I'm having issues grasping the concept of redirection during authentication as presented in the DrEdit sample app. Here the redirect_url is set by stripping off all parameters from the request url:
from oauth2client.client import flow_from_clientsecrets

def CreateOAuthFlow(self):
    """Create OAuth2.0 flow controller
    This controller can be used to perform all parts of the OAuth 2.0 dance
    including exchanging an Authorization code.
    Args:
      request: HTTP request to create OAuth2.0 flow for
    Returns:
      OAuth2.0 Flow instance suitable for performing OAuth2.0.
    """
    flow = flow_from_clientsecrets('client_secrets.json', scope='')
    # Dynamically set the redirect_uri based on the request URL. This is extremely
    # convenient for debugging to an alternative host without manually setting the
    # redirect URI: drop the query string, then the last path segment.
    flow.redirect_uri = self.request.url.split('?', 1)[0].rsplit('/', 1)[0]
    return flow
When the application is called from the Google Drive UI (a GET request to the application's root URL with GET parameters code and state) the application checks that it is authorized to make requests to Google Drive. In the event that the access has been revoked, it tries to re-authorize itself using the following code, I believe:
creds = self.GetCodeCredentials()
if not creds:
    return self.RedirectAuth()
where RedirectAuth() is defined as:
def RedirectAuth(self):
    """Redirect a handler to an authorization page.
    Used when a handler fails to fetch credentials suitable for making Drive API
    requests. The request is redirected to an OAuth 2.0 authorization approval
    page and, on approval, is returned to the application.
    Args:
      handler: webapp.RequestHandler to redirect.
    """
    flow = self.CreateOAuthFlow()
    # Manually add the required scopes, since this redirect does not originate
    # from the Google Drive UI, which automatically sets the scopes that are
    # listed in the API Console.
    flow.scope = ALL_SCOPES
    # Create the redirect URI by performing step 1 of the OAuth 2.0 web server
    # flow.
    uri = flow.step1_get_authorize_url(flow.redirect_uri)
    # Perform the redirect.
    self.redirect(uri)
My problem is that when I revoke access of the application from my Google Dashboard and try to open it via the Google Drive UI, it redirects me to the authorization page and then redirects back to the application after I authorize it, but it manages to retain state (the GET parameters that were passed from the Drive UI). I think this is inconsistent with what the code describes and I was wondering if there is any explanation for this behaviour. A hosted version of the DrEdit app can be found here: http://idning-gdrive-test.appspot.com/
In the case of starting the app from the Drive UI, that code path is never touched. The redirect to the authorization endpoint is initiated directly from Drive. In other words, the path is:
Drive -> auth -> DrEdit
By the time it gets to the app the user has already made their decision. The state is passed through in the state query parameter.
To see the code path you're referring to in action, revoke access again. But instead of starting from Drive, just try loading the app directly. You might need to delete cookies for the app too. Anyway, in that case when the app loads it'll detect that the user isn't authorized and redirect to the auth endpoint:
DrEdit -> auth -> DrEdit
Hope that helps.
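The two paths described above, as an added example (not DrEdit's or the poster's code): it replicates the redirect_uri derivation from CreateOAuthFlow, builds the step-1 authorize URL, and stands in for the approval page to show that the state parameter only survives the round trip when whoever starts the flow (Drive, in the first path) puts it into the authorize URL. The endpoint constant, client ID, scope and authorization code are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Google's authorization endpoint, the target of oauth2client's step 1.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
# Constructed sample values; DrEdit reads the real ones from client_secrets.json.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
SCOPES = ["https://www.googleapis.com/auth/drive.file"]

def derive_redirect_uri(request_url):
    """Replicates CreateOAuthFlow: drop the query string, then the last path segment."""
    return request_url.split('?', 1)[0].rsplit('/', 1)[0]

def build_authorize_url(redirect_uri, state=None):
    """Step 1 of the OAuth 2.0 web-server flow. `state` is opaque to the
    authorization server and is echoed back unchanged to redirect_uri."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": " ".join(SCOPES)}
    if state is not None:
        params["state"] = state
    return AUTH_ENDPOINT + "?" + urlencode(params)

def simulate_auth_server(authorize_url, code="constructed-auth-code"):
    """Stand-in for the approval page: after approval the browser is sent to
    redirect_uri carrying `code` and, only if one was supplied, the same `state`."""
    q = parse_qs(urlsplit(authorize_url).query)
    out = {"code": code}
    if "state" in q:
        out["state"] = q["state"][0]
    return q["redirect_uri"][0] + "?" + urlencode(out)

def callback_params(callback_url):
    """What DrEdit sees on arrival: the code to exchange and the state, if any."""
    q = parse_qs(urlsplit(callback_url).query)
    return {k: v[0] for k, v in q.items()}

def drive_launch(app_url, drive_state):
    """Drive -> auth -> DrEdit: Drive starts the flow and sets state itself."""
    url = build_authorize_url(derive_redirect_uri(app_url), state=drive_state)
    return callback_params(simulate_auth_server(url))

def app_launch(app_url):
    """DrEdit -> auth -> DrEdit: RedirectAuth() passes only the redirect_uri to
    step1_get_authorize_url, so no state travels through the round trip."""
    url = build_authorize_url(derive_redirect_uri(app_url))
    return callback_params(simulate_auth_server(url))
```

On the real service the derived redirect_uri still has to match one registered for the client in the API Console, which is why the derivation only helps when the alternative host is registered too.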