4

I am confused. I am using the Django configuration for python-social-auth (spcefically social-auth-app-django v1.2.0) to get Google+ backend authentication working.

I get this error:

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://www.googleapis.com/plus/v1/people/me?access_token=XYZ123&alt=json

Social auth seems to be passing the param access_token but I don't know why since the docs say to pass to the backend the id_token. I have verified that what I'm getting is a valid id_token using this link: https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

Also, I verify that it is a NOT a valid access_token using this link: https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XYZ123

I mean, I'm doing what the python-social-apps docs and google's docs is telling me to do, and that is to pass id_token to the backend. Here's my js code:

<script src="https://apis.google.com/js/api:client.js"></script>
<script>
    var googleUser = {};
    var startApp = function() {
        gapi.load('auth2', function() {
            // Retrieve the singleton for the GoogleAuth library and set up the client.
            auth2 = gapi.auth2.init({
                client_id: '{{ google_plus_id }}',
                cookiepolicy: 'single_host_origin',
                // Request scopes in addition to 'profile' and 'email'
                scope: '{{ google_plus_scope }}',
            });
            attachSignin(document.getElementById('google-plus-button'));
        });
    };

    function attachSignin(element) {
        console.log(element.id);
        auth2.attachClickHandler(element, {},
            function(googleUser) {

                var authResponse = googleUser.getAuthResponse();
                var $form;
                var $input;

                $form = $("<form>");
                $form.attr("action", "/complete/google-plus/");
                $form.attr("method", "post");
                $input = $("<input>");
                $input.attr("name", "id_token");
                $input.attr("value", authResponse.id_token);
                console.log("ID Token: " + authResponse.id_token);
                $form.append($input);
                $(document.body).append($form);
                $form.submit();

            },
            function(error) {
                alert(JSON.stringify(error, undefined, 2));
            });
    }
</script>

<script>
    startApp();
</script>

Here's my settings:

AUTHENTICATION_BACKENDS = (
   ...
   'social_core.backends.google.GooglePlusAuth',
   ..
)
SOCIAL_AUTH_GOOGLE_PLUS_KEY = 'blahblah.apps.googleusercontent.com'
SOCIAL_AUTH_GOOGLE_PLUS_SECRET = 'shhhsecret'

SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = []

SOCIAL_AUTH_GOOGLE_PLUS_SCOPE = [
    "email",
    "profile"
]

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.user.create_user',
    # 'apps.django_social_app.pipeline.save_profile',  
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    'social.pipeline.debug.debug', # uncomment to print debug
)

Here the full trace:

Traceback (most recent call last):
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/contrib/staticfiles/handlers.py", line 63, in __call__
    return self.application(environ, start_response)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/core/handlers/wsgi.py", line 189, in __call__
    response = self.get_response(request)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/core/handlers/base.py", line 218, in get_response
    response = self.handle_uncaught_exception(request, resolver, sys.exc_info())
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/core/handlers/base.py", line 261, in handle_uncaught_exception
    return debug.technical_500_response(request, *exc_info)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django_extensions/management/technical_response.py", line 6, in null_technical_500_response
    six.reraise(exc_type, exc_value, tb)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/six.py", line 686, in reraise
    raise value
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_django/utils.py", line 50, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_django/views.py", line 32, in complete
    redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/base.py", line 39, in complete
    return self.auth_complete(*args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/utils.py", line 252, in wrapper
    return func(*args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/google.py", line 144, in auth_complete
    return self.do_auth(token, response=response, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/utils.py", line 252, in wrapper
    return func(*args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/oauth.py", line 403, in do_auth
    data = self.user_data(access_token, *args, **kwargs)
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/google.py", line 59, in user_data
    'alt': 'json'
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/base.py", line 227, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/social_core/backends/base.py", line 223, in request
    response.raise_for_status()
  File "/Users/paul/.pyenv/versions/dj-viewflow/lib/python3.4/site-packages/requests/models.py", line 929, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://www.googleapis.com/plus/v1/people/me?alt=json&access_token=XYZ123

What am I doing wrong? Help. :)

Update: This seems like an open issue in the social-core repo

https://github.com/python-social-auth/social-core/issues/61

This doesn't really solve my issue because unlike the solution in that link above, I need the user data because I need to record that in my database.

Update 2: This might be the culprit since it pass passes the id_token into the access_token parameter:

https://github.com/python-social-auth/social-core/commit/3b496bacef62d12dc1439431b64ed24e252f7a9a

Paul
  • 2,409
  • 2
  • 26
  • 29

2 Answers2

2

So this is very late but I figured it out. Better late than never, right?

So basically I ended up using Google People API instead of Google+ which was what was given me problems.

I had to go to console.developers.google.com -> "My project name" -> "Enable API" -> "People API"

After creating the people api, find the "Credentials" section then set "Authorized redirect URIs" to:

http://localhost:8000/complete/google-oauth2/

for prod: https://example.com/complete/google-oauth2/

settings.py

AUTHENTICATION_BACKENDS = (
     # ...
    'social_core.backends.google.GoogleOAuth2',
     # ...
    'django.contrib.auth.backends.ModelBackend',
)

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = 'thekey' # from People API
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = 'mysecretkey' # from People API

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    #'social_core.pipeline.debug.debug', # uncomment to print debug
)
Paul
  • 2,409
  • 2
  • 26
  • 29
0

Your update #2 is correct. The solution is to send the access_token under its own name. Instead of 

$input.attr("name", "id_token");
$input.attr("value", authResponse.id_token);

Use:

$input.attr("name", "access_token");
$input.attr("value", authResponse.access_token);

You can see in the original source that before it checks for the id_token (where the bug you linked to is), it checks for access_token.

Melissa Avery-Weir
  • 1,357
  • 2
  • 16
  • 47