A couple of days ago my perfectly functional twitter integration broke down. Trying to authorize a twitter account is resulting in an error in oauth.py.handle_oauth1_response. I printed the response from twitter which is something like this:

{'<?xml version': u'"1.0" encoding="UTF-8"?>
<hash> 
<error>The access_token method must be called with a request_token</error>
<request>/oauth/access_token?oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=', 
'oauth_consumer_key': u'mykey', 'oauth_nonce': u'54855713', 
'oauth_signature': u'l4p6yhF8bx+dtUxxgY8IM4gnXgQ=
</request>
</hash>', 
'oauth_signature_method': u'HMAC-SHA1', 
'oauth_timestamp': u'1339648593', 
'oauth_token': u'61690026-MvKpp8RnOF9phm7AUD4ZrRpoOivpIWmFxxxfaVJXO', 
'oauth_verifier': u'S6xNfL1KtUQfppvsC6Cyyqus58ba87R5tHOxNf8NA', 
'oauth_version': u'1.0'} 

Any help in debugging this?

Hello,

I am having a tough time figuring out how to verify the access token of a client.

Should I use the same endpoint oauth/token with a GET method in order to verify it or this endpoint is just made for token generation and I should create a endpoint of my own with the request_validator.

Thank you

from urlparse import urljoin

ImportError: No module named 'urlparse'

Line 13, flask_oauth.py

Should add try catch for python3 and python 2 compatibility

Is there any way to get facebook picture, email, gender and so on with flask-oauth?

To launch the twitter example and use successfully, the db must be initialized.

https://github.com/mitsuhiko/flask-oauth/blob/master/example/tweet.py#L180

diff --git a/example/tweet.py b/example/tweet.py
index 536836a..2462345 100644
--- a/example/tweet.py
+++ b/example/tweet.py
@@ -178,4 +178,5 @@ def oauth_authorized(resp):


 if __name__ == '__main__':
+    init_db()
     app.run()

The Twitter OAuth examples provided by oauth2 on the GitHub page don't actually work:
https://github.com/simplegeo/python-oauth2#using-the-client

Here is an article explaining the state of OAuth in Python that advocates the use of oauthlib:
http://pydanny.com/the-sorry-state-of-python-oauth-providers.html

This library, which uses oauthlib, actually works:
http://requests-oauthlib.readthedocs.org/en/latest/oauth1_workflow.html

Currently Flask-OAuth is completely broken for me, as it doesn't assemble the requests in the way that Twitter recommends, yet both the Flask-OAuth and oauth2 documentation claim to work with Twitter's OAuth request_token requests.

If a user's token has expired, Google responds back with a non-200 response code, which causes an OAuthException to get raised: https://github.com/mitsuhiko/flask-oauth/blob/master/flaskext/oauth.py#L342-343

As far as I can tell, I have no clean way of using this information to return None from my tokengetter function in order to get a fresh token.

Any thoughts?

I have used the exact same code from Facebook example, but 80% of the time I see the error ResponseNotReady(). What could possibly cause this? And sometimes it returns the correct answer. I have tried both test apps and main app.

P.S. : Because Facebook is restricted in my local region(by the region), I use a proxy and put my flask app in the white-list so it will be able to communicate with Facebook.

All of sudden few days ago i started getting this 401 error from Twitter

This seems similar to https://dev.twitter.com/discussions/16443 but I'm calling authorize() with callback and oauth_verifier param is passed.

I've seen https://github.com/crhym3/simpleauth/blob/master/simpleauth/handler.py
where a CSRF token is used for communication with oauth provider. Does flask-oauth offer such security feature already? If not please add support for that.

Hi Guys,

I've recently tried installing Flask-Social to find that the install failed. Tracing back the error and the dependencies it seems that the installation has failed because there is a syntax error: print "unable to find version in %s" % (VERSIONFILE,).

I assume this is due to the fact that I'm using python 3 rather than python 2. Upon further investigation, it seems that the oauth2 lib hasn't been updated in some 3 or so years so I'd like to propose moving to oauthlib as it is actively maintained and supports python3 or possibly forking the origin oauth2 library and updating it to be python3 compatible.

Cheers

Currently, flask-oauth is letting oauth2 do whatever it likes with regards to signature method. That means, it's mostly using HMAC_SHA1. However, some oauth servers will only accept PLAINTEXT as the signature method.

It's not too bad to set the signature method right after creating the remote_app, although it does mean accessing the _client which might not be totally obvious to some folks. It looks like this:

from flaskext.oauth import OAuth
from oauth2 import SignatureMethod_PLAINTEXT

oauth = OAuth()
my_api = oauth.remote_app('my_api',
    ...
)
my_api._client.set_signature_method(SignatureMethod_PLAINTEXT())

What doesn't work at all is using the authorized_handler decorator. When it calls make_client, it doesn't care about signature method. I had to add this around line 300 of oauth.py:

client.set_signature_method(oauth2.SignatureMethod_PLAINTEXT())

So, the issue is how to handle signature method better and allow for greater flexibility. Maybe if we just set it in the init() of OAuthRemoteApp(), we could just use it as a class attribute everywhere else. That assumes that a single remote_app always uses the same signature method, but from what I can see, that's a pretty safe assumption.

On http://packages.python.org/Flask-OAuth/ , the documentation says:

=== start ===
Defining Remote Applications
To use connect to a remote application you need to create a OAuth object and register a remote application on it. This can be done with the remote_app() method:

oauth = OAuth()
the_remote_app = oauth.register_app('the remote app',
...
)
=== end ===

What is confusing is that the paragraph refers to remote_app method, whereas the code is showing register_app method.

Having the convenience of a tokengetter decorator is great. However, doing this from within a celery worker looks awfully odd to me. Any chance of also having a way to simply pass the token parameters which would then override the need for the function. Maybe even with the actual request to be able to override it?

I need to be able to work through quite a few twitter users and it currently feels a bit wrong doing things this way.

You may of course disagree, in which case just close this bug. Thanks.

I'm not sure if google's implementation is non-standard, but I've found that to get the access_token I need to use a "POST" instead of a command. However simply setting access_token_method to "POST" is not sufficient because "handle_oauth2_response" puts the remote_args into the url instead of the body.

This may require a separate ticket, but google also expects an additional argument "grant_type" which needs to be set to "authorization_code".

I had to the line linked to bellow oauth.py to get it working with google. Without it I receive an error indicating that I am missing a required token.

FreakTheMighty@b4183b7

Why can't I get the link of profile picture when I write

pic = facebook.get("/me/picture?fields=url")

If I try sending this GET request from facebook Graph API, with same access-token, I get the profile link.
![image]. However, It gives me a debug message of auto version shift to 2.9.

(https://user-images.githubusercontent.com/16293392/27484284-9ab2deae-5820-11e7-8c1a-82456a87233d.png)

Hey.. looks like the lib on pypi still on the older version. I've tried to install it on my machine with python3 and got ImportError exception from this line from urlparse import urljoin.

Using this package on heroku is murder. Can you please push a new pypi package?

I'm working with an API (FreshBooks) where the access_token_url requires a POST instead of the GET. Is this a change in the 1.0a version of OAuth or is this a bug? Should it be configurable?

There is an issue in: https://github.com/mitsuhiko/flask-oauth/blob/master/.gitmodules

The git:// (i.e. git+git://) protocol is unsupported and trying to install this package as git+ssh:// or similar methods does not work because of the submodule issue. The submodule URL should be ssh:// or https://.

The full trace is this:

$ pip3 install -e git+https://github.com/mitsuhiko/flask-oauth.git@d5c3f6a229df1c3566b9bc3233311c109b4dcff9#egg=flask-oauth
Obtaining flask-oauth from git+https://github.com/mitsuhiko/flask-oauth.git@d5c3f6a229df1c3566b9bc3233311c109b4dcff9#egg=flask-oauth
  Cloning https://github.com/mitsuhiko/flask-oauth.git (to revision d5c3f6a229df1c3566b9bc3233311c109b4dcff9) to /home/myuser/.virtualenvs/Datagran/src/flask-oauth
  Running command git clone -q https://github.com/mitsuhiko/flask-oauth.git /home/myuser/.virtualenvs/Datagran/src/flask-oauth
  Running command git rev-parse -q --verify 'sha^d5c3f6a229df1c3566b9bc3233311c109b4dcff9'
  Running command git fetch -q https://github.com/mitsuhiko/flask-oauth.git d5c3f6a229df1c3566b9bc3233311c109b4dcff9
  Running command git checkout -q d5c3f6a229df1c3566b9bc3233311c109b4dcff9
  Running command git submodule update --init --recursive -q
  fatal: remote error:
    The unauthenticated git protocol on port 9418 is no longer supported.
  Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
  fatal: clone of 'git://github.com/mitsuhiko/flask-sphinx-themes.git' into submodule path '/home/myuser/.virtualenvs/Datagran/src/flask-oauth/docs/_themes' failed
  Failed to clone 'docs/_themes'. Retry scheduled
  fatal: remote error:
    The unauthenticated git protocol on port 9418 is no longer supported.
  Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
  fatal: clone of 'git://github.com/mitsuhiko/flask-sphinx-themes.git' into submodule path '/home/myuser/.virtualenvs/Datagran/src/flask-oauth/docs/_themes' failed
  Failed to clone 'docs/_themes' a second time, aborting
WARNING: Discarding git+https://github.com/mitsuhiko/flask-oauth.git@d5c3f6a229df1c3566b9bc3233311c109b4dcff9#egg=flask-oauth. Command errored out with exit status 1: git submodule update --init --recursive -q Check the logs for full command output.
ERROR: Could not find a version that satisfies the requirement flask-oauth (unavailable) (from versions: 0.9, 0.10, 0.11, 0.12)
ERROR: No matching distribution found for flask-oauth (unavailable)
WARNING: You are using pip version 21.1.2; however, version 22.0.4 is available.
You should consider upgrading via the '/home/myuser/.virtualenvs/Datagran/bin/python -m pip install --upgrade pip' command.

Team we are trying to integrate our supeset application with OKTA, and we have tried to use this plugin for integration. Please confirm if this supports okta integration ?

When calling the authorize function the call back perimeters are not properly set.

As an example I am using the DropBox API's Authorize REST interface with the following code:

from flask import Flask, render_template, request, redirect, session, url_for, flash
from flask_oauth import OAuth

app = Flask(__name__)

app.config['PROPAGATE_EXCEPTIONS'] = True
app.secret_key="not so secret"

oauth = OAuth()
dropbox = oauth.remote_app('dropbox',
    base_url='https://api.dropbox.com/1/',
    request_token_url='https://api.dropbox.com/1/oauth/request_token',
    access_token_url='https://api.dropbox.com/1/oauth/access_token',
    authorize_url='https://www.dropbox.com/1/oauth/authorize/',
    consumer_key='KEY',
    consumer_secret='SECRET'
)

@app.route("/test")
def index():
    return "SUCCESS!"

@app.route("/login")
def login():
    return dropbox.authorize(callback=url_for('authenticated',
        next=request.args.get('next') or request.referrer or None,  _external=True))

@dropbox.tokengetter
def get_dropbox_token(token=None):
    return session.get('dropbox_token')

@app.route('/authenticated')
@dropbox.authorized_handler
def authenticated(resp):
    next_url = request.args.get('next') or url_for('index')
    if resp is None:
        flash(u'You denied the request to sign in.')
        return redirect(next_url)

    session['dropbox_token'] = (
        resp['oauth_token'],
        resp['oauth_token_secret']
    )
    #session['twitter_user'] = resp['screen_name']

    flash('You were signed in as %s' % resp['uid'])
    return redirect(next_url)

And when I make a request to /login I get authenticated with DropBox, however I never get returned to my application.

curl http://localhost:5000/login --head
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 349
Location: https://www.dropbox.com/1/oauth/authorize/?oauth_token=TOKEN
Set-Cookie: session=SESSION; HttpOnly; Path=/
Server: Werkzeug/0.9.4 Python/2.7.5
Date: DATE

I believe this is because the Location or redirect is does not contain the https://www.dropbox.com/1/oauth/authorize/?oauth_token=TOKEN&oauth_callback=http://localhost:5000/authenticated

The authorize function seems to not set this properly.

In a situation where a user has oauth tokens in their session variables, but makes a oauth.authorize request, the oauth request appears to get signed by the existing keys.

I noticed this explicitly for twitter where additional oauth authorize requests would fail unless I did

del session['twitter_oauth_tokens']

Upon writing this I acknowledge that it sounds weird to send in an oauth authorize request if the user already has this info in their session, but in my case the flask oauth may expire and the user is logging back in through twitter.

I am curious if there is a reason you don't automatically ignore oauth tokens on oauth.authorize requests?

how can i get the nodes like email , names etc extracted from its response in google login response

Automatically test OAuth.

Throws flaskext.oauth.OAuthException with following twitter responce:

{'status': '401', 'content-length': '565', 'x-transaction': '211c21269388bd25', 'set-cookie': 'k=10.35.2.124.1344885309124184; path=/; expires=Mon, 20-Aug-12 19:15:09 GMT; domain=.twitter.com, guest_id=v1%3A134488530913929470; domain=.twitter.com; path=/; expires=Thu, 14-Aug-2014 07:15:09 GMT, _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNQ%252BaSE5AToHaWQiJTFhOGExZTk3ZTVkZjhi%250AYTRiMTlmMzJmODk1NDg1YjhhIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--65ae75aa65a2f5b2787aca378c468ee8dd237619; domain=.twitter.com; path=/; HttpOnly', 'expires': 'Tue, 31 Mar 1981 05:00:00 GMT', 'x-mid': '5e909ac08c5baed8ed51d8f16b1664f6a4b327b1', 'server': 'tfe', 'last-modified': 'Mon, 13 Aug 2012 19:15:09 GMT', '-content-encoding': 'gzip', 'pragma': 'no-cache', 'cache-control': 'no-cache, no-store, must-revalidate, pre-check=0, post-check=0', 'date': 'Mon, 13 Aug 2012 19:15:09 GMT', 'x-frame-options': 'SAMEORIGIN', 'content-type': 'text/html; charset=utf-8', 'www-authenticate': 'OAuth realm="https://api.twitter.com"', 'vary': 'Accept-Encoding'}

The access_token method must be called with a request_token
/oauth/access_token?oauth_body_hash=2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D&oauth_nonce=43034051&oauth_timestamp=1344885309&oauth_verifier=RkDAfXiGWYYerIVpd1Aer5EorCfKG8ibYT0q69XME&oauth_consumer_key=HTeijARUpbSR7pXaVmGULA&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_token=33175438-XRgolk9jzdkthoXkHjCJmtbtaA4o02TRdEHZaHMLG&oauth_signature=Bf6ekP5Bmg5tC%2BHUVicLKKdLZbQ%3D

Is there any reason 0.13 hasn't been pushed to PyPi? It looks the version was bumped about a year ago.

This happens whenever I try to initiate the app with oauth = OAuth().

Are there any plans of implementing the Oauth v2.0 specification into flask-oauth?

Hey there, when attempting to use this library on python 3.6.5 I encountered a few import errors. This was previously tracked and closed without being fixed in: #85

I'd at least like a "won't fix/don't care" response if possible, it's unclear why the original issue was closed and it has received comments regularly since it was posted.

My hacky mitigation to import this library is:

import urllib.parse as urlparse
import sys
sys.modules["urlparse"] = urlparse
sys.modules["urllib"] = urlparse
from flask_oauth import OAuth

Errors on import:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/flask_oauth.py", line 13, in <module>
    from urlparse import urljoin
ModuleNotFoundError: No module named 'urlparse'

If I hack in urlparse, I then hit:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/flask_oauth.py", line 17, in <module>
    import oauth2
  File "/usr/local/lib/python3.6/site-packages/oauth2/__init__.py", line 33, in <module>
    from ._compat import PY3
  File "/usr/local/lib/python3.6/site-packages/oauth2/_compat.py", line 41, in <module>
    from urllib import quote
ImportError: cannot import name 'quote'

def oauth_start(self):                              
    twitter = self.oauth_app()                      
    return twitter.authorize(callback=url_for('twip.oauth_callback'))

In my code, when return from twitter, the callback URL uses http scheme instead of https

Is there anyway to specify this scheme?

P.S. strange that this only happens when I run my code at heroku. It's fine if I run this code as Apache CGI script

could you maybe release 0.13 on pypi? https://pypi.python.org/pypi/Flask-OAuth still lists 0.12.

related: gae-init/gae-init-auth#9

Supporting Facebook Style OAuth.

The example isn't working when you go to post a tweet. The first issue is init_db() is never called, secondly the Authorization header isn't added. That later is apparently an oauth2 issue...

I'm using flask_oauth in an app deployed on heroku.

And 'certificate verify failed' occurs when requesting the access token from https://api.weibo.com. But it's ok to access the website in browser, no certificate warning.

So, how can I just ignore the ssl certificate verification?

Stack trace:

File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/flask_oauth.py", line 429, in decorated
  data = self.handle_oauth2_response()
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/flask_oauth.py", line 400, in handle_oauth2_response
  resp, content = self._client.request(url, self.access_token_method)
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/oauth2/__init__.py", line 682, in request
  connection_type=connection_type)
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/httplib2/__init__.py", line 1597, in request
  (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/httplib2/__init__.py", line 1345, in _request
  (response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/httplib2/__init__.py", line 1281, in _conn_request
  conn.connect()
File "/Volumes/ws/prj/mark1x/venv/lib/python2.7/site-packages/httplib2/__init__.py", line 1036, in connect
  raise SSLHandshakeError(e)
SSLHandshakeError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The authorized_handler method raises OAuthException if the OAuth process fails. However, since this method is a decorator, there's no way to write an exception handler that can display a friendly error message to the user. Instead, the user sees a 500 internal server error.

Relevant code: https://github.com/mitsuhiko/flask-oauth/blob/master/flaskext/oauth.py#L305

Traceback (most recent call last):
File "/env/lib/python2.7/site-packages/flask/app.py", line 889, in call
return self.wsgi_app(environ, start_response)
File "/env/lib/python2.7/site-packages/flask/app.py", line 879, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/env/lib/python2.7/site-packages/flask/app.py", line 876, in wsgi_app
rv = self.dispatch_request()
File "/env/lib/python2.7/site-packages/flask/app.py", line 695, in dispatch_request
return self.view_functionsrule.endpoint
File "/blog/views.py", line 94, in index
resp = twitter.get('statuses/home_timeline.json')
File "/env/lib/python2.7/site-packages/flaskext/oauth.py", line 173, in get
return self.request(_args, *_kwargs)
File "/env/lib/python2.7/site-packages/flaskext/oauth.py", line 239, in request
body=data, headers=headers))
File "/env/lib/python2.7/site-packages/oauth2/init.py", line 662, in request
req.sign_request(self.method, self.consumer, self.token)
File "~/env/lib/python2.7/site-packages/oauth2/init.py", line 493, in sign_request
self['oauth_body_hash'] = base64.b64encode(sha(self.body).digest())
TypeError: must be string or buffer, not None

Evidently, self.body can't be None but is always being set to None for GET requests.

Here is the problem line in oauth2/init.py...

if not self.is_form_encoded:
488 # according to
489 # http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
490 # section 4.1.1 "OAuth Consumers MUST NOT include an
491 # oauth_body_hash parameter on requests with form-encoded
492 # request bodies."
493 self['oauth_body_hash'] = base64.b64encode(sha(self.body).digest())

Here's a patch: https://gist.github.com/1020196