python-social-auth: "AuthStateMissing: Session value state missing" on logins with set session cookies

I’m working to integrate Facebook and Google OAuth2 into a site that already has working login using contrib.auth. I’m now stuck with a situation where I will receive an AuthStateMissing for both Google-Oauth2 and Facebook. The only way to successfully log in with those services is to wipe out my site cookie prior to clicking login. If I do that I can log in once. Then if I try to log in again I’ll receive another AuthStateMissing. I’ve checked past issues: the site is on a subdomain of a TLD, and the callback URLs are correct.

The traceback:

Traceback (most recent call last):
  File "/home/env/tcm/lib/python3.4/site-packages/django/core/handlers/base.py", line 112, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/newrelic-2.42.0.35/newrelic/hooks/framework_django.py", line 497, in wrapper
    return wrapped(*args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/django/views/decorators/cache.py", line 52, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/social/apps/django_app/utils.py", line 52, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/social/apps/django_app/views.py", line 28, in complete
    redirect_name=REDIRECT_FIELD_NAME, *args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/social/actions.py", line 40, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/social/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/home/env/tcm/lib/python3.4/site-packages/social/backends/oauth.py", line 361, in auth_complete
    state = self.validate_state()
  File "/home/env/tcm/lib/python3.4/site-packages/social/backends/oauth.py", line 87, in validate_state
    raise AuthStateMissing(self, 'state')
social.exceptions.AuthStateMissing: Session value state missing.

My relevant settings:


# INSTALLED_APPS must be an ordered sequence (list or tuple), not a set.
INSTALLED_APPS = [
    'social.apps.django_app.default',
]
...
AUTHENTICATION_BACKENDS = (
    'social.backends.facebook.FacebookOAuth2',
    'social.backends.google.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend',
)
...
TEMPLATE_CONTEXT_PROCESSORS = (
    'django.contrib.auth.context_processors.auth',
    'django.core.context_processors.debug',
    'django.core.context_processors.i18n',
    'django.core.context_processors.media',
    'django.core.context_processors.static',
    'django.core.context_processors.tz',
    'django.contrib.messages.context_processors.messages',
    'social.apps.django_app.context_processors.backends',
    'social.apps.django_app.context_processors.login_redirect',
)

The errors only trigger once I am sent back to my site. So it doesn’t appear to be related to either Google or Facebook.

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 39 (1 by maintainers)

Most upvoted comments

Hello everyone, thanks for the awesome work you do, this library is great. Now this issue still persists, and I don’t think setting SESSION_COOKIE_SAMESITE to None is the right approach, it feels like I’m disabling a security feature, rather than solving the problem…

Another thing to try if you are seeing the AuthStateMissing error and you are using Django: in settings.py, add SESSION_COOKIE_SAMESITE = None.

In my case, I only saw the error on Safari upon the redirect in the last leg of OAuth. The weirdest part was that I could refresh the page and the error would go away.

Upon further digging, I realized Safari wasn’t sending any cookies on the redirect, but would send cookies when I hit refresh (so the cookies were set correctly, just not being sent). I found the SESSION_COOKIE_SAMESITE setting which, by default, will strip your cookies on that redirect, and thus Django cannot find your session.

I just discovered that adding “SESSION_COOKIE_SECURE = True” can start this error happening. Obviously that’s pilot error - me telling the site not to accept session cookies unless over HTTPS but trying to use HTTP anyway. But I imagine it would be hard to diagnose if I hadn’t just changed this one setting (in fact I came looking for a more complete answer anyway).
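The two comments above (the SameSite one and the SESSION_COOKIE_SECURE one) both come down to the same question: does the browser attach the Django session cookie to the final cross-site redirect from the provider back to `/complete/<backend>/`? If it does not, the view runs with an empty session, the saved `state` is gone, and python-social-auth raises AuthStateMissing. The following is an added example, not code from Django or python-social-auth: it models the Secure and SameSite attribute rules as the cookie specification (RFC 6265bis) states them, not any single browser's quirks, so the reader can check a given combination of `SESSION_COOKIE_SAMESITE` and `SESSION_COOKIE_SECURE` against the callback leg. The `Cookie`/`Request` types and the `CALLBACK`, `CALLBACK_POST` and `REFRESH` requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool


@dataclass(frozen=True)
class Request:
    scheme: str        # "http" or "https"
    method: str        # HTTP method of the request the browser is about to send
    cross_site: bool   # initiated by another site (here: the OAuth provider's redirect)
    top_level: bool    # a navigation in the address bar, not a subresource or XHR


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """True if a browser following the RFC 6265bis rules attaches `cookie` to `req`."""
    # A Secure cookie is never sent over plain http: SESSION_COOKIE_SECURE=True on
    # an http dev server means the session cookie never comes back at all.
    if cookie.secure and req.scheme != "https":
        return False
    # SameSite=None is only accepted together with Secure; without it the cookie
    # is ignored entirely, so SESSION_COOKIE_SAMESITE=None alone is not enough.
    if cookie.samesite == "None" and not cookie.secure:
        return False
    if not req.cross_site:
        return True                          # same-site requests always carry it
    mode = cookie.samesite or "Lax"          # absent attribute: Lax by default
    if mode == "None":
        return True                          # sent everywhere; CSRF defence is gone
    if mode == "Strict":
        return False                         # never sent on a cross-site request
    # Lax: sent cross-site only on top-level navigations with a safe method, so a
    # provider that POSTs the code back (response_mode=form_post) loses the session.
    return req.top_level and req.method in ("GET", "HEAD")


# Constructed requests for the three situations discussed in the thread.
# Last leg of the OAuth dance: provider 302s the browser back to our /complete/ URL.
CALLBACK = Request(scheme="https", method="GET", cross_site=True, top_level=True)
# Same leg, but the provider POSTs the code back instead of redirecting.
CALLBACK_POST = Request(scheme="https", method="POST", cross_site=True, top_level=True)
# The user pressing refresh on the error page: a same-site GET.
REFRESH = Request(scheme="https", method="GET", cross_site=False, top_level=True)
# SESSION_COOKIE_SECURE=True while testing over plain http.
HTTP_CALLBACK = Request(scheme="http", method="GET", cross_site=True, top_level=True)


def session_survives(samesite: Optional[str], secure: bool, req: Request = CALLBACK) -> bool:
    """Would Django's sessionid cookie with these attributes reach the callback view?"""
    return cookie_is_sent(Cookie("sessionid", samesite, secure), req)


if __name__ == "__main__":
    for samesite in ("Strict", "Lax", "None"):
        print(f"SameSite={samesite:<6} GET callback: {session_survives(samesite, True)!s:<5}"
              f" POST callback: {session_survives(samesite, True, CALLBACK_POST)}")
    print("Secure cookie over http:", session_survives("Lax", True, HTTP_CALLBACK))
```

Under these rules Django's default of `Lax` keeps the session on a GET callback, `Strict` drops it on every callback, and `None` keeps it only when the cookie is also `Secure`, at the price of re-enabling cross-site requests with the session attached. If `None` is really required, pair it with `SESSION_COOKIE_SECURE = True` and keep the state check in place rather than catching the exception.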

There was a bug that caused the state to be validated on error responses from the provider, which masked the real error as a state-missing problem; this was fixed by https://github.com/python-social-auth/social-core/commit/4d2903c1a26cc433731dcc103fd211a7a4716b96

It happened to me that trying to access with: http://localhost/complete/oauth2test?state=vkTqtm0 works, but: http://localhost/complete/oauth2test/?state=vkTqtm0EsOj8E5oTDg5bGMabIgl172A0 did not.

Once the trailing ‘/’ (oauth2test/) was removed, the error disappeared.

If you are running both in the same host, you can set different SESSION_COOKIE_NAME for each application

We had that kind of problem as well.

After a long investigation, we found that those errors should occur in some of the cases. When you are using Django, social_auth is saving the state secret inside the session object and comparing it later on to the state received from the provider.

We found out that some of our users are sharing the already generated URLs we provide for social-auth (ex. https://**provider**login/?next=/accounts/o/authorize/%3Fclient_id=CLIENT_ID&redirect_uri=RETURN_URL&state=GENERATED AND SAVED STATE IN SESSION&response_type=BLA).

When those users successfully entered their authentication details, they were redirected back to our site and an AuthStateMissing exception was raised.

My suggestion is to catch the AuthStateMissing exception in a (Django) middleware and verify that the session object exists as needed for the state validation check. If it does exist, go and dig further; otherwise you are wasting your time.
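The maintainer's comment (error responses masked as a missing state) and the comment just above (shared authorize URLs, and diagnosing by checking whether the session exists) describe the same mechanism from two sides: the `state` is minted and stored in the session of the browser that clicked login, and is compared on the callback. The following is an added example, not the library's code. `begin_auth`, `complete_auth`, `provider_callback`, `diagnose` and the three exception classes are stand-ins written for this example to mimic that behaviour offline; the provider, session dictionaries and URLs are constructed.

```python
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlsplit


class AuthStateMissing(Exception):
    """No state stored in this session: this browser never started the dance here."""


class AuthStateForbidden(Exception):
    """A state is stored but does not match what the provider echoed back."""


class AuthCanceled(Exception):
    """The provider came back with an error (user denied, misconfiguration)."""


def begin_auth(session: Dict[str, str], authorize_url: str, redirect_uri: str) -> str:
    """Mint a random state, stash it in *this* browser's session and build the
    provider URL.  The state lives only in the session that requested the URL."""
    state = secrets.token_urlsafe(24)
    session["oauth_state"] = state
    return f"{authorize_url}?response_type=code&redirect_uri={redirect_uri}&state={state}"


def provider_callback(authorize_url_used: str, code: str = "AUTHCODE") -> Dict[str, str]:
    """Constructed stand-in for the provider's redirect back to /complete/...: it
    echoes whatever state was in the URL, regardless of whose browser opened it."""
    query = parse_qs(urlsplit(authorize_url_used).query)
    return {"code": code, "state": query["state"][0]}


def complete_auth(session: Dict[str, str], params: Dict[str, str]) -> str:
    """Validate the callback and return the authorization code."""
    # Check the provider's error response first, so a denied login is reported
    # as AuthCanceled instead of being masked by the state check.
    if "error" in params:
        raise AuthCanceled(params.get("error_description", params["error"]))
    expected = session.get("oauth_state")
    if not expected:
        raise AuthStateMissing("Session value state missing.")
    received = params.get("state", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not secrets.compare_digest(expected.encode(), received.encode()):
        raise AuthStateForbidden("Wrong state parameter given.")
    del session["oauth_state"]          # one-time use: a replayed callback fails
    return params["code"]


def diagnose(session: Dict[str, str], params: Dict[str, str]) -> str:
    """Label a callback the way a diagnosing middleware around the complete view
    could log it, separating 'no session at all' from 'session without state'."""
    try:
        complete_auth(session, params)
        return "ok"
    except AuthCanceled:
        return "provider-error"
    except AuthStateMissing:
        # Empty session: the cookie never reached us (SameSite/Secure, different
        # host or cookie name) or this browser never started here (shared URL).
        return "no-session" if not session else "session-without-state"
    except AuthStateForbidden:
        return "state-mismatch"


if __name__ == "__main__":
    alice = {"_auth_user_id": "1"}      # constructed session of the user who clicked login
    url = begin_auth(alice, "https://provider.example/o/authorize",
                     "https://app.example/complete/oauth2test")
    print("alice:", diagnose(alice, provider_callback(url)))   # ok
    bob = {}                            # fresh browser that opened Alice's shared URL
    print("bob:  ", diagnose(bob, provider_callback(url)))     # no-session
```

The shared-URL case is the interesting one: Bob's callback carries a perfectly valid state, but it is Alice's, and nothing in Bob's session can vouch for it, so AuthStateMissing is the correct outcome. Logging the `diagnose` label next to the exception tells you in one line whether to look at cookies or at how the user reached the provider.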

@lisad Applied your solution still getting “AuthStateMissing: Session value state missing”. How did you solve it in production server?