Some users are reporting lost session after redirect within the login procedure.

the original issue as opened by @petertirrell was:

Pyramid Adapter and example

Implement an adapter for the Pyramid framework with example.

Hi,

Does authomatic have python 3 support? Currently, I am getting a ---> 21 from core import Authomatic, setup, login, provider_id, access, async_access, credentials, request_elements, backend

ImportError: No module named 'core'

I have a simple flask app that I am trying to implement login to google on. It all seems to work well until I get an error on the redirect back to my site. The app is deployed to heroku and is using the SSL certificate from heroku.

The error I receive: The redirect URI in the request: http://dev.example.com/login/g did not match a registered redirect URI.

Looks like the development stalled since July 15. @peterhudec if you need any help please tell us, there are some people out there using authomatic! Its great - but it needs some updates.

It is not able to auth with GitHub,

Hi None

Your id is: None

Your email is: None

Your JSON is: {"message":"Missing or invalid User Agent string. See http://developer.github.com/v3/#user-agent-required"}

I can only got name and ID from the facebook API call. In facebook's "LOGIN PERMISSIONS", I do see "email"; and in the config I set

'fb': {

        'class_': oauth2.Facebook,

        # Facebook is an AuthorizationProvider too.
        'consumer_key': 'MYSTUFF',
        'consumer_secret': 'MYSTUFF',

        # But it is also an OAuth 2.0 provider and it needs scope.
        'scope': ['email'],
    },

I got result.user.data to be {'name': 'Sean Lao', 'id': '55047288*******'} -- which is good, but -- no email!? - and result.user.email is None, while result.user.id, result.user.name work.

The result is obtained through here:

result = authomatic.login(WerkzeugAdapter(request, response), provider_name)

How do I get the email?

P.s. it works only for Yahoo so far. Haven't tried on Twitter or Google yet.

and btw this is result.user.to_dict():

{  
   'nickname':None,
   'provider':'fb',
   'first_name':None,
   'birth_date':'None',
   'id':'MYSTUFF',
   'location':None,
   'country':None,
   'credentials':'2%0A2-5%MYSTUFF',
   'phone':None,
   'data':{  
      'id':'MYSTUFF',
      'name':'Sean Lao'
   },
   'name':'Sean Lao',
   'locale':None,
   'city':None,
   'timezone':None,
   'last_name':None,
   'postal_code':None,
   'email':None,
   'username':None,
   'picture':'http://graph.facebook.com/THIS_ONE_WORKS/picture?type=large',
   'gender':None,
   'link':None,
   'gae_user':None
}

the 'picture':'http://graph.facebook.com/THIS_ONE_WORKS/picture?type=large', is working, though.

At some point today all of my OAuth 2.0 requests to Google started failing with a cryptic error:

[E 150414 16:23:47 __init__:333] authomatic: Google: Reported suppressed exception: FailureError('Failed to obtain OAuth 2.0 access token from https://accounts.google.com/o/oauth2/token! HTTP status: 400, message: {\n  "error" : "invalid_request",\n  "error_description" : "OAuth 2 parameters can only have a single value: client_secret"\n}.',)!

After a bunch of trial and error I figured out that if I disabled the authorization header while requesting a TOKEN from google it worked. Not sure what changed but I thought I would share it here to see if other people are having the same issue.

To monkey patch Authomatic until a formal change is figured out I just did this:

from authomatic.providers.oauth2 import Google
setattr(Google, "_x_use_authorization_header", False)

I've used Authomatic for many years, and have really appreciated all the work people have put into it, but it seems that it is not keeping up with the times. The three most popular providers don't or soon won't work out of the box:

• Google (G+ being retired)
• Facebook (need to manually update API version)
• Microsoft (very out of date and doesn't work)

I've switched one of my projects to Flask-Dance and will soon migrate another to something else.

I don't want to be too negative, but at this point, it seems best to update the official docs to suggest that people use other software for their Oauth needs.

There are a number of useful fixes in the rc0.1.1 branch, which was presumably started for the next release, but never fully completed.

I suggest merging these changes back into master for now, and then make a new release branch when we are ready to release.

This branch seems to mostly consists of test changes, but also includes a few updates to providers and small bug fixes.

We are using the Google provider and we need to redirect the user to the original referring url after login. I was thinking about encoding extra data in the state parameter but Authomatic doesn't seem to provide any API for that. Also thought about storing the referer (from the request header) in the session. Any recommendation on how to do that ?

thanks in advance Fábio

Below is an attempt to update providers/oauth2.py so that it will work with Google login after the shutdown of G+. It works currently with the email and profile scopes.

I'm not sure if it will continue to work post G+ shutdown. 🤞

-    user_info_url = 'https://www.googleapis.com/plus/v1/people/me'
+    user_info_url = 'https://www.googleapis.com/oauth2/v1/userinfo'

     @staticmethod
     def _x_user_parser(user, data):
-        emails = data.get('emails', [])
-        if emails:
-            user.email = emails[0].get('value')
-            for email in emails:
-                if email.get('type') == 'account':
-                    user.email = email.get('value')
-                    break
-
-        user.id = data.get('sub') or data.get('id')
-        user.name = data.get('displayName')
-        user.first_name = data.get('name',{}).get('givenName')
-        user.last_name = data.get('name',{}).get('familyName')
-        user.locale = data.get('language')
-        user.link = data.get('url')
-        user.picture = data.get('image',{}).get('url')
+        user.id = data.get('id')
+        user.email = data.get('email')
+        user.name = data.get('name')
+        user.first_name = data.get('given_name')
+        user.last_name = data.get('family_name')
+        user.locale = data.get('locale')
+        user.picture = data.get('picture')
         try:
             user.birth_date = datetime.datetime.strptime(data.get('birthdate'), "%Y-%m-%d")
-        except:
+        except Exception:
             user.birth_date = data.get('birthdate')
         return user

I've tested this with pas.plugins.authomatic for logging into a Plone site. By default it assumes a multi-tenant app (anyone with an MS account). For single-tenant app, the domain of the tenant should be passed as a configuration parameter (¨domain¨).

This is not an issue but it is a warning when using automatic with python 3.8+ and authomatic 1.0.0 the warning was added in python 3.8 https://docs.python.org/3.8/whatsnew/3.8.html#changes-in-python-behavior

Error

Authomatic_1_0_0/authomatic/core.py:1720: SyntaxWarning: "is" with a literal. Did you mean "=="? if ProviderClass.supports_jsonp and method is 'GET':

Can anyone post their openid config as an example? I'm having trouble matching up what I think should be in my json config for authomatic and what parameters are actually taken. (Like, where would I put "auth-server-url" in the json, for example? Also client ID secret).

Thanks!

Hi! Thanks for building and maintaining authomatic, it looks great!

I noticed that the example app https://authomatic-example.appspot.com/ is down. You might want to consider fixing it or removing its link from the README and docs, eg https://authomatic.github.io/authomatic/#live-demo.

I have a pair of sites that both use authomatic with Flask-login for google OAuth2,

https://unslumping.org/ https://fun.unslumping.org/

Each works fine if I clear all cookies in both domains before I log in. But logging in to the 2nd level domain seems to mess up logging in to the 3rd level domain. I get caught in a loop where .login() keeps returning an object with a .error either "Unable to retrieve stored state!" or "The returned state csrf cookie ... doesn't match with the stored state!"

Is there a way I can limit the scope of cookies to the root domain, and not let them be used by the subdomain?