3

I'm using DropboxOAuth2Flow method described for the dropbox API v1.6 in my Django v1.5.3 application and I'm having a 400 error when redirected to the dropbox oauth2 authorization page.

When I go to to my dropbox_auth_start URL I get redirected to:

https://www.dropbox.com/1/oauth2/authorize?state=tWd4Eh4nzk5NlcuHXe7ffA%3D%3D&redirect_uri=http%3A%2F%2Fmydomain.com%2Fdropbox_auth_finish&response_type=code&client_id=blahblahblah

And then the 400 error occurs.

The "dropbox-auth-csrf-token" is written in the session file by the way.

My django code:

views.py

def get_dropbox_auth_flow(web_app_session):
    redirect_uri = "http://www.mydomain.com"
    return DropboxOAuth2Flow('blahblahblah', 'blehblehbleh', redirect_uri, web_app_session, "dropbox-auth-csrf-token")

# URL handler for /dropbox-auth-start
def dropbox_auth_start(request):
    authorize_url = get_dropbox_auth_flow(request.session).start()
    return HttpResponseRedirect(authorize_url)

# URL handler for /dropbox-auth-finish
def dropbox_auth_finish(request):
    try:
        access_token, user_id, url_state = get_dropbox_auth_flow(request.session).finish(request.GET)
    except DropboxOAuth2Flow.BadRequestException, e:
        http_status(400)
    except DropboxOAuth2Flow.BadStateException, e:
        # Start the auth flow again.
        return HttpResponseRedirect("http://www.mydomain.com/dropbox_auth_start")
    except DropboxOAuth2Flow.CsrfException, e:
        return HttpResponseForbidden()
    except DropboxOAuth2Flow.NotApprovedException, e:
        raise e
    except DropboxOAuth2Flow.ProviderException, e:
        raise e

urls.py

from django.conf.urls import patterns, url, include
from django.contrib import admin
admin.autodiscover()


urlpatterns = patterns('',
    url(r'^dropbox_auth_start/?$',views.dropbox_auth_start),
    url(r'^dropbox_auth_finish/?$',views.dropbox_auth_finish),
)
Improve this question
3
  • 4
    Looks like you might be using HTTP? OAuth 2.0 requires an HTTPS redirect URI. Commented Oct 6, 2013 at 21:43
  • I have just created a ssl certificate for my site, added the https in the views.py, but I'm getting the same result :( Commented Oct 6, 2013 at 21:55
  • 2
    Are you sure you set the auth callback correctly in the app console? Commented Oct 7, 2013 at 15:52

2 Answers 2

Reset to default
3

Just like @smarx said, I just switched from HTTP and HTTPS, and everything worked just fine.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

I've recently had a problem with this and my site link was always using the https link. I'm not sure if my solution is fully valid or secure, but for the moment it stops a bug that's causing a lot of bad signup problems for my service.

Because in some cases the Django Session layer does not seem to work when users are redirected to dropbox and back it seems that the CSRF token is passed back to your app as the "state" parameter in the callback response. My solution is to do a check in your view handler for the authentication that checks if the csrf session key exists and if it does not to get it from the parameter "state" and add it to the session before calling the dropbox request authentication flow.

    try:
        if request.session["dropbox-auth-csrf-token"] is None or request.session["dropbox-auth-csrf-token"] == "":
            raise Exception("Problem with csrf")
    except Exception, e:
        #Get it from the parameter and add it to the session.
        csrf = request.GET.get("state")
        request.session["dropbox-auth-csrf-token"] = csrf

    access_token, user_id, url_state = \
            get_dropbox_auth_flow(request.session).finish(request.GET)

I'm not sure if it's an overall fix that can be added to the Django library for dropbox, to check the request parameter for the state variable if the session is for some reason not working. This may in fact be a security problem, for the moment it solves my signup issues.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.