Login/Register
Getting "AuthStateMissing ... Session value state missing." when going to callback URI when using AtlassianOAuth2 with Django
Asked Answered
djangooauthdjango-authenticationjira-rest-apipython-social-auth
M

1

6

I was trying to setup oauth2 authentication in a Django app. Here's my settings:

*other parts ommited*
# AUTH STUFF

AUTHENTICATION_BACKENDS = (
    'social_core.backends.atlassian.AtlassianOAuth2',
    'django.contrib.auth.backends.ModelBackend',
)

SOCIAL_AUTH_ATLASSIAN_KEY = ' *my atlassian key here* '
SOCIAL_AUTH_ATLASSIAN_KEY_SECRET = ' *my atlassian secret key here* '
LOGIN_URL = '/auth/login/atlassian-oauth2'
LOGIN_REDIRECT_URL = '/'
LOGOUT_REDIRECT_URL = '/'
SOCIAL_AUTH_URL_NAMESPACE = 'social'

SESSION_COOKIE_SECURE = False
# i had to do that^, based on what i have read from
# https://mcmap.net/q/1468767/-session-value-missing-after-redirect-with-django-python-social-auth
# but it still doesn't work, sadly...

And then here's my view for the login page:

def index(request):
    session_id = request.session.session_key
    session_id = hashlib.sha256(str(session_id).encode('utf-8')).hexdigest()
    auth_url = 'https://auth.atlassian.com/authorize?audience=api.atlassian.com&client_id=*my_client_id_here*&scope=read%3Ajira-user%20read%3Ajira-work%20manage%3Ajira-project&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplete%2Fatlassian%2F&state=$'+ session_id +'&response_type=code&prompt=consent'
    print(auth_url)
    context = {
        'message': 'You are now authenticated'
        if request.user.is_authenticated else 'You are not authenticated',
        'auth_url': auth_url
    }
    return render(request, 'core/home.html', context)

to explain the stuff below --

the url that I used for Authorization grant before was just:
<a href="{% url "social:begin" "* name of backend here *" %}">
which is from the docs https://python-social-auth-docs.readthedocs.io/en/latest/configuration/django.html.
It worked for facebook and google for me - but not with atlassian. So I checked the guide for the atlassian oauth2 (https://developer.atlassian.com/cloud/jira/platform/oauth-2-authorization-code-grants-3lo-for-apps/) and it said that I had to use the Jira Platform Rest API Authorization URL. So it worked for me. I was able to access the page where it asked for authorization from an Atlassian user.

When I click accept, Django Gives me an error that says "AuthStateMissing at /complete/atlassian/". The traceback shows that it raise AuthStateMissing(self, 'state'). I read from the Atlassian Guide that I had to have a state that is "a value that is associated with the user you are directing to the authorization URL, e.g., a hash of the user’s session ID", so I took the hash of the cookie of a user, then placed it to the auth_url -- but it still doesn't work.

Here's the request information: request information after the callback URI is followed

Here's the message from the terminal: 

[15/May/2019 02:36:13] "GET /home/ HTTP/1.1" 200 1008
Internal Server Error: /complete/atlassian/
Traceback (most recent call last):
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_core/actions.py", line 43, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_core/utils.py", line 259, in wrapper
    return func(*args, **kwargs)
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_core/backends/oauth.py", line 388, in auth_complete
    state = self.validate_state()
  File "/home/vasiliy/.virtualenvs/dj_atlassian/lib/python3.7/site-packages/social_core/backends/oauth.py", line 90, in validate_state
    raise AuthStateMissing(self, 'state')
social_core.exceptions.AuthStateMissing: Session value state missing.

really hope you guys could help. thanks

Middleman answered 15/5, 2019 at 2:57 Comment(2)
Did you ever figure this out?Addendum
github.com/python-social-auth/social-core/issues/250Camphor
P
1

in my settings.py file.

SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

My production server uses nginx to redirect HTTP to HTTPS, and this was the cause for the session state to go missing. Good luck-- hope this helps!

Phantasmagoria answered 11/5, 2020 at 15:27 Comment(2)
This is not working any morePrenomen
this does not work for me, i am experiencing the issue with github and google oauth, strangely they work fine in postman, but fail when calling the endpoint from a react frontend codeManyplies

© 2022 - 2024 — McMap. All rights reserved.