requests-oauthlib
(insecure_transport) OAuth 2 MUST utilize https.
My site is fully SSL secured. Yet when I try to exchange the code I get this:
(insecure_transport) OAuth 2 MUST utilize https.
Chrome shows me the following message:
The page includes a form with a non-secure "action" attribute.
Yet I can't really figure out what the problem is. I double checked and the only requests I made are to the Google Apis which are fully secured.
My function looks like this:
```python
from django.conf import settings
from oauthlib.oauth2 import MissingCodeError


def exchange_code(request):  # /setup
    oauth = get_oauth()
    authorization_code = request.build_absolute_uri()
    try:
        token = oauth.fetch_token(
            'https://accounts.google.com/o/oauth2/token',
            authorization_response=authorization_code,
            client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)
    except MissingCodeError as error:
        return error_page(request, error)
```
What can be the problem?
I've removed everything from the function which could lead to the problem and squeezed all in one, I even hardcoded the URL like this:
```python
from django.conf import settings
from django.http import HttpResponse
from requests_oauthlib import OAuth2Session


def exchange_code(request):  # /setup
    scope = settings.GOOGLE_SCOPE
    client_id = settings.GOOGLE_OAUTH2_CLIENT_ID
    redirect_uri = 'https://analytic.localtunnel.me/setup'
    oauth = OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
    authorization_code = request.build_absolute_uri()
    try:
        token = oauth.fetch_token(
            'https://accounts.google.com/o/oauth2/token',
            authorization_response=authorization_code,
            client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)
        return HttpResponse(token)
    except Exception as error:
        return HttpResponse(error)
```
The issue is not caused by localtunnel, because it also happens on my dev server.
I arrived at the conclusion that this:
```python
token = oauth.fetch_token(
    'https://accounts.google.com/o/oauth2/token',
    authorization_response=authorization_code,
    client_secret=settings.GOOGLE_OAUTH2_CLIENT_SECRET)
```
causes Chrome to say "The page includes a form with a non-secure "action" attribute." However, I still don't know how to fix it. Any ideas?
My guess is that the form uses a http URL to submit the form. Want to check?
Hi @Lukasa thanks for helping. How do I check that?
The page is indeed "not fully protected", but it's because of the `oauth.fetch_token` call; if I remove it the page is fully protected. Check this screenshot: https://snag.gy/7y1Y6n.jpg
The problem still seems to be that the page is giving you a bad form. Look in the page source for a <form> tag that uses a HTTP (non-S) URL.
But the problem is that it is not even a webpage. It has no HTML. It's just a Django view which receives the code, exchanges it for a token, saves it and then redirects the user to an actual page.
This might be because of `authorization_code = request.build_absolute_uri()`. Have you tried printing it? It should contain "https", not "http". If it is not generating https, then replace the string. Worked for me:
```python
from django.core.cache import caches
from xero.auth import OAuth2Credentials

cred_state = caches['default'].get('xero_creds')
credentials = OAuth2Credentials(**cred_state)
auth_secret = request.get_raw_uri()
print(auth_secret)
credentials.verify(auth_secret)
credentials.set_default_tenant()
caches['mycache'].set('xero_creds', credentials.state)
```
```python
temp_var = request.build_absolute_uri()
if "http:" in temp_var:
    temp_var = "https:" + temp_var[5:]
```
It replaces "http:" with "https:".
Replacing http with https definitely works for me ... thanks @arun542 for the answer !!
This should help:
```python
import os
os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
```
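The two workarounds above (rewriting the scheme in the string, and setting `OAUTHLIB_INSECURE_TRANSPORT`) both paper over the same root cause: the app sits behind a TLS-terminating proxy, so `request.build_absolute_uri()` sees a plain-HTTP connection and returns an `http://` URL even though the browser used HTTPS. The example below is added here and is not code from this issue or from requests-oauthlib. It mirrors oauthlib's transport check (assumed to match `oauthlib.oauth2.rfc6749.utils.is_secure_transport`) and rebuilds the callback URL from `X-Forwarded-Proto`, trusting that header only when the direct peer is a known proxy; the proxy address and the WSGI environ dicts are constructed sample values.

```python
# Added example, not code from the requests-oauthlib issue or project.
import os
from urllib.parse import urlunsplit

# Constructed value: address of the reverse proxy that terminates TLS.
TRUSTED_PROXY_IPS = {"10.0.0.5"}


def is_secure_transport(uri):
    """Mirror of oauthlib's transport check (assumption: same semantics as
    oauthlib.oauth2.rfc6749.utils.is_secure_transport). The environment
    variable bypasses the check entirely; otherwise the URI must be https."""
    if os.environ.get("OAUTHLIB_INSECURE_TRANSPORT"):
        return True
    return uri.lower().startswith("https://")


def authorization_response_url(environ):
    """Rebuild the absolute callback URL from a WSGI environ dict.

    The proxy speaks plain HTTP to the app, so wsgi.url_scheme is "http";
    the browser's scheme survives only in X-Forwarded-Proto. That header is
    believed solely when the direct peer is a known proxy, which is the same
    rule Django applies through SECURE_PROXY_SSL_HEADER.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    forwarded = forwarded.split(",")[0].strip().lower()
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXY_IPS and forwarded == "https":
        scheme = "https"
    return urlunsplit((scheme, environ["HTTP_HOST"],
                       environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


def callback_url_for_fetch_token(environ):
    """Return the URL to pass as authorization_response, or fail the way
    oauthlib does (it raises InsecureTransportError with this message)."""
    url = authorization_response_url(environ)
    if not is_secure_transport(url):
        raise ValueError("(insecure_transport) OAuth 2 MUST utilize https.")
    return url


# Constructed WSGI environ for the /setup callback described in the issue,
# as the app sees it when the request arrives through the trusted proxy.
BEHIND_PROXY = {
    "wsgi.url_scheme": "http",
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_HOST": "analytic.localtunnel.me",
    "PATH_INFO": "/setup",
    "QUERY_STRING": "state=constructedstate&code=constructedcode",
}

# Same headers, but sent directly by an untrusted peer: the header is ignored,
# the URL stays http:// and the exchange is refused.
DIRECT_HTTP = dict(BEHIND_PROXY, REMOTE_ADDR="203.0.113.9")

if __name__ == "__main__":
    print(callback_url_for_fetch_token(BEHIND_PROXY))
    try:
        callback_url_for_fetch_token(DIRECT_HTTP)
    except ValueError as err:
        print("rejected:", err)
```

In Django the equivalent of the trusted-proxy rule is `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` in settings, combined with a proxy that overwrites that header on every incoming request; with that in place `request.build_absolute_uri()` already returns `https://` and neither the string replacement nor the environment variable is needed. `OAUTHLIB_INSECURE_TRANSPORT` switches the check off for the whole process, so it also silences it for every other OAuth flow running there.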
With the following solution, I could get past the error:
```python
https_authorization_url = request.url.replace('http://', 'https://')
flow.fetch_token(authorization_response=https_authorization_url)
```
it works! thanks!