
I am looking to restore local/dev Auth0 functionality to a Flask app that I recently updated from Python 2.7 to Python 3 (v 3.8.6). The Auth0 authorize_access_token is now failing on my local development server, but still works on the deployed staging site. I have not made any changes to this code or to my Auth0 settings.

Error Message:

  File "/Users/h/.local/share/virtualenvs/stf-hashhere/lib/python3.8/site-packages/authlib/integrations/base_client/base_app.py", line 126, in _retrieve_oauth2_access_token_params
    raise MismatchingStateError()
authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.

Code:

from flask import Flask, redirect
from authlib.integrations.flask_client import OAuth


def create_app(test_config=None):
    # Factory to create and configure the app
    app = Flask(
        __name__,
        static_folder='../www/static',
        static_url_path='/static',
        template_folder='../www/static/dist',
        instance_relative_config=True,
    )
    # SESSION_KEY and the AUTH0_* values must be loaded before they are read;
    # the original omits this step, so instance-folder config is assumed here.
    if test_config is None:
        app.config.from_pyfile('config.py')
    else:
        app.config.update(test_config)

    oauth = OAuth(app)
    # Signs the Flask session cookie, which is where Authlib keeps the OAuth state
    app.secret_key = app.config['SESSION_KEY']
    auth0_base = 'https://{}'.format(app.config['AUTH0_API_AUDIENCE'])
    auth0 = oauth.register(
        'auth0',
        client_id=app.config['AUTH0_CLIENT_ID'],
        client_secret=app.config['AUTH0_CLIENT_SECRET'],
        api_base_url=auth0_base,
        access_token_url='{}/oauth/token'.format(auth0_base),
        authorize_url='{}/authorize'.format(auth0_base),
        client_kwargs={
            'scope': 'openid profile email',
        },
    )

    @app.route('/earlybird')
    def login():
        # Generates a state value, stores it in the session, redirects to Auth0
        return auth0.authorize_redirect(redirect_uri=app.config['AUTH0_CALLBACK_URL'])

    @app.route('/auth/callback')
    def callback_handling():
        # Checks the returned state against the stored one, then exchanges the code
        auth0.authorize_access_token()
        return redirect('/profile')

    return app


{'framework': <authlib.integrations.flask_client.integration.FlaskIntegration object at 0x110be03a0>, 'name': 'auth0', 'client_id': '<client>', 'client_secret': 'secret', 'request_token_url': None, 'request_token_params': None, 'access_token_url': 'https://smalltradeflora.auth0.com/oauth/token', 'access_token_params': None, 'authorize_url': 'https://smalltradeflora.auth0.com/authorize', 'authorize_params': None, 'api_base_url': 'https://smalltradeflora.auth0.com', 'client_kwargs': {'scope': 'openid profile email'}, 'compliance_fix': None, 'client_auth_methods': None, '_fetch_token': None, '_update_token': None, '_user_agent': 'Authlib/0.15.2 (+https://authlib.org/)', '_server_metadata_url': None, 'server_metadata': {'refresh_token_url': None, 'refresh_token_params': None}, '_fetch_request_token': None, '_save_request_token': None}
  • http://flora.loc:5000/auth/callback is my Allowed Callback URL as well as my app.config['AUTH0_CALLBACK_URL']

I have tried:

  • Verifying config variables
  • Adding a SESSION_NAME, then app.config.SESSION_COOKIE_NAME, per this SO thread
  • using url_for('callback_handling', _external=True) to ensure alignment w/ the callback
  • Verifying that the AUTH0 params do not need to be typed as bytes (the u'' transition is the only top-level visible change from 2.7 in these lines of code)
  • Running from http://127.0.0.1:5000 (same port)

I've noticed that @lepture also notes in this thread

In Authlib 0.9 the session key for state has changed.

But I don't yet understand how, or if, this applies to my needed code adjustments.

hbrannan

1 Answer


I ended up rewriting my app factory completely, building iteratively from the downloaded OAuth for Python Web App sample. The 2 main differences between the working and non-working versions of the code are:

  • Using localhost:5000 as my localhost address. My mapped flora.loc base will not work. Notes:
    • I am still not sure why mapped hostnames do not function here (logging the referring URL showed flora.loc as expected, but there must be something about the resolution I haven't yet caught)
    • As always, ensure that your expected address is also listed in your Auth0 app dashboard.
  • The audience parameter now needs a prepended https:// to resolve successfully
hbrannan
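The MismatchingStateError in the question is the OAuth2 authorization-code CSRF check: at login the client generates a random state, stores it in the Flask session cookie and sends it to the authorization server; on the callback the state echoed back must be found in the session that the browser presents. Because a session cookie is scoped to the host that set it, a login started on one hostname and a callback arriving on another (or a replayed or altered callback) will not find the stored state and fails exactly this way, which is consistent with the answer's observation that the browsed address and the callback address had to agree. The following is an added, stand-alone model of that check, not the question's code and not Authlib's implementation; the Browser cookie-jar class, the state key naming, the client id and the stand-in authorization-server function are all assumptions made for illustration.

```python
"""Model of the OAuth2 authorization-code 'state' check behind Authlib's
MismatchingStateError, with a host-scoped session store.

Added illustration; not code from the question, the answer or Authlib.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class MismatchingStateError(Exception):
    """Raised when the state echoed back is not one this session saved."""


class Browser:
    """Assumed minimal cookie jar: one session dict per hostname, modelling
    the fact that a cookie is only sent back to the host that set it."""

    def __init__(self):
        self._sessions = {}

    def session_for(self, url):
        host = urlsplit(url).hostname
        return self._sessions.setdefault(host, {})


def authorize_redirect(session, client_id, redirect_uri,
                       authorize_url="https://example.auth0.com/authorize"):
    """Build the /authorize URL and persist a fresh state in the session.
    The key is derived from the state so concurrent logins do not collide
    (assumed naming, in the spirit of Authlib's flask_client)."""
    state = secrets.token_urlsafe(32)
    session[f"_auth0_authlib_state_{state}"] = {"redirect_uri": redirect_uri}
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
    })
    return f"{authorize_url}?{query}"


def authorize_access_token(session, callback_url):
    """Validate the callback: its state must be one saved in THIS session.
    The saved record is consumed (one-time use), so a replay also fails.
    Returns the parameters the token exchange would use."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if state is None or code is None:
        raise ValueError("callback is missing code or state")
    saved = session.pop(f"_auth0_authlib_state_{state}", None)
    if saved is None:
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response.")
    return {"code": code, **saved}


def simulate_idp_callback(authorize_redirect_url, code="SplxlOBeZQQYbYS6WxSbIA"):
    """Stand-in for the authorization server (assumed): echo the state back to
    the registered redirect_uri together with a constructed authorization code."""
    q = parse_qs(urlsplit(authorize_redirect_url).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"


def login_flow(login_host, callback_uri, browser=None):
    """Start the login on login_host, then deliver the callback to callback_uri.
    Succeeds only if both hosts share the same session cookie."""
    browser = browser or Browser()
    session = browser.session_for(f"http://{login_host}/earlybird")
    auth_url = authorize_redirect(session, "client-id", callback_uri)
    callback = simulate_idp_callback(auth_url)
    return authorize_access_token(browser.session_for(callback), callback)


if __name__ == "__main__":
    # Same host for login and callback: the state is found and the code is returned.
    print(login_flow("flora.loc:5000", "http://flora.loc:5000/auth/callback"))
    # Login browsed on localhost, callback registered on flora.loc: different
    # cookie jar, no stored state, and the CSRF check fails.
    try:
        login_flow("localhost:5000", "http://flora.loc:5000/auth/callback")
    except MismatchingStateError as exc:
        print("failed as expected:", exc)
```

The practical check this suggests for a dev setup is to open the app at exactly the host that appears in AUTH0_CALLBACK_URL and in the Auth0 dashboard, then confirm in the browser's devtools that the session cookie set on /earlybird is sent with the /auth/callback request; if the cookie is missing there, the state cannot be found and the error is inevitable regardless of Auth0 configuration.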