Social Login with hybridauth Error - hybridauth

I always use the hybridauth library for social login via php, but when deploying to a new system, it always returns me this error:
Oops, we ran into an issue! The authorization state [state=HA-87J6MLDU2T0F514HVCBSPWGXIZOEY3NRKQA9] of this page is either invalid or has already been consumed.
I already tested in different browsers and with the social networks Google and Facebook; the script redirects to the social network and, after logging in, the error returned in the callback URL is the one above.

I had the same problem. After deleting all the cookies everything works again.
Note: localhost has its own cookies in the browser if you use a redirect.
Additionally check if the callback points to the correct URL.
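The error in the question is the library's OAuth state check failing. The following is an added illustration, not hybridauth's own code: a minimal state round-trip of the kind hybridauth performs, showing why a stale or missing session cookie (different host, cleared cookies, callback on the wrong URL) or a replayed callback yields "invalid or already consumed". The session slot name and TTL are assumptions.

```php
<?php
// Added example (not hybridauth's code): OAuth 2.0 "state" issue/consume cycle.
declare(strict_types=1);

const STATE_KEY = 'oauth_state';   // session slot name (assumption)

// Step 1: before redirecting to the provider, mint a random state and keep it server-side.
function issueState(array &$session): string
{
    // 128 bits of randomness; the "HA-" prefix only mirrors the page's error message.
    $state = 'HA-' . strtoupper(bin2hex(random_bytes(16)));
    $session[STATE_KEY] = ['value' => $state, 'issued' => time()];
    return $state;
}

// Step 2: on the callback, the state echoed back by the provider must match the one
// stored in *this* session, must not be expired, and is consumed exactly once.
function consumeState(array &$session, ?string $returned, int $ttl = 600): bool
{
    $stored = $session[STATE_KEY] ?? null;
    unset($session[STATE_KEY]);                 // one-time use: consume before comparing
    if ($stored === null || $returned === null) {
        return false;                           // no session: new host, cleared cookie, wrong callback domain
    }
    if (time() - $stored['issued'] > $ttl) {
        return false;                           // stale login attempt
    }
    return hash_equals($stored['value'], $returned);  // constant-time comparison
}

// Demo with a plain array standing in for $_SESSION.
$session = [];
$state = issueState($session);
echo 'first callback:   ', consumeState($session, $state) ? "accepted\n" : "rejected\n";
// A reload or duplicate callback re-sends the same state; it was already consumed.
echo 'replayed callback: ', consumeState($session, $state) ? "accepted\n" : "rejected\n";
// The callback lands on a host with a different cookie jar, so the session is empty.
$otherSession = [];
echo 'other session:    ', consumeState($otherSession, $state) ? "accepted\n" : "rejected\n";
```

Run with `php state_demo.php`; only the first callback is accepted, which is the same behaviour the error message in the question reports.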

Related

No redirect to callback URL when authenticating to Instagram

I am having trouble with my server-side login flow to Instagram. I am using:
passport.js (passport-instagram) in my Node.js server, at the domain example.com
A simple WebView in my android client.
The issue is that sometimes after typing the credentials the client is not redirected to the callback url.
These are the URLs as seen from the client when everything is working:
https://example.com/auth/instagram : user visits my server and is redirected to instagram
https://api.instagram.com/oauth/authorize/?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Fredirect%2Finstagram&client_id=XXXXX
https://example.com/auth/redirect/instagram?code=YYYYY : we reach the callback url
These are the URLs as seen from the client when the flow is not working:
https://example.com/auth/instagram : user visits my server and is redirected to instagram
https://api.instagram.com/oauth/authorize/?response_type=code&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%2Fredirect%2Finstagram&client_id=XXXXX : same as before
https://www.instagram.com/oauth/authorize/?response_type=code&redirect_uri=https://example.com/auth/redirect/instagram&client_id=XXXXX
https://www.instagram.com/accounts/login/?force_classic_login=&next=/oauth/authorize/%3Fresponse_type%3Dcode%26redirect_uri%3Dhttps%3A//example.com/auth/redirect/instagram%26client_id%3DXXXXX : here I type my credentials
https://www.instagram.com/
As you can see, at the end of the login, instead of being redirected to my server, I end up in https://www.instagram.com/ (successfully logged in, by the way).
Why is this happening?
I have no idea myself. Everything seems properly encoded. Might be some Android WebView setting that has to be tweaked (but the same WebView works great with authenticating with other auth providers), might be some passport.js configuration error (but I am using it successfully for all other providers), ...
This appears to be resolved within our application now. Is anyone else still experiencing issues?
Having the same issue on my end, and I have replicated it on other live apps that use Instagram connect.
I've filed a bug report with Instagram but their developer support is quite minimal and I'm not sure if I'll hear back.
That said, I have to assume this is impacting a number of apps and not just ours so hopefully they are working on a fix.

Redirect Loop for Google Account login with SSL for Custom Domain on Google App Engine

I have setup SSL (VIP) for a custom domain on my Google App Engine app (https://www.gqueues.com).
Everything works fine for most of my users. There are no problems at all for users who login with their Google Apps accounts (which uses OpenId). Most users who login with their Google Accounts don't have any problems either.
HOWEVER, a handful of Google Account users get a redirect loop error
(ERR_TOO_MANY_REDIRECTS) like the image below when they attempt to login.
This is the code I'm using to create the login url. It's worked fine for the last 3 years, and the only thing that has changed is that it now goes to https instead of http:
loginURL = users.create_login_url("https://www.gqueues.com/main")
The main page has login required:
@login_required
def get(self):
I am unable to reproduce the redirect loop with any of my test accounts or machines. However, one of my users reported that it seemed to be looping between these two addresses:
https://appengine.google.com/_ah/loginform?state=xxxxxxxxxxx
https://www.gqueues.com/_ah/conflogin?state=xxxxxxxxxxxxxx
On some other SO posts about redirect loops people suggest that some of these auth pages are getting cached, but I've checked and all of them use a 302 redirect which doesn't get cached.
Also, I've had the users with the issue clear their browser cache and cookies and make sure they are NOT blocking third-party cookies, but none of this helps. The problem occurs on various browsers and operating systems, so I don't think it pertains to a particular setup.
The only thing that works is to have the users with the problem access my app on the appspot address:
https://gqueues-hrd.appspot.com
This of course is not really a solution at all. The reason I'm spending thousands of dollars for the SSL certificate and VIP on GAE is so that everything the user sees is on my custom domain (and so that I'm using my own certificate and not some shared one from Google).
Does anyone (particularly from the App Engine team) have any idea what's going on? It seems like the issue is somewhere in the Google Account login code implemented in App Engine or perhaps with the new SSL for custom domains code.
Thanks much,
Cameron
We think we've identified the problem on the App Engine side and we're working on a fix. Thanks!

Oauth Twitter and Facebook Apps within iframes

I am writing a browser app to update statuses / tweet to Facebook and Twitter automatically on users' behalf.
My issue is I need this app to work within an iframe as the app is written in PHP but needs to work within an ASP site.
Is this going to be possible? I have tested this and it seems to update the status when already authenticated but I am having issues authenticating from within the iframe.
Many thanks in advance for any help.
Twitter won't allow you to embed its OAuth authentication parts. However, actual requests or anything else isn't a problem.
I'd assume that this is the same for Facebook, especially when you're using PHP to make the requests.
To answer your (second) question: you can probably just get all query data in ASP and pass it to the PHP frame. I've never done ASP but in PHP that would be something as simple as <iframe src='frame.php?<?php echo $_SERVER['QUERY_STRING']; ?>'>
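The snippet in the answer above reflects the raw query string into the page. As an added example (not the answerer's code), the same handoff to frame.php with the parameters allow-listed, rebuilt and escaped for the attribute; the parameter names are assumptions.

```php
<?php
// Added example: hand the OAuth callback parameters to the PHP frame without
// echoing $_SERVER['QUERY_STRING'] unescaped into HTML.
declare(strict_types=1);

// Keep only the parameters frame.php actually needs (assumed names), then rebuild the query.
function buildFrameSrc(string $queryString, array $allowed = ['oauth_token', 'oauth_verifier', 'code', 'state']): string
{
    parse_str($queryString, $params);
    $kept = array_intersect_key($params, array_flip($allowed));
    $kept = array_filter($kept, 'is_string');   // drop nested values such as a[]=1
    $src = 'frame.php' . ($kept ? '?' . http_build_query($kept) : '');
    // Escape for use inside a quoted attribute; ENT_QUOTES also covers single quotes.
    return htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: a legitimate callback plus an unrelated parameter containing a quote.
$qs = "oauth_token=abc123&oauth_verifier=xyz789&extra=it's";
echo "<iframe src='" . buildFrameSrc($qs) . "'></iframe>\n";
```

In the ASP page the query string would be forwarded the same way; the allow-list means unexpected parameters never reach the frame at all.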

authentication redirect with offline webapp (gae python, html5)

To GAE+html5 gurus out there :)
When user logs on to a GAE hosted application, his credentials are stored locally in a cookie (correct?).
After this cookie expires (e.g. if users hits logout on another browser tab), no login_required protected methods will work.
Regular webapp will require re-authentication next time the user navigates to a login_protected url by automatically redirecting to a login screen.
What would be the right way for a cached webapp to be handling this?
My test is a simple login_protected page accessed by Chrome and iOS browser. It's cached and accessible offline as expected. Then, (while online) and after the authentication expires, the server log shows a 302 response which is followed by 200 response of the authentication dialog page, but of course no authentication happens.
Thanks!
If you are using Google authentication to provide access to your page, then even if you are logged in to one of the other Google services, your cookie still exists in the browser. login_required will assume that you are logged on based on the cookie. What you are seeing is a redirection to Google's page; that's the 302. If you want, you can manage sessions on your own and check for authentication based on your data in the Datastore. There are lots of solutions available for both Python and Java.

Is it possible for an Android application to use Open-ID service?

I have a C/S solution, which takes Android as its client and PHP as its server.
I have my own account system.
I'm wondering whether I could let my users log in to my system with a Google Account?
I saw there are web solutions for this; for example, stackoverflow.com can use a Google Account to log in directly.
Is there a solution for C/S system?
Not without a web browser.
If the user isn't logged in to google (or any other provider), he has to authenticate with the provider first. This is done via a web browser, and you shouldn't even try doing it in any other way (for security reasons, the user should be sure that he is connected to the provider, for example by seeing the url in his browser).
However, even if the user is logged in, the provider needs to know that -- usually using a cookie. And cookies are stored within a web browser. So in theory, you could parse the browser's cookie file, and then try immediate authentication, but that won't work until you log in and authorize the relying party via a web browser first.