the leading scheme
https_authorization_url = request.url.replace('http://', 'https://', 1)
flow.fetch_token(authorization_response=https_authorization_url)

@NowLetsJam

With the following solution, I could pass the error:

https_authorization_url = request.url.replace('http://', 'https://', 1)
flow.fetch_token(authorization_response=https_authorization_url)

it works! thanks!


9 participants