How to force redirect_uri to use HTTPS with python-social-app?

I am using the Django framework with python-social-app and get an error while trying to log in with the Facebook login button.

My app consists of three docker containers:

  1. Django app.
  2. Database.
  3. NGINX + SSL cert.

Here is my error:

Authentication process canceled: URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.

And here is the URL that I can see while trying to log in:

https://www.facebook.com/v2.9/dialog/oauth?client_id=247739632734206&redirect_uri=http%3A%2F%2Fwww.DOMAN_NAME.com%2Fcomplete%2Ffacebook%2F&state=7AySpKwDWAKtiIxP75LBIPqwQNWSu36y&return_scopes=true

The problem, as I can see it, is that redirect_uri starts with HTTP and not with HTTPS.

Django==2.2
social-auth-app-django==3.1.0
social-auth-core==3.1.0

My best guess about the problem is that the Django app doesn't "know" that it's running behind NGINX+SSL and generates the redirect_uri with the HTTP protocol instead of HTTPS.

The Facebook settings have the correct redirect URI, which starts with HTTPS. The problem is not specific to Facebook; the redirect_uri for Google has the same problem.

How can I force python-social to use HTTPS?

Archducal answered 14/5, 2019 at 11:46
23

What you should be looking for is to add the line below to the settings.py of your Django app.

SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

This way the redirect_uri created by django social will contain https.

As per the above answer, what you did instead was redirect the http traffic to https, which will still be an issue if you're trying to create an https-only server.

Ratcliff answered 9/7, 2019 at 17:59
3

What helped me was adding the following two lines to settings.py. SOCIAL_AUTH_REDIRECT_IS_HTTPS = True does not work for development, and also does not add https for logout redirects. Telling Django to look at the X_FORWARDED_HOST header solves all three cases.

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

From: https://mcmap.net/q/616463/-build_absolute_uri-with-https-behind-reverse-proxy

Pavilion answered 29/3, 2022 at 15:41
1

Here are the settings that helped me:

django settings:

# settings.py
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

nginx settings:

location / {
    # ... 
    proxy_set_header X-Forwarded-Proto $scheme;
}

source: How to deploy an HTTPS-only site, with Django/nginx?

Archducal answered 14/5, 2019 at 12:49
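The settings in the answers above can be compared side by side with a small stdlib-only model of how the callback URL gets its scheme and host. This is an added example, not code from Django, social-auth or any of the posts; the function names, the host www.example.com and the sample environs are assumptions made for illustration.

```python
# Simplified model (an assumption, not Django or social-auth source code) of how
# the callback URL's scheme and host are chosen from the WSGI environ.

def request_scheme(meta, secure_proxy_ssl_header=None):
    """Scheme the app believes the client used."""
    if secure_proxy_ssl_header:
        header, secure_value = secure_proxy_ssl_header
        value = meta.get(header)
        if value is not None:  # header present: it alone decides
            return "https" if value == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")  # scheme of the proxy-to-app hop

def request_host(meta, use_x_forwarded_host=False):
    """Host the app believes the client addressed."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        return meta["HTTP_X_FORWARDED_HOST"]
    return meta["HTTP_HOST"]

def redirect_uri(meta, path, secure_proxy_ssl_header=None,
                 use_x_forwarded_host=False, redirect_is_https=False):
    """Absolute callback URL that ends up in the provider's redirect_uri."""
    scheme = request_scheme(meta, secure_proxy_ssl_header)
    host = request_host(meta, use_x_forwarded_host)
    uri = f"{scheme}://{host}{path}"
    if redirect_is_https:  # models SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
        uri = uri.replace("http://", "https://")
    return uri

PROXY_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
PATH = "/complete/facebook/"

# Constructed environs: what the app container sees for one HTTPS request.
# TLS ends at NGINX, so the hop to the app is plain HTTP in both.
BARE = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com"}
FORWARDED = dict(BARE, HTTP_X_FORWARDED_PROTO="https")

if __name__ == "__main__":
    cases = [
        ("no settings", FORWARDED, {}),
        ("proxy header set, NGINX sends it", FORWARDED,
         {"secure_proxy_ssl_header": PROXY_HEADER}),
        ("proxy header set, NGINX silent", BARE,
         {"secure_proxy_ssl_header": PROXY_HEADER}),
        ("REDIRECT_IS_HTTPS only", BARE, {"redirect_is_https": True}),
    ]
    for label, meta, opts in cases:
        print(f"{label:34} {redirect_uri(meta, PATH, **opts)}")
```

The header value is trusted as received, so NGINX must set X-Forwarded-Proto on every request, as the proxy_set_header line above does, and the app container should only be reachable through the proxy.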
