im trying to authenticate users via gmail OAuth on flask, sometimes users authenticate successfully, then sometimes i get the error "State not equal in request and response." please note that refreshing the callback page fixes the problem error
@auth.route('/login', methods=['POST','GET'])
def login():
if 'google_id' in session:
if col_users.count_documents({'google_id': session["google_id"], 'admin' : 1}) == 1:
return redirect(url_for('adm.administration'))
else:
return redirect(url_for('dash.add_item'))
authorization_url, state = flow.authorization_url()
session['state'] = state
session.modified = True
return redirect(authorization_url)
@auth.route('/callback', methods=['POST','GET'])
def callback():
flow.fetch_token(authorization_response=request.url)
if session['state'] != request.args.get('state'):
abort(500)
credentials = flow.credentials
request_session = requests.session()
cached_seession = cachecontrol.CacheControl(request_session)
token_request = google.auth.transport.requests.Request(session=cached_seession)
id_info = id_token.verify_oauth2_token(
id_token = credentials._id_token,
request = token_request,
audience = GOOGLE_CLIENT_ID
)
session['google_id'] = id_info['email']
session['name'] = id_info['name']
session.modified = True
if col_users.count_documents({'google_id' : session['google_id'], 'admin' : 1}) == 1:
return redirect(url_for('adm.administration'))
else:
return redirect(url_for('dash.add_item'))
CodePudding user response:
Most probably this is due to parallel requests coming in that each create their own authentication request towards the Provider with a different state parameter. Upon return there could be a mismatch of the state/response with the "other" request. You may want to look into avoiding those requests.
CodePudding user response:
fixed the issue by using the new updated flask-session module : flask-sessionstore