lyft / confidant

Confidant: your secret keeper. https://lyft.github.io/confidant

Google Auth - not getting user email

haggaret opened this issue · comments

I'm running Confidant in a docker container on an EC2 instance behind an Application Load Balancer in AWS.

I've configured Google Authentication as per the documentation here: https://lyft.github.io/confidant/basics/configuration/

After sorting through some config difficulties with google auth (on the google side), I appear to be able to get logged in, however, I can't seem to do anything, and the top right corner of the page shows "Logged in as | Log Out" - I expect this is due to the following exception that I'm seeing in the logs:

```
ERROR:confidant.app:Exception on /v1/user/email [GET]
Traceback (most recent call last):
  File "/venv/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/venv/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/venv/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/venv/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/venv/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/venv/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/srv/confidant/confidant/authnz/__init__.py", line 216, in decorated
    user_mod.check_authorization()
  File "/srv/confidant/confidant/authnz/userauth.py", line 208, in check_authorization
    email = self.current_email()
  File "/srv/confidant/confidant/authnz/userauth.py", line 123, in current_email
    ret = self.current_user()['email'].lower()
AttributeError: 'NoneType' object has no attribute 'lower'
```

I checked the config in the google developer console, and I do see under the Oauth Consent screen settings that the app in question allows the email, profile and openid scopes, so I would think that it should be able to get my email when I log in.

Not sure what I'm missing here. Has anyone else run into this when using Google Authentication?

Thanks

You need to enable the google+ api or you won't get an email address when logging in.

Hmmm...I followed the instructions, which included enabling the google+ api. I'll go double check that, but I'm not sure that is the problem.

Yeah, so when I look at the Dashboard for APIs & Services in the Google Developer console, I do see that Google+ API is enabled.

Ugh. I wonder if they changed the requirements for accessing the email and profile scopes...

Looks like it: https://developers.google.com/+/api-shutdown

I think for the short-term it's possible to continue using this sign-in flow, but I think maybe we also need to include the openid scope in the list of scopes: https://github.com/lyft/confidant/blob/master/confidant/authnz/userauth.py#L353-L356

Can you give that a try for me?

Seems we'll need to migrate to the new google sign-in flow. I'll see if our library supports it, or if we'll need to switch libraries.

If I'm reading things correctly, under the OAuth consent screen settings, for my 'app' (in this case, confidant) I see email, profile and openid listed under the Scopes for Google APIs heading, which makes me think it should have access to that scope already.

Yep, but we're not requesting it in the code

Right! 🙂

I will try building a new docker image locally with that change and try it out.

No joy if I simply add openid into the list for scope:

```python
'scope': [
    'profile',
    'email',
    'openid'
]
```

Looks like authomatic supports this properly in the 1.0.0 release. I'll have to see how much work it'll be to upgrade: authomatic/authomatic#197

@haggaret I have a PR open for upgrading authomatic. Are you able to try that branch?

I'll test this when I get a chance, but I don't have a google oauth setup right now and I won't get a chance till next week to try it out.

Yep, I can definitely try it.

Works like a champ Ryan! Thanks!

Thanks for the report! A fix is merged into master, and it'll be included in the next release, which we're planning on releasing today.
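The root cause in this thread is that the provider stopped returning an email claim, and `current_email()` then crashed on `None.lower()`, leaving a half-logged-in session ("Logged in as |"). The following is an added example, not Confidant's own code: a fail-closed version of the email lookup plus a check that the configured scope list contains `openid`, `profile` and `email`. The names `UserInfoError`, `current_email_hardened`, `resolve_login` and `missing_scopes` are hypothetical, and the user dicts are constructed to mimic what an OAuth library hands back.

```python
from typing import Optional

# Scopes the thread ends up needing; 'openid' is what makes the provider
# return an email claim. Assumption: an OIDC-style provider such as Google.
REQUIRED_SCOPES = ("openid", "profile", "email")


class UserInfoError(Exception):
    """Raised when the identity provider returned no usable email."""


def current_email_hardened(user: Optional[dict]) -> str:
    """Return the normalised email, or fail closed with a clear error.

    `user` is the dict produced after the OAuth flow (constructed in tests).
    A missing session, a missing 'email' key and an explicit None are all
    treated as "not authenticated" instead of surfacing as AttributeError.
    """
    if not user:
        raise UserInfoError("no user session")
    email = user.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise UserInfoError(
            "identity provider returned no email; check requested scopes"
        )
    return email.strip().lower()


def resolve_login(user: Optional[dict]) -> tuple:
    """What a request handler would do: ('ok', email) or ('login_required', why).

    Sending the user back to the login page is safer than rendering a page
    for an identity we could not establish.
    """
    try:
        return ("ok", current_email_hardened(user))
    except UserInfoError as exc:
        return ("login_required", str(exc))


def missing_scopes(requested) -> list:
    """Required scopes absent from the configured scope list (config-time check)."""
    present = set(requested)
    return [s for s in REQUIRED_SCOPES if s not in present]


if __name__ == "__main__":
    # Constructed responses: a healthy one, and the thread's failure mode
    # where the provider returns the profile but no email claim.
    print(resolve_login({"email": "Alice@Example.com", "name": "Alice"}))
    print(resolve_login({"name": "Alice", "email": None}))
    print(missing_scopes(["profile", "email"]))
```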