Doing the OAuth dance with style using Flask, requests, and oauthlib.

Overview

Flask-Dance

Doing the OAuth dance with style using Flask, requests, and oauthlib. Currently, only OAuth consumers are supported, but this project could easily support OAuth providers in the future, as well. The full documentation for this project is hosted on ReadTheDocs, including the full list of supported OAuth providers, but this README will give you a taste of the features.

Installation

Just the basics:

$ pip install Flask-Dance

Or if you're planning on using the SQLAlchemy storage:

$ pip install Flask-Dance[sqla]

Quickstart

If you want your users to be able to log in to your app from any of the supported OAuth providers, you've got it easy. Here's an example using GitHub:

from flask import Flask, redirect, url_for
from flask_dance.contrib.github import make_github_blueprint, github

app = Flask(__name__)
app.secret_key = "supersekrit"
blueprint = make_github_blueprint(
    client_id="my-key-here",
    client_secret="my-secret-here",
)
app.register_blueprint(blueprint, url_prefix="/login")

@app.route("/")
def index():
    if not github.authorized:
        return redirect(url_for("github.login"))
    resp = github.get("/user")
    assert resp.ok
    return "You are @{login} on GitHub".format(login=resp.json()["login"])

If you're itching to try it out, check out the flask-dance-github example repository, with detailed instructions for how to run this code.

The github object is a context local, just like flask.request. That means that you can import it in any Python file you want, and use it in the context of an incoming HTTP request. If you've split your Flask app up into multiple different files, feel free to import this object in any of your files, and use it just like you would use the requests module.

You can also use Flask-Dance with any OAuth provider you'd like, not just the pre-set configurations. See the documentation for how to use other OAuth providers.

Storages

By default, OAuth access tokens are stored in Flask's session object. This means that if the user ever clears their browser cookies, they will have to go through the OAuth dance again, which is not good. You're better off storing access tokens in a database or some other persistent store, and Flask-Dance has support for swapping out the token storage. For example, if you're using SQLAlchemy, set it up like this:

from flask_sqlalchemy import SQLAlchemy
from flask_dance.consumer.storage.sqla import OAuthConsumerMixin, SQLAlchemyStorage

db = SQLAlchemy()

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    # ... other columns as needed

class OAuth(OAuthConsumerMixin, db.Model):
    user_id = db.Column(db.Integer, db.ForeignKey(User.id))
    user = db.relationship(User)

# get_current_user() is a function that returns the current logged in user
blueprint.storage = SQLAlchemyStorage(OAuth, db.session, user=get_current_user)

The SQLAlchemy storage seamlessly integrates with Flask-SQLAlchemy, as well as Flask-Login for user management, and Flask-Caching for caching.

Full Documentation

This README provides just a taste of what Flask-Dance is capable of. To see more, read the documentation on ReadTheDocs.

Comments
  • Twitter: "ValueError: Cannot get OAuth token without an associated user"

    I was able to run the github-oauth based example correctly.

    I then created this gist which is the same except switching to twitter. It gives "ValueError: Cannot get OAuth token without an associated user".

    opened by chrisroat 24
  • Wrong session usage or possible security issue

    Working according to the basic documentation, I'm hitting a serious problem where one user login session in one browser is propagated to another browser with no login credentials.

    Here's my relevant server code:

    from os import environ
    
    from flask import Flask, redirect, url_for, render_template
    from flask_sqlalchemy import SQLAlchemy
    from flask_migrate import Migrate
    from flask_dance.contrib.twitter import make_twitter_blueprint, twitter
    from flask_dance.consumer.backend.sqla import SQLAlchemyBackend, OAuthConsumerMixin
    from werkzeug.contrib.fixers import ProxyFix
    
    
    app = Flask(__name__)
    app.secret_key = environ.get('FLASK_SECRET_KEY')
    app.wsgi_app = ProxyFix(app.wsgi_app)
    app.config.from_object('config.Config')
    
    db = SQLAlchemy(app)
    migrate = Migrate(app, db)
    
    class OAuth(OAuthConsumerMixin, db.Model):
        pass
    
    twitter_blueprint = make_twitter_blueprint(
        api_key=app.config['TWITTER_CONSUMER_KEY'],
        api_secret=app.config['TWITTER_CONSUMER_SECRET'],
    )
    twitter_blueprint.backend = SQLAlchemyBackend(OAuth, db.session)
    app.register_blueprint(twitter_blueprint, url_prefix='/login')
    
    
    @app.route('/')
    def index():
        username = None
        if twitter.authorized:
            resp = twitter.get('account/settings.json')
            username = resp.json()['screen_name']
        return render_template('index.html', username=username)
    

    Steps:

    1. Open two separate browser sessions
    2. In both sessions, navigate to server:5000, homepage shows a login link {{ url_for('twitter.login') }}
    3. On browser A, perform Twitter authentication dance
    4. Redirect back to homepage, username is rendered correctly, inspecting the SQL database, the oauth tokens are indeed saved correctly for the user
    5. On browser B refresh homepage, username is now populated with the login session from browser A

    Other notes:

    • Happens on all environments, both with and without flask debug mode, as well as running through gunicorn
    • Backend database is a postgreSQL instance
    • Flask 1.0.2, Flask-dance 1.0.0, Python 3.7
    • Adding user_required=False as a param to SQLAlchemyBackend doesn't change this behavior

    This is no doubt a serious potential security bug. Either the library is behaving in an unexpected way, or I'm doing something wrong, and hitting a pitfall, in which case the documentation probably should be updated to warn about this behavior.

    opened by yuvadm 20
  • Okta provider not working

    Trying to use the Okta provider (which doesn't have an example to follow)

    import os
    from flask import Flask, redirect, url_for
    from flask_dance.contrib.okta import make_okta_blueprint, okta
    from flask_dotenv import DotEnv
    
    app = Flask(__name__)
    env = DotEnv(app)
    
    app.secret_key = os.environ.get("FLASK_SECRET_KEY", "supersekrit")
    okta_bp = make_okta_blueprint(
        client_id=app.config["OKTA_OAUTH_CLIENT_ID"],
        client_secret=app.config["OKTA_OAUTH_CLIENT_SECRET"],)
    app.register_blueprint(okta_bp, url_prefix="/login")
    
    
    @app.route("/")
    def index():
        if not okta.authorized:
            return redirect(url_for("okta.login"))
        resp = okta.get("/user")
        assert resp.ok
        return "You are @{login} on Okta".format(login=resp.json()["login"])
    
    
    if __name__ == "__main__":
        app.run(debug=True, use_reloader=True)
    

    Gives me the following error:

    builtins.AttributeError
    AttributeError: 'NoneType' object has no attribute 'lower'
    
    Traceback (most recent call last)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 2328, in __call__
    return self.wsgi_app(environ, start_response)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 2314, in wsgi_app
    response = self.handle_exception(e)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 1760, in handle_exception
    reraise(exc_type, exc_value, tb)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\_compat.py", line 36, in reraise
    raise value
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 2311, in wsgi_app
    response = self.full_dispatch_request()
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 1834, in full_dispatch_request
    rv = self.handle_user_exception(e)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 1737, in handle_user_exception
    reraise(exc_type, exc_value, tb)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\_compat.py", line 36, in reraise
    raise value
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 1832, in full_dispatch_request
    rv = self.dispatch_request()
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask\app.py", line 1818, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\flask_dance\consumer\oauth2.py", line 201, in login
    self.authorization_url, state=self.state, **self.authorization_url_params
    File "C:\work\python\okta-flask-example\env\lib\site-packages\requests_oauthlib\oauth2_session.py", line 158, in authorization_url
    **kwargs), state
    File "C:\work\python\okta-flask-example\env\lib\site-packages\oauthlib\oauth2\rfc6749\clients\web_application.py", line 90, in prepare_request_uri
    redirect_uri=redirect_uri, scope=scope, state=state, **kwargs)
    File "C:\work\python\okta-flask-example\env\lib\site-packages\oauthlib\oauth2\rfc6749\parameters.py", line 70, in prepare_grant_uri
    if not is_secure_transport(uri):
    File "C:\work\python\okta-flask-example\env\lib\site-packages\oauthlib\oauth2\rfc6749\utils.py", line 94, in is_secure_transport
    return uri.lower().startswith('https://')
    AttributeError: 'NoneType' object has no attribute 'lower'
    

    because self.authorization_url is empty.

    Any ideas?

    opened by RichardCullen 19
  • Flask dance with twitch API

    I have been trying to use flask-dance for Twitch API via OAuth2ConsumerBlueprint. The requests seem to fail since Twitch API expects client ID in request headers.

    DEBUG:requests_oauthlib.oauth2_session:Supplying headers {u'Authorization': u'Bearer XXXXXX'} and data None
    DEBUG:requests_oauthlib.oauth2_session:Passing through key word arguments {'allow_redirects': True}.
    DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.twitch.tv
    DEBUG:urllib3.connectionpool:https://api.twitch.tv:443 "GET /user HTTP/1.1" 302 154
    DEBUG:urllib3.connectionpool:https://api.twitch.tv:443 "GET /kraken/base HTTP/1.1" 400 96
    {u'status': 400, u'message': u'No client id specified', u'error': u'Bad Request'}
    

    I have tried manually setting the headers and it seems to succeed (even though it leaves new questions for me). I can not see how I can set custom headers. Is it possible?

    opened by chanux 19
  • authorized_url is http, not https:

    I'm calling flask-dance with make_slack_blueprint, and the URL flask-dance sends to Slack as the authorized_url is

    "http://mydomain.com/login/slack/authorized"

    instead of the proper

    "https://mydomain.com/login/slack/authorized"

    This means the call fails on my production server since I did not set the insecure HTTPS env variable there (and shouldn't).

    How do I get flask dance to pass the https URL for the authorized_url? If I try to specify an absolute path as the authorized url then it gets treated as a relative path.

    blueprint_slack = make_slack_blueprint(
        client_id="sdfdsg242894452",
        client_secret="53019238021358rrgdf",
        scope=["identify", "chat:write:bot"],
        authorized_url='https://www.mydomain.com/login/slack/authorized',  # the setting in question
        redirect_url='/slack_authorized',
    )

    If it is meaningful:

    I'm running Flask 1.0+

    • with Flask-talisman 0 all URLs redirect to https:// and I have HSTS set
    • with a gunicorn server, with relevant https flags set in my gunicorn config file

    secure_proxy_ssl_header = ('HTTP_X_FORWARDED_PROTO', 'https')
    forwarded_allow_ips = '*'
    secure_scheme_headers = {'X-Forwarded-Proto': 'https'}
    x_forwarded_for_header = 'X-FORWARDED-FOR'

    PS: And yes, the client_id and secret above are bogus!

    opened by aardvark82 16
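
How a WSGI app behind a TLS-terminating proxy ends up building an http:// callback URL, and how the scheme can be taken from X-Forwarded-Proto only when the direct peer is a known proxy. This is an added illustration using only the standard library, not code from the post or from Flask-Dance; the middleware class, the helper names and both IP addresses are assumptions.

```python
from wsgiref.util import application_uri, setup_testing_defaults

CALLBACK_PATH = "/login/slack/authorized"  # callback path quoted in the post


def callback_app(environ, start_response):
    """Stand-in for the OAuth login view: returns the redirect URI it would
    send to the provider, built from the WSGI environ."""
    uri = application_uri(environ).rstrip("/") + CALLBACK_PATH
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [uri.encode("ascii")]


class TrustedProxyScheme:
    """Hypothetical middleware: honour X-Forwarded-Proto only when the direct
    peer is a known proxy, otherwise leave wsgi.url_scheme untouched."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        header = environ.get("HTTP_X_FORWARDED_PROTO", "")
        # With one proxy in front, the last value is the one it appended.
        proto = header.split(",")[-1].strip().lower()
        peer_is_proxy = environ.get("REMOTE_ADDR") in self.trusted_proxies
        if peer_is_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def redirect_uri_seen_by(app, remote_addr, forwarded_proto=None):
    """Send one constructed request through `app` and return its redirect URI."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "mydomain.com"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    setup_testing_defaults(environ)  # fills in the rest; scheme defaults to http
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode("ascii")


def run_scenarios():
    proxy = "10.0.0.5"        # constructed: address of the TLS-terminating proxy
    stranger = "203.0.113.9"  # constructed: client connecting directly
    wrapped = TrustedProxyScheme(callback_app, trusted_proxies={proxy})
    return {
        # The proxy spoke plain HTTP to the app, so the app sees "http".
        "no_middleware": redirect_uri_seen_by(callback_app, proxy, "https"),
        # Header accepted because it came from the trusted proxy.
        "trusted_proxy": redirect_uri_seen_by(wrapped, proxy, "https"),
        # Same header from an unknown peer is ignored.
        "untrusted_peer": redirect_uri_seen_by(wrapped, stranger, "https"),
    }


if __name__ == "__main__":
    for name, uri in run_scenarios().items():
        print(f"{name:15} {uri}")
```
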
  • Add option to allow CSRF attacks

    Fixes #191. Slack apps can be installed from the Slack app directory, which involves doing the OAuth dance starting from slack.com instead of from the Flask app. This is the same as a cross-site request forgery attack, but it is the expected behavior.

    Is there some way that we can narrow the scope of this vulnerability? Is there a reliable way to only bypass the state check for requests that were initiated by a subdomain of slack.com, for example? I don't know if Referer headers are reliable or not...

    opened by singingwolfboy 15
  • How does twitter.authorized know it's me?

    I don't really understand how I can log out, delete my cookie, then click the "Sign in with Twitter" button and it somehow knows who I am and just logs me in directly. twitter.authorized is evaluating to True, and I saw that the code that I think is evaluating to True is:

    bool(self._client.client.client_secret) and
    bool(self._client.client.resource_owner_key) and
    bool(self._client.client.resource_owner_secret)
    

    How can the session still have a resource_owner_key and resource_owner_secret after I've logged out, deleted my session cookie in Chrome, and restarted the server?

    opened by NathanWailes 14
  • Added Bitbucket provider

    Bitbucket requires HTTP Basic Authentication with client_id and client_secret to fetch tokens. OAuth2ConsumerBlueprint has been adjusted to pass through authentication details (object or tuple as expected by requests).

    A provider Bitbucket has been added.

    Test for new provider has been added.

    Documentation has been updated.

    opened by jsfan 13
  • Updated Azure to allow defining authorization_url_params

    I hope this is all okay. I have updated the Azure provider to allow someone to define authorization_url_params to pass additional data.

    Azure supports extra parameters such as prompt, login_hint and domain_hint

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#request-an-authorization-code

    opened by gchq83514 11
  • client_id and client_secret required for Meetup

    Thanks very much for writing this package. Should make flask projects a lot tidier!

    I'm having an issue with the Meetup blueprint, and I can't figure out what's up. I've taken the flask-dance-github project as a test (and confirmed it works fine with Github) and modified it minimally so it should work with Meetup. (Slightly different parameter names.) However I get the following error:

    127.0.0.1 - - [16/Mar/2019 01:16:15] "GET /login/meetup/authorized?code=<code>&state=<state> HTTP/1.1" 500 -
    Traceback (most recent call last):
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 2309, in __call__
        return self.wsgi_app(environ, start_response)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 2295, in wsgi_app
        response = self.handle_exception(e)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 1741, in handle_exception
        reraise(exc_type, exc_value, tb)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/_compat.py", line 35, in reraise
        raise value
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 2292, in wsgi_app
        response = self.full_dispatch_request()
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 1815, in full_dispatch_request
        rv = self.handle_user_exception(e)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 1718, in handle_user_exception
        reraise(exc_type, exc_value, tb)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/_compat.py", line 35, in reraise
        raise value
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 1813, in full_dispatch_request
        rv = self.dispatch_request()
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask/app.py", line 1799, in dispatch_request
        return self.view_functions[rule.endpoint](**req.view_args)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/flask_dance/consumer/oauth2.py", line 266, in authorized
        **self.token_url_params
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/requests_oauthlib/oauth2_session.py", line 307, in fetch_token
        self._client.parse_request_body_response(r.text, scope=self.scope)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 415, in parse_request_body_response
        self.token = parse_token_response(body, scope=scope)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 425, in parse_token_response
        validate_token_parameters(params)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 432, in validate_token_parameters
        raise_from_error(params.get('error'), params)
      File "/home/bob/projects/flask-dance-github/venv/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 405, in raise_from_error
        raise cls(**kwargs)
    oauthlib.oauth2.rfc6749.errors.InvalidClientIdError: (invalid_request) client_id and client_secret required
    

    I am being successfully redirected to the authorize endpoint on Meetup, and I accept, then I am quickly redirected back to /meetup/login/authorized. However it seems that the client_id and client_secret are not then being sent to the access endpoint on Meetup.

    Don't currently have a proxy to properly check the requests from flask. Any idea what the cause might be?

    Cheers.

    opened by electricworry 11
  • Make sqla backend know when to require a user

    This resolves the issue raised in #88, where Flask-Dance should have raised an exception instead of trying to create an OAuth token without an associated user. This changes the SQLAlchemy backend to take a new optional argument: require_user. When set to True, the backend will not allow OAuth tokens to be created without an associated user. This argument is True by default when an argument is passed for user or user_id.

    @NathanWailes, can you take a look at this, and let me know if the functionality is what you had in mind?

    opened by singingwolfboy 11
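
The "Wrong session usage" report above and the require_user change described here both come down to what the token lookup is keyed on. The following is a simplified model added for illustration, not Flask-Dance's code: the table layout, both storage classes, the `user_id` session key and the error text are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE oauth (
    id INTEGER PRIMARY KEY,
    provider TEXT NOT NULL,
    user_id INTEGER,          -- NULL when the storage was given no user
    token TEXT NOT NULL
)
"""


class ProviderOnlyStorage:
    """Hypothetical storage with no user: the provider name is its only key."""

    def __init__(self, db, provider):
        self.db, self.provider = db, provider

    def set(self, browser_session, token):
        self.db.execute("DELETE FROM oauth WHERE provider = ?", (self.provider,))
        self.db.execute(
            "INSERT INTO oauth (provider, user_id, token) VALUES (?, NULL, ?)",
            (self.provider, token),
        )

    def get(self, browser_session):
        # The browser session is never consulted, so every visitor matches.
        row = self.db.execute(
            "SELECT token FROM oauth WHERE provider = ? ORDER BY id DESC LIMIT 1",
            (self.provider,),
        ).fetchone()
        return row[0] if row else None


class UserScopedStorage:
    """Hypothetical storage keyed on (provider, user); refuses anonymous writes."""

    def __init__(self, db, provider, current_user_id):
        self.db, self.provider = db, provider
        self.current_user_id = current_user_id  # callable: session -> id or None

    def set(self, browser_session, token):
        user_id = self.current_user_id(browser_session)
        if user_id is None:
            raise ValueError("Cannot set OAuth token without an associated user")
        self.db.execute(
            "DELETE FROM oauth WHERE provider = ? AND user_id = ?",
            (self.provider, user_id),
        )
        self.db.execute(
            "INSERT INTO oauth (provider, user_id, token) VALUES (?, ?, ?)",
            (self.provider, user_id, token),
        )

    def get(self, browser_session):
        user_id = self.current_user_id(browser_session)
        if user_id is None:
            return None  # nobody logged in on this browser: no token
        row = self.db.execute(
            "SELECT token FROM oauth WHERE provider = ? AND user_id = ?",
            (self.provider, user_id),
        ).fetchone()
        return row[0] if row else None


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def run_scenario():
    browser_a = {"user_id": 1}  # constructed: session of a logged-in local user
    browser_b = {}              # constructed: fresh browser, nobody logged in
    results = {}

    shared = ProviderOnlyStorage(new_db(), "twitter")
    shared.set(browser_a, "token-for-A")
    results["provider_only_b_sees"] = shared.get(browser_b)

    scoped = UserScopedStorage(new_db(), "twitter", lambda s: s.get("user_id"))
    scoped.set(browser_a, "token-for-A")
    results["scoped_a_sees"] = scoped.get(browser_a)
    results["scoped_b_sees"] = scoped.get(browser_b)
    try:
        scoped.set(browser_b, "token-for-B")
        results["anonymous_write"] = "stored"
    except ValueError:
        results["anonymous_write"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:22} {value}")
```
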
  • Adds base_url to allow different data center usage

    Gives the ability to change base_url, currently, it defaults to the US data center (https://api.nylas.com/) but customers in EU are unable to make requests since the EU data center is at (https://ireland.api.nylas.com)

    opened by ajay-k 6
  • Failing tests/fixtures/test_pytest.py in the Debian build

    Hello,

    Thank you very much for your work on this! However, whilst trying to package this module for Debian, I seem to run into this test failure around fixtures:

    I: pybuild base:239: python3-coverage run -m pytest
    ============================= test session starts ==============================
    platform linux -- Python 3.10.6, pytest-7.1.2, pluggy-1.0.0+repack
    rootdir: /<<PKGBUILDDIR>>
    plugins: mock-3.8.2, betamax-0.8.1
    collected 192 items
    
    tests/test_utils.py ..                                                   [  1%]
    tests/consumer/test_oauth1.py ....................                       [ 11%]
    tests/consumer/test_oauth2.py ........................                   [ 23%]
    tests/consumer/test_requests.py ..........                               [ 29%]
    tests/consumer/storage/test_sqla.py ............                         [ 35%]
    tests/contrib/test_atlassian.py ......                                   [ 38%]
    tests/contrib/test_authentiq.py ....                                     [ 40%]
    tests/contrib/test_azure.py .......                                      [ 44%]
    tests/contrib/test_digitalocean.py .....                                 [ 46%]
    tests/contrib/test_discord.py ....                                       [ 48%]
    tests/contrib/test_dropbox.py ........                                   [ 53%]
    tests/contrib/test_facebook.py .....                                     [ 55%]
    tests/contrib/test_fitbit.py ...                                         [ 57%]
    tests/contrib/test_github.py ...                                         [ 58%]
    tests/contrib/test_gitlab.py ......                                      [ 61%]
    tests/contrib/test_google.py .............                               [ 68%]
    tests/contrib/test_heroku.py ...                                         [ 70%]
    tests/contrib/test_jira.py .......                                       [ 73%]
    tests/contrib/test_linkedin.py ...                                       [ 75%]
    tests/contrib/test_meetup.py ....                                        [ 77%]
    tests/contrib/test_nylas.py ...                                          [ 79%]
    tests/contrib/test_osm.py ...                                            [ 80%]
    tests/contrib/test_reddit.py ....                                        [ 82%]
    tests/contrib/test_salesforce.py ........                                [ 86%]
    tests/contrib/test_slack.py .........                                    [ 91%]
    tests/contrib/test_spotify.py ...                                        [ 93%]
    tests/contrib/test_strava.py ...                                         [ 94%]
    tests/contrib/test_twitch.py ...                                         [ 96%]
    tests/contrib/test_twitter.py ...                                        [ 97%]
    tests/contrib/test_zoho.py ...                                           [ 99%]
    tests/fixtures/test_pytest.py E                                          [100%]
    
    ==================================== ERRORS ====================================
    _______________________ ERROR at setup of test_home_page _______________________
    file /<<PKGBUILDDIR>>/tests/fixtures/test_pytest.py, line 44
      @pytest.mark.usefixtures("betamax_record_flask_dance")
      def test_home_page(app):
    E       fixture 'betamax_record_flask_dance' not found
    >       available fixtures: app, betamax_parametrized_recorder, betamax_parametrized_session, betamax_recorder, betamax_session, cache, capfd, capfdbinary, caplog, capsys, capsysbinary, class_mocker, doctest_namespace, flask_dance_sessions, mocker, module_mocker, monkeypatch, package_mocker, pytestconfig, record_property, record_testsuite_property, record_xml_attribute, recwarn, responses, session_mocker, tmp_path, tmp_path_factory, tmpdir, tmpdir_factory
    >       use 'pytest --fixtures [testpath]' for help on them.
    
    

    D'you have any idea how to get this working? TIA! \o/

    opened by utkarsh2102 8
  • Oauth using github gives page not found

    Redirects 404 page.

    @app.route('/github')
    def github_login():
        if not github.authorized:
            return redirect(url_for('github.login'))
    
        account_info = github.get('/user')
    
        if account_info.ok:
            account_info_json = account_info.json()
    
            return '<h1>Your Github name is {}</h1>'.format(account_info_json['login'])
    
        return '<h1>Request failed!</h1>'
    
    opened by blpraveen 2
  • getting flask-dance to auto refresh my expired tokens

    Hi,

    I'm using the fitbit flask-dance contributed module. All is good, but when my token expires, then i would like to configure flask-dance and requests-oauthlib to automatically refresh the token if expired.

    To do that with fitbit oauth, i use the same token url, but need to supply it with different body:

    Authorization: Basic Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=refresh_token&refresh_token=abcdef01234567890abcdef01234567890abcdef01234567890abcdef0123456
    

    The authorization header is "Basic " + base64 encoded "client_id:client_secret". the body has grant_type and includes the refresh token.

    I see that requests_oauthlib does have the mechanism to automatically refresh the token, see https://github.com/requests/requests-oauthlib/blob/master/requests_oauthlib/oauth2_session.py#L405 for example.

    and it does check for expired tokens.

    my question is: how can i configure the flask-dance fitbit module so that it does the right thing. All i see are two parameters, fitbit_bp.auto_refresh_url and fitbit_bp.auto_refresh_kwargs (see https://github.com/singingwolfboy/flask-dance/blob/main/flask_dance/contrib/fitbit.py )

    i set fitbit_bp.auto_refresh_url to the current url for refreshing the tokens, and i tried setting fitbit_bp.auto_refresh_kwargs in a few different ways, but i'm just not getting a valid response.

    any help is greatly appreciated. thanks in advance...

    k

    opened by lila 2
  • CSRF Warning! State not equal in request and response.

    I found this issue when trying to localtunneling for testing my local env. In local env, everything works ok.

    But concerned in production for someone else spotted this too: https://community.auth0.com/t/non-google-users-need-to-login-twice-due-to-csrf-error/77958

    https://github.com/lepture/authlib/issues/376

    oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state) CSRF Warning! State not equal in request and response.

    I have redirect failing:

    opened by gg4u 1
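
What the state check behind this error compares, and why a flow that starts at the provider (the Slack app directory case in "Add option to allow CSRF attacks" above) cannot pass it. This is an added standard-library sketch, not code from Flask-Dance or oauthlib; the session key, function names, URLs and client id are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

STATE_KEY = "oauth_state"  # assumed name of the per-browser session entry


class MismatchingState(Exception):
    """State in the callback is not the one this session issued."""


def begin_login(session, authorization_url, client_id, redirect_uri):
    """Start the dance: bind a fresh random state to this browser session."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authorization_url}?{query}"


def handle_callback(session, callback_url):
    """Finish the dance: return the code only if the state round-tripped."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop(STATE_KEY, None)  # single use, even on failure
    if expected is None or not hmac.compare_digest(
        expected.encode(), returned.encode()
    ):
        raise MismatchingState("state not equal in request and response")
    return params["code"][0]


def provider_redirect(login_url, code):
    """Constructed stand-in for the provider: echo the state back with a code."""
    sent = parse_qs(urlparse(login_url).query)
    query = urlencode({"code": code, "state": sent["state"][0]})
    return f"{sent['redirect_uri'][0]}?{query}"


def outcome(session, callback_url):
    try:
        return handle_callback(session, callback_url)
    except MismatchingState:
        return "rejected"


def run_scenarios():
    auth_url = "https://provider.example/oauth/authorize"      # constructed
    redirect_uri = "https://app.example/login/slack/authorized"  # constructed
    client_id = "constructed-client-id"
    results = {}

    # 1. Same browser session starts and finishes the flow.
    session = {}
    login_url = begin_login(session, auth_url, client_id, redirect_uri)
    callback = provider_redirect(login_url, "code-1")
    results["same_session"] = outcome(session, callback)

    # 2. The same callback URL presented again: the state was already used.
    results["replayed"] = outcome(session, callback)

    # 3. Callback lands in a session that did not start the flow
    #    (for example, the session cookie was not sent back).
    started_elsewhere = begin_login({}, auth_url, client_id, redirect_uri)
    results["different_session"] = outcome(
        {}, provider_redirect(started_elsewhere, "code-2")
    )

    # 4. Flow started at the provider: no state was ever issued by the app.
    results["provider_initiated"] = outcome({}, redirect_uri + "?code=code-3")
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:20} {value}")
```
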
  • Set response_type while using custom provider

    I was wondering if there is any way to setup response_type while using custom provider. The provider I am using only supports implicit flow hence the requirement. Thanks

    opened by montumodi 0
Releases(v6.2.0)
Owner
David Baumgold
Web developer and technical trainer. Python and Javascript both inspire great ❤️ and great 😭. He/him