Google OAuth not working on production server using social-auth-app-django, works fine on localhost


I’ve been working on a small project that uses Google OAuth, and it worked perfectly until I had to put it in production. The errors only happen in production and don't seem to be related to incorrect URIs, because I double-checked all of them, but I might be wrong.

I’m hosting the front-end of my project on GitHub Pages, and the back-end (this Django API) on Heroku. When hosting both on localhost I can log in normally, but when trying to do it in production, I get the following error:

{non_field_errors: ["Session value state missing."]}

From the looks of it, maybe I was not properly sending the state, but I’m sending it, and this print shows it in the same payload being sent:
[screenshot: code and state are being sent in the payload]

The big difference I noticed between the local payload and the production one is some headers; here are the differences between them:
[screenshot: header differences between the local and production requests]

The main difference was the Cookies (I hid the tokens) missing on the left one (production), but I could not find any way to send those Cookies in the header, nor the reason why they aren’t being sent to the production API, only to the local one.

After not having any success, I tried the desperate measure of overriding the default GoogleOAuth2 class to get rid of the state error by doing this:

from social_core.backends import google

class GoogleOAuth2(google.GoogleOAuth2):
    # Turns off the OAuth2 state parameter, so the "state missing" check is skipped
    STATE_PARAMETER = False

And putting this in settings:

AUTHENTICATION_BACKENDS = (
    'ballersAPI.autenticacao.models.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend'
)

But still, I got the following response from the backend:

{non_field_errors: ["Authentication process canceled"]}

Now I’m completely out of ideas. I also tried changing the following settings, but neither adding nor removing them helped in any form:

DEBUG = False
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_HEADERS = ["Authorization", "Content-Type", "Accept", "Cookie"]
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

Those are my auth-related relevant settings.py lines, if you guys need them to investigate the problem:

DJOSER = {
    'LOGIN_FIELD': 'email',
    'SOCIAL_AUTH_TOKEN_STRATEGY': 'ballersAPI.strategy.TokenStrategy',
    'SOCIAL_AUTH_ALLOWED_REDIRECT_URIS': ['http://localhost:3000',
                                          'http://127.0.0.1:3000',
                                          'https://zimmerr.github.io/ballers-frontend/'],
}


AUTHENTICATION_BACKENDS = (
    'social_core.backends.google.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend'
)

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = config('GOOGLE_CLIENT_ID')
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = config('GOOGLE_CLIENT_SECRET')
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
    'openid'
]
SOCIAL_AUTH_GOOGLE_OAUTH2_EXTRA_DATA = ['first_name', 'last_name']
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

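The error in the question, "Session value state missing.", comes from the OAuth2 state check, which is the login-CSRF defence of the flow: the server stores a random state in the session before redirecting to Google and requires the callback to present the same value. That lookup depends entirely on the browser sending the session cookie with the second request. The following is an added, self-contained Python model of that check (it is not the question's code and not python-social-auth's implementation; SessionStore, browser_sends_cookie, complete_login and simulate are names chosen for this example). It shows how a same-site setup (both halves on localhost) succeeds, how a cross-site setup such as a github.io front-end talking to a herokuapp.com API fails with a missing state when the session cookie is SameSite=Lax, how a SameSite=None; Secure cookie restores the check, and why the check must stay on: a tampered state is rejected.

```python
"""Toy model of an OAuth2 state check backed by a cookie-keyed session.

Added example, not the project's or python-social-auth's code.  The browser
cookie rule below is a simplification of the SameSite behaviour of modern
browsers and is an assumption of this example.
"""
import secrets
from dataclasses import dataclass, field


class AuthStateMissing(Exception):
    """Raised when the session holds no state (the question's error)."""


class AuthStateForbidden(Exception):
    """Raised when the incoming state does not match the stored one (CSRF)."""


@dataclass
class SessionStore:
    """In-memory stand-in for a session backend keyed by the session cookie."""
    sessions: dict = field(default_factory=dict)

    def get(self, sid):
        return self.sessions.setdefault(sid, {})


def browser_sends_cookie(samesite, secure, cross_site, https):
    """Simplified browser rule: Lax/Strict cookies are withheld from cross-site
    fetch()/XHR requests; SameSite=None is only sent when the cookie is Secure
    and the request goes over HTTPS.  Same-site requests always carry it."""
    if cross_site:
        return samesite == "None" and secure and https
    return True


def begin_login(store, sid):
    """Authorization step: mint a random state, park it in the session and
    return it so the redirect to the provider can carry it."""
    state = secrets.token_urlsafe(32)
    store.get(sid)["google-oauth2_state"] = state
    return state


def complete_login(store, sid, cookie_sent, incoming_state):
    """Callback step.  Without the cookie the server sees a fresh, empty
    session, so the stored state is simply absent."""
    session = store.get(sid) if cookie_sent else {}
    expected = session.get("google-oauth2_state")
    if not expected:
        raise AuthStateMissing("Session value state missing.")
    if not secrets.compare_digest(expected, incoming_state or ""):
        raise AuthStateForbidden("Wrong state parameter given.")
    return "authenticated"


def simulate(samesite, secure, cross_site, https, tamper=False):
    """Run one begin/complete round trip and return the outcome as a string."""
    store = SessionStore()
    sid = "sessionid-abc123"  # constructed value of the session cookie
    state = begin_login(store, sid)
    sent = browser_sends_cookie(samesite, secure, cross_site, https)
    incoming = "attacker-chosen-state" if tamper else state
    try:
        return complete_login(store, sid, sent, incoming)
    except (AuthStateMissing, AuthStateForbidden) as exc:
        return str(exc)


if __name__ == "__main__":
    # localhost front-end and API: same site, cookie always sent
    print("local      :", simulate("Lax", False, cross_site=False, https=False))
    # github.io -> herokuapp.com with Django's default Lax cookie
    print("production :", simulate("Lax", True, cross_site=True, https=True))
    # same deployment with SameSite=None; Secure
    print("fixed      :", simulate("None", True, cross_site=True, https=True))
    # forged callback: the check still has to reject it
    print("tampered   :", simulate("None", True, cross_site=True, https=True,
                                   tamper=True))
```

The model suggests where to look before touching STATE_PARAMETER: the session cookie must actually reach the API on the cross-site POST, which in Django means SESSION_COOKIE_SAMESITE = 'None' together with SESSION_COOKIE_SECURE = True, and the front-end fetch must be made with credentials included. Setting STATE_PARAMETER = False makes the missing-state error disappear only by removing the CSRF check itself, so it is not a fix.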