2

I am trying to test OAuth2 authentication using Django 1.11.4 and Django OAuth Toolkit. After following the tutorial (like, literally verbatim) the consumer application on heroku refuses to exchange the code generated in order to grant me an authentication token with a non-specific error.

After much fiddling, I found out that even on DEBUG configuration the OAuth framework would throw an insecure transport protocol exception (as it was running through the local Django server, which uses http, not https). Thus I ported the web application to an apache instance which was SSL enabled, but still the consumer app throws me an unspecified error.

Please do note that I am following verbatim the tutorial outlined here and the heroku application, where I have my secret key and everything set up as shown in the docs. Although the authorization link (and database entry) is generated, when I go back to exchange the code for a token things fail, with a non-specific error. The result looks like this (the full server address is omitted due to obvious reasons).


Any idea on what might be wrong?

jtimz
  • 324
  • 3
  • 14

1 Answer

0

I have a similar error when using http for localhost, and I suspect that it is the same issue. I am using Chrome, and in the Network tab I can see that the POST to /o/token throws a CORS error. Looking into the JavaScript Console:

Access to XMLHttpRequest at 'http://localhost:8000/o/token/' from origin 'http://django-oauth-toolkit.herokuapp.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
POST http://localhost:8000/o/token/ net::ERR_FAILED

This is a Chrome security setting:

Block insecure private network requests.

Prevents non-secure contexts from making subresource requests to more-private IP addresses. See also: https://developer.chrome.com/blog/private-network-access-update/

This blocks http sites from accessing localhost. To remove that block (for testing purposes), open a browser tab with chrome://flags/#block-insecure-private-network-requests and disable the flag.

Interestingly enough the Heroku app supports https, which would solve the issue, but it incorrectly hardcodes the redirect url to http: http://django-oauth-toolkit.herokuapp.com/consumer/exchange/

MarcFasel
  • 1,080
  • 10
  • 19
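The Private Network Access rule the answer describes, modelled as an added example (not code from the question, the answer or Django OAuth Toolkit): it classifies the initiating origin and the target host by address space and reports whether Chrome's "block insecure private network requests" setting would reject the call. Hostnames other than localhost are assumed public so that it runs offline without DNS.

```python
"""Added example: a simplified model of Chrome's Private Network Access
check, showing why a plain-http Heroku page cannot POST to
http://localhost:8000/o/token/ while an https page could."""
import ipaddress
from urllib.parse import urlsplit

# Address spaces, ordered from least to most private.
PUBLIC, PRIVATE, LOCAL = 0, 1, 2


def address_space(host: str) -> int:
    """Classify a host as public, private (RFC 1918 / link-local) or local (loopback)."""
    if host == "localhost" or host.endswith(".localhost"):
        return LOCAL
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Assumption for an offline example: any other hostname resolves to a
        # public address (real browsers classify the resolved IP).
        return PUBLIC
    if ip.is_loopback:
        return LOCAL
    if ip.is_private or ip.is_link_local:
        return PRIVATE
    return PUBLIC


def is_secure_context(origin: str) -> bool:
    """https origins and loopback/localhost origins count as secure contexts."""
    parts = urlsplit(origin)
    return parts.scheme == "https" or address_space(parts.hostname or "") == LOCAL


def pna_blocks(origin: str, target_url: str) -> bool:
    """True when the flag rejects the request: the page is NOT a secure context
    and the target lives in a more-private address space than the page."""
    if is_secure_context(origin):
        return False
    origin_space = address_space(urlsplit(origin).hostname or "")
    target_space = address_space(urlsplit(target_url).hostname or "")
    return target_space > origin_space


if __name__ == "__main__":
    token_url = "http://localhost:8000/o/token/"
    for page in ("http://django-oauth-toolkit.herokuapp.com",
                 "https://django-oauth-toolkit.herokuapp.com"):
        print(page, "->", token_url, "blocked" if pna_blocks(page, token_url) else "allowed")
```

The first line of output reproduces the console error from the answer; the second shows why serving the consumer page over https (with an https redirect URL) would lift the block.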