using version 1.3.0 to set up django 1.6.10 oauth2 client -- getting 403 when using token to access protected WP resource #416

Open
nojyarg opened this issue Jul 18, 2020 · 0 comments

nojyarg commented Jul 18, 2020

I'm working on a legacy app for a client, and I'm having a weird issue in Django 1.6.10 at the very end of the OAuth2 conversation using requests-oauthlib 1.3.0. The Django app is the OAuth2 client and WordPress is the ID provider (I'm using the WordPress OAuth Server plugin). Basically, I can exchange the auth code for an access token just fine, but when I then try to retrieve a protected resource from WordPress (/oauth/me) using that access token, I get a 403 Forbidden error in Django. HOWEVER, when I take that same access token to Postman and issue a POST request to /oauth/me with Authorization=Bearer , I get the protected user info back from WP just fine. Maybe it's something to do with the headers, or maybe the client scope (which is 'basic'), or something to do with how I am requesting the token? I'm stepping through the OAuth2Session class from requests-oauthlib to see what might be going haywire. Someone having experience with this lib will maybe know already what is happening? Thanks in advance! Code is below.

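```python
import json

from django.http import HttpResponse
from django.shortcuts import redirect
from requests_oauthlib import OAuth2Session

# The WORDPRESS_* constants (client id/secret, redirect URI, endpoints) are
# defined elsewhere in the project and are not shown in the issue.


def oauth_init(request):
    # Step 1: send the user to the WordPress authorization endpoint.
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID, redirect_uri=WORDPRESS_REDIRECT_URI)
    authorization_url, state = wordpress.authorization_url(WORDPRESS_AUTHORIZE_ENDPOINT)
    # Keep the state so the callback can be tied to this browser session.
    request.session['oauth_state'] = state
    return redirect(authorization_url)


def oauth_authorize(request):
    # Step 2: callback; exchange the authorization code for an access token.
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID,
                              state=request.session['oauth_state'],
                              redirect_uri=WORDPRESS_REDIRECT_URI,
                              scope="basic")

    token = wordpress.fetch_token(token_url=WORDPRESS_ACCESSTOKEN_ENDPOINT,
                                  include_client_id=True,
                                  client_secret=WORDPRESS_CLIENT_SECRET,
                                  code=request.GET["code"],
                                  headers={"User-Agent": "None"})

    request.session['oauth_token'] = token
    return redirect("/wp_profile")


def wp_profile(request):
    # Step 3: call the protected resource with the stored token.
    wordpress = OAuth2Session(WORDPRESS_CLIENT_ID,
                              token=request.session['oauth_token'])
    user = wordpress.get('https://imsestage.wpengine.com/oauth/me')  # <-- this is failing with 403
    # A view must return an HttpResponse; serialize the decoded body, not the Response object.
    return HttpResponse(json.dumps(user.json()), content_type="application/json")
```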
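
One way to see exactly what `OAuth2Session` puts on the wire for `/oauth/me`, so it can be compared field by field with the Postman request described above. This is an added example, not code from the issue author or from the requests-oauthlib project. `RecordingAdapter`, `capture`, `diff`, the placeholder host and the token value are constructed for illustration, and the adapter never touches the network.

```python
import requests
from requests.adapters import BaseAdapter
from requests_oauthlib import OAuth2Session

ME_URL = "https://wp.example.invalid/oauth/me"  # placeholder host (assumption)
TOKEN = {"access_token": "constructed-token", "token_type": "Bearer"}  # constructed


class RecordingAdapter(BaseAdapter):
    """Records the prepared request and returns a canned 200; no network I/O."""
    def __init__(self):
        super().__init__()
        self.sent = []

    def send(self, request, **kwargs):
        self.sent.append(request)
        resp = requests.Response()
        resp.status_code = 200
        resp.request = request
        resp._content = b"{}"
        return resp

    def close(self):
        pass


def capture(method, url=ME_URL, token=TOKEN, **kwargs):
    """Return method, URL and lower-cased headers as OAuth2Session would send them."""
    session = OAuth2Session("constructed-client-id", token=token)
    adapter = RecordingAdapter()
    session.mount("https://", adapter)  # replaces the real HTTPS transport
    session.request(method, url, **kwargs)
    sent = adapter.sent[0]
    headers = {k.lower(): v for k, v in sent.headers.items()}
    if "authorization" in headers:  # keep the scheme, never log the token itself
        headers["authorization"] = headers["authorization"].split(" ", 1)[0] + " <redacted>"
    return {"method": sent.method, "url": sent.url, "headers": headers}


def diff(a, b):
    """Method and headers whose values differ between two captures."""
    out = {}
    if a["method"] != b["method"]:
        out["method"] = (a["method"], b["method"])
    for name in sorted(set(a["headers"]) | set(b["headers"])):
        left, right = a["headers"].get(name), b["headers"].get(name)
        if left != right:
            out[name] = (left, right)
    return out
```

`diff(capture("GET"), capture("POST", headers={"User-Agent": "None"}))` lists what changes between the call made in `wp_profile` and a POST that carries the same `User-Agent` override passed to `fetch_token`.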