OAuth2 Bug report

There is a bug in OAuth.
When I try to pass ‘+’ between scopes, it returns this error:
{"message":"InvalidScopeError(u'(invalid_scope) <oauthlib.Request url=\"http://[URL]/api/method/frappe.integrations.oauth2.authorize?client_id=19ee6f84cb&scope=all%2Bopenid&response_type=code&redirect_uri=http:%2F%2F127.0.0.1:8000\", http_method=\"GET\", headers=\"{u\\'X-Use-X-Accel-Redirect\\': u\\'True\\', u\\'Accept-Language\\': u\\'en-US,en;q=0.8,sq;q=0.6\\', u\\'X-Frappe-Site-Name\\': u\\'energychoice\\', u\\'X-Forwarded-For\\': u\\'[REMOVED]\\', u\\'Connection\\': u\\'close\\', u\\'Accept\\': u\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\\', u\\'User-Agent\\': u\\'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36\\', u\\'Host\\': u\\'[URL]\\', u\\'X-Forwarded-Proto\\': u\\'http\\', u\\'Cookie\\': u\\'io=tDwMskYM-3LkmAaIAAB9; user_image=\"https%3A//secure.gravatar.com/avatar/7b7bc2512ee1fedcd76bdc68926d4f7b%3Fd%3Dretro\"; user_id=Administrator; system_user=yes; full_name=Administrator; sid=f8eea22aa9ca8deb2763aea0391419decb0ccfe1a7f4cf81fe3ee071\\', u\\'Upgrade-Insecure-Requests\\': u\\'1\\', u\\'Accept-Encoding\\': u\\'gzip, deflate\\'}\", body=\"\">',)"}

This is the URL:
http://[URL]/api/method/frappe.integrations.oauth2.authorize?client_id=19ee6f84cb&scope=all+openid&response_type=code&redirect_uri=http://127.0.0.1:8000

So if I replace + with a space (e.g. scope=all openid), it works.

The thing is, I am using the rauth library and it generates the URL with ‘+’.

NOTE: I replaced the domain and IP with [URL] and [REMOVED] for security purposes.

I have opened issues on GitHub:
https://github.com/frappe/frappe/issues/4001
https://github.com/frappe/erpnext/issues/10549
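The encoding mismatch behind the error, as an added example (not code from the thread or from Frappe/rauth): RFC 6749 defines scope as a space-delimited list, and the same value comes out as "all+openid" or "all%20openid" depending on the encoder that builds the authorize URL, while what the server sees depends on whether its parser treats "+" as a space. The host and client_id are placeholders; the two decoder variants are illustrative models, not Frappe's actual parser.

```python
# Added example: client-side encoding choices for the OAuth2 "scope" parameter
# and two server-side decoding models that explain why "+" can be rejected.
from urllib.parse import urlencode, quote, parse_qs, unquote, urlsplit

# Constructed values; host and client_id are placeholders, not real ones.
AUTHORIZE_URL = "http://oauth.example/api/method/frappe.integrations.oauth2.authorize"
PARAMS = {
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "scope": "all openid",
    "response_type": "code",
    "redirect_uri": "http://127.0.0.1:8000",
}


def build_authorize_url(params, plus_for_space=True):
    """Build the authorize URL. urlencode() defaults to form encoding
    (space -> '+', the output the poster got from rauth); quote_via=quote
    percent-encodes the space instead (space -> '%20'), which every
    query-string parser decodes the same way."""
    if plus_for_space:
        query = urlencode(params)
    else:
        query = urlencode(params, quote_via=quote)
    return AUTHORIZE_URL + "?" + query


def scopes_form_decoder(url):
    """Server model A: a form-aware parser (parse_qs) maps '+' to a space,
    so both encodings yield the same scope list."""
    query = urlsplit(url).query
    return parse_qs(query)["scope"][0].split(" ")


def scopes_percent_only_decoder(url):
    """Server model B: a parser that only percent-decodes keeps '+' literal.
    'all+openid' is then one unknown scope and fails validation, which is
    the invalid_scope outcome described in the report."""
    query = urlsplit(url).query
    raw = dict(pair.split("=", 1) for pair in query.split("&"))
    return unquote(raw["scope"]).split(" ")


def scope_is_valid(scopes, allowed=("all", "openid")):
    """Authorization-server check: accept only scopes on the allow list."""
    return all(s in allowed for s in scopes)
```

Using quote_via=quote on the client removes the ambiguity regardless of which decoder the server uses.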

I’ve used rauth in the example I shared; it has scope without space.


In [4]: params = {'scope': 'openid all', 'response_type': 'code', 'redirect_uri': redirect_uri}

Somehow, at my end Postman, rauth and ScribeJava are working as expected.

Are you trying to redirect to the authorize URL through Python code?

Open that URL using a browser.
If there’s an existing session in the browser, it’ll redirect to the redirect URI with the code.

If there’s no session, log in and allow, then it’ll redirect to the redirect URI with the code.

The authorize URL is where the user has to click voluntarily, generally a button saying “login with Frappe”.

@revant_one This is the Python code that I have.

import json

from django.shortcuts import render
from rauth import OAuth2Service


def index(request):
    frappe_oauth_server = OAuth2Service(client_id="19ee6f84cb",
                                        client_secret=None,
                                        name="test",
                                        authorize_url="http://192.168.2.33/api/method/frappe.integrations.oauth2.authorize",
                                        access_token_url="http://192.168.2.33/api/method/frappe.integrations.oauth2.get_token",
                                        base_url="http://192.168.2.33/api/resource/")
    redirect_uri = 'http://127.0.0.1:8000'
    params = {'scope': 'openid all', 'response_type': 'code', 'redirect_uri': redirect_uri}

    # Link the user clicks to start the authorization code flow.
    url = frappe_oauth_server.get_authorize_url(**params)

    # The first visit has no ?code=...; only exchange the code once the
    # authorization server has redirected back with one.
    code = request.GET.get('code')
    session = None
    if code:
        data = {'code': code, 'grant_type': 'authorization_code', 'redirect_uri': redirect_uri}
        session = frappe_oauth_server.get_auth_session(data=data, decoder=json.loads)

    date_dict = {'url': url, 'id': code}

    return render(request, 'DjangoTest/index.html', context=date_dict)

This is the error:
Environment:

Request Method: GET
Request URL: http://127.0.0.1:8000/?code=j5tSHyIj9oCctVRwPOCJijKTTvvnnM

Django Version: 1.11.3
Python Version: 3.6.1
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'DjangoTest.apps.DjangotestConfig']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']



Traceback:

File "/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/json/decoder.py" in raw_decode
  355.             obj, end = self.scan_once(s, idx)

During handling of the above exception (0), another exception occurred:

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/Users/aldoec/PycharmProjects/DjangoT/DjangoTest/views.py" in index
  33.     session = frappe_oauth_server.get_auth_session(data=data, decoder=new_decoder)

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/rauth/service.py" in get_auth_session
  556.         session = self.get_session(self.get_access_token(method, **kwargs))

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/rauth/service.py" in get_access_token
  542.         access_token, = process_token_request(r, decoder, key)

File "/Users/aldoec/.virtualenvs/DjangoTest/lib/python3.6/site-packages/rauth/service.py" in process_token_request
  20.         data = decoder(r.content)

File "/Users/aldoec/PycharmProjects/DjangoT/DjangoTest/views.py" in new_decoder
  13.     return json.loads(payload.decode('utf-8'))

File "/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/json/__init__.py" in loads
  354.         return _default_decoder.decode(s)

File "/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/json/decoder.py" in decode
  339.         obj, end = self.raw_decode(s, idx=_w(s, 0).end())

File "/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/json/decoder.py" in raw_decode
  357.             raise JSONDecodeError("Expecting value", s, err.value) from None

Exception Type: JSONDecodeError at /
Exception Value: Expecting value: line 1 column 1 (char 0)

@revant_one
UPDATE: Fixed the error. I was logged in as Administrator. No one mentioned that I must not be logged in as Administrator. It would be better if you mention this and update the guidelines here (https://frappe.io/docs/user/en/guides/integration/using_oauth).
This is the response I get.

{
"token_type": "Bearer",
"id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6Imp3dCJ9.eyJpc3MiOiJodHRwOi8vMTY1LjIyNy43MC41OCIsImF0X2hhc2giOiJnek9Da1BpMm9xck5OaGhCc24xcmN3IiwiYXVkIjoiMTllZTZmODRjYiIsImV4cCI6MTUwMzY1MjU3Mywic3ViIjoiODE2YTgwMmVkMTVhMDJhNGVlNWZiNjI3YWY4MzM5YTllNGM2MzMzIn0.Ar4AeBprtD0YCPl-LtW1YQhPXEZ5Z2lJ5L4y8Ncs0Cs",
"access_token": "hBSGYISFPmqHOLgcNUtdYYKZP9jUjN",
"scope": "all openid",
"expires_in": 3600,
"refresh_token": "SFUG96D53ubZ0YhnKSa9DZWjhIF6ai"
}
