flask OAuth State not equal in request and response

Time: 10-21

I'm trying to authenticate users via Gmail OAuth on Flask. Sometimes users authenticate successfully, then sometimes I get the error "State not equal in request and response." Please note that refreshing the callback page fixes the error.

from flask import abort, redirect, request, session, url_for
import cachecontrol
import google.auth.transport.requests
import requests
from google.oauth2 import id_token

# `auth` (the Blueprint), `flow` (the google_auth_oauthlib Flow), `col_users`
# (the users collection) and GOOGLE_CLIENT_ID are defined elsewhere in the app.

@auth.route('/login', methods=['POST','GET'])
def login():
    if 'google_id' in session:
        if col_users.count_documents({'google_id': session["google_id"], 'admin' : 1}) == 1:
            return redirect(url_for('adm.administration'))
        else:
            return redirect(url_for('dash.add_item'))
    # The state is generated by the shared module-level flow object and stored in this user's session.
    authorization_url, state = flow.authorization_url()
    session['state'] = state
    session.modified = True
    return redirect(authorization_url)

@auth.route('/callback', methods=['POST','GET'])
def callback():
    # fetch_token compares the state in the callback URL with the state the shared
    # flow object last issued; this is where oauthlib raises
    # "State not equal in request and response."
    flow.fetch_token(authorization_response=request.url)

    if session['state'] != request.args.get('state'):
        abort(500)
    
    credentials = flow.credentials
    request_session = requests.session()
    cached_session = cachecontrol.CacheControl(request_session)
    token_request = google.auth.transport.requests.Request(session=cached_session)

    id_info = id_token.verify_oauth2_token(
        id_token = credentials._id_token,
        request = token_request,
        audience = GOOGLE_CLIENT_ID
    )

    session['google_id'] = id_info['email']
    session['name'] = id_info['name']
    session.modified = True
    if col_users.count_documents({'google_id' : session['google_id'], 'admin' : 1}) == 1:
        return redirect(url_for('adm.administration'))
    else:
        return redirect(url_for('dash.add_item'))

CodePudding user response:

Most probably this is due to parallel requests coming in that each create their own authentication request towards the Provider with a different state parameter. Upon return there could be a mismatch of the state/response with the "other" request. You may want to look into avoiding those requests.
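To show the race this answer describes, here is an added simulation (not the poster's code and not google_auth_oauthlib itself): `FlowStandIn` is a constructed stand-in for a module-level flow object that remembers only the last state it issued, and the two `callback_*` functions contrast the poster's pattern with one that checks the state against the caller's own session and builds a per-request flow bound to it.

```python
import hmac
import secrets

class FlowStandIn:
    """Constructed stand-in for a Flow object: it remembers the last `state` it
    issued and compares it on the callback, which is where the real library
    raises "State not equal in request and response."."""
    def __init__(self, state=None):
        self.state = state

    def authorization_url(self):
        self.state = secrets.token_urlsafe(16)
        return "https://accounts.google.com/o/oauth2/auth?state=" + self.state, self.state

    def fetch_token(self, returned_state):
        if not hmac.compare_digest(self.state or "", returned_state or ""):
            raise ValueError("State not equal in request and response.")
        return {"access_token": "constructed-token"}

SHARED_FLOW = FlowStandIn()  # one object for every request, like a module-level `flow`

def login(session, flow):
    """/login: ask the flow for a URL and remember the state in this user's session."""
    url, session["state"] = flow.authorization_url()
    return url

def callback_shared(session, returned_state):
    """Poster's pattern: exchange with the shared flow, whose state may belong to someone else."""
    SHARED_FLOW.fetch_token(returned_state)
    return "ok"

def callback_per_request(session, returned_state):
    """Fix: compare the callback state with this session first, then bind a fresh flow to it."""
    expected = session.pop("state", None)  # single use: a replayed callback fails
    if expected is None or not hmac.compare_digest(expected, returned_state or ""):
        raise PermissionError("state mismatch: possible CSRF or stale session")
    FlowStandIn(state=expected).fetch_token(returned_state)
    return "ok"

def interleaved_logins(callback):
    """Two users start a login before either finishes; user A's callback arrives first."""
    session_a, session_b = {}, {}
    login(session_a, SHARED_FLOW)
    login(session_b, SHARED_FLOW)  # overwrites SHARED_FLOW.state with B's value
    try:
        return callback(session_a, session_a["state"])
    except ValueError as exc:
        return str(exc)
```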

CodePudding user response:

Fixed the issue by using the new updated flask-session module: flask-sessionstore