Reddit OAuth2 401 Client Error Unauthorized #440

Closed
mbmccoy opened this issue Nov 15, 2014 · 4 comments

mbmccoy commented Nov 15, 2014

Ran into a 401 issue today when using psa for Reddit with python3. The bug arises from unicode/byte problems (surprise! It's python3).

Basically, the RedditOAuth2 backend authentication header is malformed because

' {} '.format(b'byte_string') == " b'byte_string' "

Note the extra enclosing " ". I hacked around the problem by replacing the following in reddit.py:

class RedditOAuth2(BaseOAuth2):
    (...)
    def auth_headers(self):
        # Reddit uses HTTPBasic authentication; throw into header
        auth_header = b'Basic ' + base64.urlsafe_b64encode(
            '{0}:{1}'.format(*self.get_key_and_secret()).encode()
        )
        return {'Authorization': auth_header, }

Of course, this won't work if the key and/or secret are byte strings.

On a philosophical level, it seems to me that the "right" way to solve this problem is to require that all URIs, application keys, client secrets, etc. be binary strings (since, if I understand correctly, that's what they really are).

But don't try this right now or you'll run into a world of hurt. For example, you'll get this problem in the StripeOAuth2 backend if a developer encodes the client secret as a byte string.

-Mike

omab (Owner) commented Apr 13, 2015

Closing, too old, and not a problem at the moment. Reopen if needed.

omab closed this as completed Apr 13, 2015

chadmiller commented

Still a problem. Please re-open.

In debug page shown because of exception, a few frames from the end, showing local variables:

social/backends/oauth.py in request_access_token

kwargs    {
   'auth': None,
   'data': { 'client_id': 'zhFG9g',
             'client_secret': 'ssJb3WWrttdz6I',
             'code': 'nBOjFdLuqNM4k',
             'grant_type': 'authorization_code',
             'redirect_uri': 'http://boogs.example.com/redirect/reddit'},
   'headers': {'Authorization': 'Basic '
                              "b'emhGdHp6YmtyeDVNBZmFqdFdydHRkejZJ'",
             'User-Agent': 'python-social-auth-0.2.12'},
   'method': 'POST'}

chadmiller commented

This seems more likely to be right. Note ".decode()"

    def auth_headers(self):
        return {
            'Authorization': 'Basic {0}'.format(base64.urlsafe_b64encode(
                ('{0}:{1}'.format(*self.get_key_and_secret()).encode())
            ).decode())
        }
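
The malformed header from the debug output and the `.decode()` fix, side by side, as an added example that is not part of the thread or of python-social-auth's code. The function names (`to_bytes`, `broken_basic_header`, `basic_header`, `check_basic_header`) are hypothetical and the credentials are constructed; the example also goes one step further and accepts byte-string keys and secrets, the case the first workaround does not cover.

```python
import base64
import re

# Matches a header value that carries a Python bytes repr, e.g. "Basic b'...'".
BYTES_REPR = re.compile(r"""^Basic b['"].*['"]$""")


def to_bytes(value, encoding="utf-8"):
    """Accept str or bytes credentials and return bytes."""
    return value if isinstance(value, bytes) else value.encode(encoding)


def broken_basic_header(key, secret):
    """Python 3 behaviour reported in the issue: bytes formatted into a str."""
    token = base64.urlsafe_b64encode("{0}:{1}".format(key, secret).encode())
    return "Basic {0}".format(token)  # token is bytes, so its repr leaks in


def basic_header(key, secret):
    """Build the header as text; key and secret may each be str or bytes."""
    # Same encoder as the snippets in the thread.
    token = base64.urlsafe_b64encode(to_bytes(key) + b":" + to_bytes(secret))
    return "Basic " + token.decode("ascii")  # base64 output is pure ASCII


def check_basic_header(value):
    """Return the decoded (key, secret) pair, or raise ValueError if malformed."""
    if BYTES_REPR.match(value):
        raise ValueError("bytes repr leaked into Authorization header")
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError) as exc:
        raise ValueError("token is not valid base64") from exc
    key, sep, secret = raw.partition(b":")
    if not sep:
        raise ValueError("decoded token has no key:secret separator")
    return key.decode(), secret.decode()


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    print(broken_basic_header("sample_key", "sample_secret"))
    print(basic_header("sample_key", b"sample_secret"))
    print(check_basic_header(basic_header(b"sample_key", "sample_secret")))
```

A check like `check_basic_header` fits in a unit test for any backend that builds its own `Authorization` header, so the repr leak fails the test suite instead of surfacing as a 401 from the provider.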

chadmiller pushed a commit to chadmiller/python-social-auth that referenced this issue Nov 10, 2015
In omab#440, we learn the reddit authorization string that composes key and
secret into a base-64 string leaves it as a bytestring, and then
in python3 tries to insert it into a unicode literal.  That adds its
repr format "b'foo'" in the auth, which is wrong.

Instead encode the base64 string back to unicode. The b64 format is
guaranteed to be 7-bit safe, so even lame default encodings should
handle it fine.
S01780 added a commit to S01780/python-social-auth that referenced this issue Mar 28, 2016
jackfischer commented

Please re-open, also looks like there may be other pull requests, #772 and #782?
