import html
import os

from flask import Flask, redirect, url_for, session, request, jsonify
from flask_oauthlib.client import OAuth


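app = Flask(__name__)
# The OAuth client credentials are read from the environment so the client
# secret is never committed with the source (the original literal for
# GOOGLE_SECRET was also not valid Python).
app.config['GOOGLE_ID'] = os.environ.get('GOOGLE_ID')
app.config['GOOGLE_SECRET'] = os.environ.get('GOOGLE_SECRET')
# Debug mode turns on the interactive debugger, which lets anyone who can
# reach the server run code in the process, so it is opt-in and off by default.
app.debug = os.environ.get('FLASK_DEBUG') == '1'
# The secret key signs the session cookie that stores 'google_token'. A
# guessable key such as 'development' would let a client forge that cookie.
# The random fallback is for local runs only: it changes on every start
# (dropping existing sessions) and differs between worker processes.
app.secret_key = os.environ.get('SECRET_KEY') or os.urandom(24)
oauth = OAuth(app)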

# Register Google as a remote OAuth application, asking only for the 'email'
# scope. request_token_url is None, presumably because Google is used as an
# OAuth 2 provider here and has no request-token step (confirm against the
# flask_oauthlib documentation).
google = oauth.remote_app(
    "google",
    base_url="https://www.googleapis.com/oauth2/v1/",
    authorize_url="https://accounts.google.com/o/oauth2/auth",
    access_token_url="https://accounts.google.com/o/oauth2/token",
    access_token_method="POST",
    request_token_url=None,
    request_token_params={"scope": "email"},
    # Credentials are looked up in the app config; .get() yields None when a
    # key is missing rather than raising at import time.
    consumer_key=app.config.get("GOOGLE_ID"),
    consumer_secret=app.config.get("GOOGLE_SECRET"),
)

@app.route('/')
def index():
    """Return the logged-in user's Google profile as JSON, or start the login.

    A session without 'google_token' is redirected to the login route.
    """
    if 'google_token' not in session:
        return redirect(url_for('login'))
    # google.get() uses the token supplied by the registered tokengetter.
    profile = google.get('userinfo')
    return jsonify({"data": profile.data})


@app.route('/login')
def login():
    """Start the Google authorization flow.

    The callback is the absolute URL of the 'authorized' route.
    """
    callback_url = url_for('authorized', _external=True)
    # NOTE(review): no `state` value is passed to authorize(), and nothing in
    # this file checks one on the callback. Confirm how the callback is
    # protected against cross-site request forgery.
    return google.authorize(callback=callback_url)


@app.route('/logout')
def logout():
    """Drop the stored Google token from the session and go back to the index.

    Only the local session entry is removed. Nothing here revokes the token
    at Google.
    """
    # pop() with a default, so logging out without a token does not raise.
    session.pop('google_token', None)
    home = url_for('index')
    return redirect(home)


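@app.route('/login/authorized')
def authorized():
    """Handle the OAuth callback from Google.

    On success the access token is stored in the session and the user's
    profile is returned as JSON. When no response is available, a plain
    "Access denied" message is returned instead.
    """
    resp = google.authorized_response()
    if resp is None:
        # The query string is attacker-controllable and the returned string is
        # served as HTML, so both values are escaped before being echoed back.
        # .get() is used because the provider may omit these parameters, and
        # indexing a missing key would turn the denial into a 400 error.
        reason = request.args.get('error_reason', 'unknown')
        description = request.args.get('error_description', 'unknown')
        return 'Access denied: reason=%s error=%s' % (
            html.escape(reason),
            html.escape(description)
        )
    # The token is kept as a (token, secret) tuple with an empty secret.
    session['google_token'] = (resp['access_token'], '')
    me = google.get('userinfo')
    return jsonify({"data": me.data})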


@google.tokengetter
def get_google_oauth_token():
    """Return the token stored in the session at login, or None if absent."""
    token = session.get('google_token')
    return token

When I log in via Google, my URL changes to something like this:

http://localhost:5000/login/authorized?code=4/U89v8kn76_zspiZUuZwdv01KuifACegxtt7NWBQLF3w#

What I want is the URL I gave as the callback:

http://localhost:5000/login/authorized

What should I do?

Andy K
Sonam

1 Answer


This sounds like expected behavior for the callback portion of the auth process.

What you want to do is redirect the user to the main route at the end of the authorized() function. A good way to think about it is that this function more or less "belongs" to the OAuth process: you just determine whether the process was successful and then redirect the user where they need to go.

I like to use Message Flashing to communicate with the user during this process.

example:

@app.route('/')
def index():
    """Render the index page for a logged-in user.

    A visitor without 'google_token' in the session gets a flashed notice
    and is redirected to the login route.
    """
    if 'google_token' in session:
        me = google.get('userinfo')
        return render_template("index.html", user=me)
    flash("Please log in to see this page")
    return redirect(url_for('login'))

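@app.route('/login/authorized')
def authorized():
    """Finish the OAuth callback, then redirect instead of rendering a page.

    On success the access token is stored in the session and the user is
    sent to the index route, so the callback URL and its `code` parameter do
    not stay in the address bar. On failure a message is flashed and the
    user is sent back to the login route.
    """
    resp = google.authorized_response()
    if resp is None:
        # .get() is used because the provider may omit these parameters, and
        # indexing a missing key would turn the denial into a 400 error.
        # NOTE(review): the values come from the query string. The template
        # that renders flashed messages is not shown here; it must leave
        # autoescaping on and not mark them as safe.
        flash("Access denied: reason={0} error={1}".format(
            request.args.get('error_reason', 'unknown'),
            request.args.get('error_description', 'unknown')
        ))
        return redirect(url_for("login"))
    # The token is kept as a (token, secret) tuple with an empty secret.
    session['google_token'] = (resp['access_token'], '')
    flash("Successful login!")  # superfluous, just for example
    return redirect(url_for("index"))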

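You should see here that the session key is present (e.g. the cryptocookie). Also, obviously, you should set the secret key with os.urandom(24), per the docs. Generate the value once and keep it outside the source; if it is regenerated on every start, existing sessions are invalidated.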

abigperson