.gist width:auto !important;<br /> .gist-file<br /> .gist-data max-height: 500px;max-width: auto;<br />This is part 7 of a tutorial series by Ben Finkel that addresses the challenges, solutions and implementation of sound authentication. You will feel confident in your ability implement an authentication system, even if you have little to no background.
We had just sent the user directly to the Grant Authorization page of our chosen provider Google when we last left. We received a Kill response after allowing or denial of that request:
It’s a self-descriptive Kill. If you were paying attention to Post #4, when we set up our OAuth ClientID for Google, you may have seen a small textbox asking for “Authorized redirect URIs.” This is a secondary security feature that Google has built into its OAuth process. You must tell Google that it can reroute to our URL. This issue is easy to fix:
Browse to https://console.cloud.google.com
Click the flyout menu at the upper-left, and select “API Manager.”
Select “Credentials”, from the left-hand navigation panel.
Click on the OAuth Client ID we created earlier.
Enter the callback URL that you want to use in your consumer application, and then click Save.
Once your ID has been updated with an authorized callback URI you can launch your application again to start the OAuth process. After logging in, you will be presented with an OAuth consent screen.
Learn how to become a security expert with SPOTO’s Cybersecurity Training
Start training Notice that it asks you to “View your calendars.” This is due to the GoogleOAuth.py file that we selected. However, we don’t want to see calendars. We need to verify our identity so let’s get that fixed.
Another challenge comes with OAuth to verify identity. What scope will Google’s vast array OAuth scope options provide us with an email address, and what is the best way to get it?
You can only find out by looking through the documentation in the OAuth Playground. There are many options available, but most of them offer additional access that we don’t need.
I’ll save you some time: Email is a scope that provides us with only a user email. We will need to research and determine the scope of a second provider like Yahoo before we can implement it. This problem is solved by OpenID Connect, as we’ll see later.
Once we have updated our scope, we can republish this app to Google Cloud Platform and start the process again. On the authorization page, notice that we are asking for new permissions.
Token Exchange
Clicking either option will redirect you to the application callback URL. We need to decide how we will handle the callback. This is how the OAuthCallback class in Main.py looks now.
We then pass the details to our OAuth layer (oauth.py), and then decide how we proceed based upon whether or not we received a Kill. We’ll be able test this first, as a user’s denial will result in a Kill. To ensure that the OAuth library can verify that no CSRF shenanigans were committed during redirections, we also send the state token from memory.
OAuthCallback in oauth.py handles all the details of redirection from provider.
First, we look for mismatches in state tokens and bail out if one is discovered. We then check to see if the querystring contained the ‘Kill” value. If it was, we bail out.
If everything is fine, we can start our token exchange. The problem is that we don’t know which provider we are working with. The consumer app initially told us this, but now that we have left our app and redire, we don’t know what provider it is.