django - Pythons Social Auth for Spotify: redirect is missing 'state' parameter -
i implementing python social auth in django app needs access user's spotify account. initial step in auth flow works: request sent spotify's '/authorize' endpoint , user presented modal explaining scopes of access app authorized. but, when app's redirect uri requested ('/completed/spotify/') exception raised:
authmissingparameter @ /complete/spotify/ missing needed parameter state request method: request url: http://127.0.0.1:8000/complete/spotify/ django version: 1.8.2 exception type: authmissingparameter exception value: missing needed parameter state exception location: /users/brandon/envs/group_playlist_generator/lib/python2.7/site-packages/social/backends/oauth.py in validate_state, line 86 python executable: /users/brandon/envs/group_playlist_generator/bin/python python version: 2.7.9 python path: ['/users/brandon/dev/group_playlist_generator', '/users/brandon/envs/group_playlist_generator/lib/python27.zip', '/users/brandon/envs/group_playlist_generator/lib/python2.7', '/users/brandon/envs/group_playlist_generator/lib/python2.7/plat-darwin', '/users/brandon/envs/group_playlist_generator/lib/python2.7/plat-mac', '/users/brandon/envs/group_playlist_generator/lib/python2.7/plat-mac/lib-scriptpackages', '/users/brandon/envs/group_playlist_generator/lib/python2.7/lib-tk', '/users/brandon/envs/group_playlist_generator/lib/python2.7/lib-old', '/users/brandon/envs/group_playlist_generator/lib/python2.7/lib-dynload', '/usr/local/cellar/python/2.7.9/frameworks/python.framework/versions/2.7/lib/python2.7', '/usr/local/cellar/python/2.7.9/frameworks/python.framework/versions/2.7/lib/python2.7/plat-darwin', '/usr/local/cellar/python/2.7.9/frameworks/python.framework/versions/2.7/lib/python2.7/lib-tk', '/usr/local/cellar/python/2.7.9/frameworks/python.framework/versions/2.7/lib/python2.7/plat-mac', '/usr/local/cellar/python/2.7.9/frameworks/python.framework/versions/2.7/lib/python2.7/plat-mac/lib-scriptpackages', '/users/brandon/envs/group_playlist_generator/lib/python2.7/site-packages'] this question may function of experience auth in general in context of django. i've read through relevant parts of psa's source code not understand how 'state' parameter gets passed around between spotify , app. see param added original request spotify not sure how ensure gets passed redirect uri and/or if there other considerations regarding 'state' such storing somewhere. advice welcome.
i've read through relevant parts of psa's source code not understand how 'state' parameter gets passed around between spotify , app.
when using authorization code flow or implicit grant flow in oauth 2.0, optional state value can appended authorize url. if state sent api provider, it's appended in response application making request part of redirect. purpose of state prevent cross site request forgery (csrf) attacks.
from spotify's authorization guide authorization code flow:

as can see in image, state sent spotify's accounts service in #1, , passed application in #3. @ point, application double-checks state has same value sent during #1. if isn't same value, has tried access application's redirect uri directly instead of being redirected spotify's accounts service.
i see param added original request spotify not sure how ensure gets passed redirect uri
given you're on version 0.2.10 of python social auth, state parameter read here, , exception raised here, looks state parameter never passed application. reason wouldn't passed state never sent spotify's accounts service. please debug , double check state part of response query parameters, , it's part of request query parameters. if request has state, there should state set in response well. if python social auth allows opt-out of using state, i'd try @ least trouble-shooting.
Comments
Post a Comment