sample using lock v10.5 when up-to-date version is 10.10. (AUTH-3714)

The ´state´ parameter is missing on the callback url.

Reproduce this issue by following this steps:

-Select the login option.
-Type the credentials of the account (or if you login before, select your account)
-Click login.

In each of the login cases (Using a previously logged in accout or using a new account) the ´state´ parameter is missing

In home.html and dashboard.html the Auth0.js version is 8.6.

The newest version is 8.9.

AUTH-3370

Thank you for posting this project.

It looks like http://localhost:3000/login and http://localhost:3000/logout are no longer supported on Auth0.

Thru the Learn More link next to the setup login-uri on the Application page.

https://auth0.com/docs/universal-login/default-login-url

The login_url should point to a route in the application that ends up redirecting to Auth0's /authorize endpoint, e.g. https://mycompany.org/login. Note that it requires https and it cannot point to localhost.

I ended up changing my hosts file, adding https and then it would work.

Auth0 Callback URL = http://localhost:3000/callback

Authorization redirect URL: https://dev-d67-1kl7.auth0.com/authorize?response_type=code&client_id=Aagx9t5baBdrZ3rIin4fMqfMw9Kq4V3E&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&scope=openid+profile&state=UQ6QAgMDQErF8mDE3eVwdY0T6FAwDQ&audience=https%3A%2F%2Fdev-d67-1kl7.auth0.com%2Fuserinfo

Access token post URL:
https://dev-d67-1kl7.auth0.com/oauth/token?grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&code=Nu_01CVROeZk9gfj&state=UQ6QAgMDQErF8mDE3eVwdY0T6FAwDQ

Can someone please help on this issue.

Testing the quick start repo and getting the following error, right after I create a new user:
Terminal:
127.0.0.1 - - [16/Sep/2021 14:26:26] "GET /callback?code=8MhzbyBT86ezkFrr&state=gW9kEsq9Hnizp7gAqs4MTyDieWtFAq HTTP/1.1" 500 -
Browser response:
"message": "mismatching_state: CSRF Warning! State not equal in request and response."

Note:
I made sure http://localhost:3000/callback was added to "Allowed Callback URLs" in Auth0 dashboard and http://localhost:3000/logout to "Allowed Logout URLs".

Thank you!

Reference auth0/auth0-python#71

The application sets static directory to root, which is a bad idea
Then uses send_from_directory to execute sending the static files

I've fixed both of these in my fork, please review and consider pulling (I can't seem to get pull request to work)

https://github.com/deidyomega/auth0-python-web-app

From Flask:

'Dynamic web applications also need static files. That’s usually where the CSS and JavaScript files are coming from. Ideally your web server is configured to serve them for you, but during development Flask can do that as well. Just create a folder called static in your package or next to your module and it will be available at /static on the application.'

I was toying around with this example over the weekend and more or less just cloned the demo code. I'm able to load the login page just fine, but when trying to log in, I get this:

 /usr/local/lib/python3.9/site-packages/werkzeug/sansio/response.py:230: UserWarning: The 'session' cookie is too large: the value was 5400 bytes but the header required 26 extra bytes. The final size was 5426 bytes but the limit is 4093 bytes. Browsers may silently ignore cookies larger than this.

The error is pretty self explanatory, and is triggered by server.py#L46.

Adding a simple print() statement to server.py, I'm able to verify that the payload returned by oauth.auth0.authorize_access_token() is fine.

I haven't tried rolling back the versions yet, but I'm using the latest versions of all dependencies:

Flask==2.2.2
Authlib==1.2.0
requests==2.28.2

Update: Rolling back to pinned versions in requirements.txt doesn't make a difference.

.env File:
Inappropriate use of AUTH0_CLIENT_SECRET
Callback URL not filled.

Hello

I had some issue when installing all the project dependencies from the requirements.txt file. It seems that the package dotenv is not properly named.

I had the following error when running the app.

Traceback (most recent call last):
  File "server.py", line 9, in <module>
    from dotenv import load_dotenv
ImportError: No module named dotenv

I was able to fix this issue by doing the following :

pip uninstall dotenv # uninstalling dotenv to avoid conflicts
pip install python-dotenv # install the proper package

I recommend changing the name of the package from dotenv to python-dotenv if you guys are facing this issue as well.

have a nice day 😄

Readme.md in flask-webapp example missing instruction about installing dependencies. User should run pip install -r requirements.txt to install dependencies. (AUTH-3449)

And there is a deprecation warning

/usr/local/lib/python3.8/site-packages/authlib/flask/client/__init__.py:6: AuthlibDeprecationWarning: Deprecate "authlib.flask.client", USE "authlib.integrations.flask_client" instead.
It will be compatible before version 1.0.
Read more <https://git.io/Jeclj#file-rn-md>
  deprecate('Deprecate "authlib.flask.client", USE "authlib.integrations.flask_client" instead.', '1.0', 'Jeclj', 'rn')

for this line:

https://github.com/auth0-samples/auth0-python-web-app/blob/master/01-Login/server.py#L15

from authlib.flask.client import OAuth

should be:

from authlib.integrations.flask_client import OAuth

Hope that helps someone.

This problem is due to the dependency deprecada python-jose.

By default the access token returned by the auth0.authorize_redirect call is A256GCM encoded. However that is very opaque to any new users (like myself). In order for this token to be returned as a valid JWT, the login endpoint can simply provide an audience parameter.

I found this unclear in the docs, and this took me multiple days of debugging to fix. I think the sample docs would benefit from having the code sample below updated for the login endpoint in server.py.

server.py

@app.route("/login")
def login():
    return oauth.auth0.authorize_redirect(
        redirect_uri=url_for("callback", _external=True),
        audience=env.get("AUTH0_AUDIENCE")
    )

Then the .env.example file can be updated to be:

AUTH0_CLIENT_ID={CLIENT_ID}
AUTH0_CLIENT_SECRET={CLIENT_SECRET}
AUTH0_DOMAIN={DOMAIN}
AUTH0_AUDIENCE={AUDIENCE}
APP_SECRET_KEY=ALongRandomlyGeneratedString

Edit:
Here is a post from 2021 what mentions this same behaviour:
https://community.auth0.com/t/auth0-access-token-is-missing-the-jws-payload/71674/3

Two bugs in the seed project:

• readme should specify that users must add the callback url to their client settings
• pre-filled seed project (on Auth0 client page) does find/replace on "{domain}" in the code, but this is already handled by the code token_url = 'https://{domain}/oauth/token'.format(domain=env[constants.AUTH0_DOMAIN]), etc.

The Quickstart sample should request openid profile email scope, not only openid profile,

'scope': 'openid profile email',

because email is in most cases needed and when using the Quickstart as a reference in tutorials, I'd otherwise always need to add a section where the reader would need to adjust the code just for this.

I'm able to successfully login and have my callback URL called, with a valid looking code token. However I'm getting a

{
  "message": "access_denied: Unauthorized"
}

In

auth0.authorize_access_token()

in the callback function.

The logs say "failed exchange" with the following details:

{
  "date": "2021-11-02T03:18:02.729Z",
  "type": "feacft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": null,
  "client_name": null,
  "ip": "108.28.73.248",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "details": {
    "code": "******************************************G1M"
  },
  "hostname": "dev--i****pk.us.auth0.com",
  "user_id": "",
  "user_name": "",
  "log_id": "90020211102031805905893429383434853960365843545617072130",
  "_id": "90020211102031805905893429383434853960365843545617072130",
  "isMobile": false
}

The application type is "Native" with Token Endpoint Authentication Method of "None". I didn't change any of the other defaults other than setting the AUTH0_CLIENT_ID, AUTH0_CALLBACK_URL and other variables in the Python code and making the corresponding changes in the app settings..

Please help!

The tutorial seems broken, I keep hitting this error when I run python server.py.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/flask/app.py", line 2525, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/flask/app.py", line 1822, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/flask/app.py", line 1820, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/flask/app.py", line 1796, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "server.py", line 40, in login
    return oauth.auth0.authorize_redirect(
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/authlib/integrations/flask_client/apps.py", line 46, in authorize_redirect
    rv = self.create_authorization_url(redirect_uri, **kwargs)
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/authlib/integrations/base_client/sync_app.py", line 309, in create_authorization_url
    metadata = self.load_server_metadata()
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/authlib/integrations/base_client/sync_app.py", line 294, in load_server_metadata
    resp = session.request('GET', self._server_metadata_url, withhold_token=True)
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/authlib/integrations/requests_client/oauth2_session.py", line 104, in request
    return super(OAuth2Session, self).request(
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/Users/vincentwarmerdam/Development/auth0-python-fastapi-sample/venv/lib/python3.8/site-packages/requests/adapters.py", line 565, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='none', port=443): Max retries exceeded with url: /.well-known/openid-configuration (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x104816490>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known'))

I'm using Python 3.8.9 with the requirements.txt provided in this repo.

(AUTH-3947)
There is no logout functionality defined in the project.

From a noob Pythonista perspective I curious why there is a need for the constants.py file. The key value pairs can be put directly into the env file. In any case, they env file takes precedence over the os.environ.get() values, no? Another minor simplification: Why import environ as env?

Think it'll save people some headaches to indicate here, and in the python Quickstart which version of python the example is in.

I first tried this in a virtualenv with python 3.5, and took me longer than I would have liked until I found this about jose dependency in python 3 :
https://stackoverflow.com/questions/47390278/django-auth0-a-bytes-like-object-is-required-not-str-python-3-5-2

Works fine in python 2.7 though

Flask-webapp example use outdated version of lock library. (AUTH-3450)

auth0-samples
vue
I successfully tested auth0-vue-samples/01-Embedded-Login

python
The python samples I tested failed out of the box:

• auth0-python-api-samples/00-Starter-Seed
• auth0-python-web-app/01-Login

david4096/flask-auth0-example
This sample worked successfully with zero changes required. This sample worked successfully with lock versions 10.0 and 11.7.

I'm interested in using the latest Auth0 python client and embedded login functionality. Can someone please help me resolve the issues with the auth0-samples?

Python versions:

• python 2.7
• python 3.6

Auth0 application settings:

• PipelineAI
• PipelineAI CLI values

OS:

• macOS High Sierra
• Version 10.13.5

Web browsers

:

• Google Chrome

• Version 67.0.3396.99 (Official Build) (64-bit)

• Firefox (2-Step Verification)

• 60.0.2 (64-bit)

• Safari

• Version 11.1.1

Steps to reproduce:

git clone [email protected]:auth0-samples/auth0-python-web-app.git
cd auth0-python-web-app/01-login
mv .env.example .env

# populate PipelineAI CLI values below: 
# AUTH0_CLIENT_ID=I_REPLACED_THIS_WITH_VALUE_FROM_AUTH0_SITE
# AUTH0_DOMAIN=I_REPLACED_THIS_WITH_VALUE_FROM_AUTH0_SITE
# AUTH0_CLIENT_SECRET=I_REPLACED_THIS_WITH_VALUE_FROM_AUTH0_SITE
# AUTH0_CALLBACK_URL=http://localhost:3000/callback
# AUTH0_AUDIENCE=https://pipelineio.auth0.com/userinfo

# Registerd the URL below in PipelineAI CLI settings 
#   Allowed Callback URL : http://localhost:3000/callback
#   Allowed Logout URL   : http://localhost:3000

conda create --name auth0-python-web-app
source activate auth0-python-web-app
pip install -e . --ignore-installed --no-cache --upgrade

Navigating to http://localhost:3000/ successfully displays the Auth0 Example Zero friction identiy infrastructure, built for developers "LOG IN" page.

Selecting the "LOG IN" button then selecting "G" for Google login fails with:
message: "mismatching_state: CSRF Warning! State not equal in request and response.""

console output:

$ python server.py
 * Serving Flask app "server" (lazy loading)
 * Environment: production
   WARNING: Do not use the development server in a production environment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://0.0.0.0:3000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 107-607-125
127.0.0.1 - - [28/Jun/2018 09:30:48] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [28/Jun/2018 09:30:48] "GET /public/app.css HTTP/1.1" 200 -
127.0.0.1 - - [28/Jun/2018 09:30:48] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [28/Jun/2018 09:31:52] "GET /login HTTP/1.1" 302 -
127.0.0.1 - - [28/Jun/2018 09:32:19] "GET /callback?code=w72Bf0bVf06dgWkv&state=d2PGyFK4vg2aQb7MjajZz9mawK47of HTTP/1.1" 500 -
127.0.0.1 - - [28/Jun/2018 09:32:20] "GET /favicon.ico HTTP/1.1" 404 -

Is there a similar sample somewhere using tornado? Thanks.

This example uses Lock version 8.6. The oldest version documented on https://auth0.com/docs/libraries/lock is version 9. It would be helpful for this example to use version 10 (the latest version).

Steps to reproduce problem:

1. Download sample project from Auth0 client (.env is already populated with correct client ID, domain, and secret).
2. Add callback url to settings in Auth0 client.
3. Create virtualenv and run pip install -r requirements.txt.
4. Run python3 server.py and navigate to http://localhost:3000/
5. Press SIGNIN button.

ERROR GET RESPONSE
http://localhost:3000/callback?error=access_denied&error_description=Service%20not%20found%3A%20%7BAPI_AUDIENCE%7D

ERROR
auth0.v3.exceptions.Auth0Error: invalid_request: Missing required parameter: code

TRACEBACK:

Traceback (most recent call last):
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1997, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1985, in wsgi_app
    response = self.handle_exception(e)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1540, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/developer/Documents/auth0/00-starter-seed/server.py", line 64, in callback_handling
    AUTH0_CLIENT_SECRET, code, AUTH0_CALLBACK_URL)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/auth0/v3/authentication/get_token.py", line 49, in authorization_code
    headers={'Content-Type': 'application/json'}
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/auth0/v3/authentication/base.py", line 11, in post
    return self._process_response(response)
  File "/home/developer/.virtualenvs/auth0-starter-seed/lib/python3.5/site-packages/auth0/v3/authentication/base.py", line 22, in _process_response
    message=text['error_description'])
auth0.v3.exceptions.Auth0Error: invalid_request: Missing required parameter: code

Hello All,

@lepture @aaguiarz @alexisluque . I was trying to execute the example here in git for python web sample. But I'm facing the below error and not sure how to rectify it, since I'm a beginner in python. Could you please help me in resolving it, as I need it much badly.

error -> AttributeError: module 'constants' has no attribute 'AUTH0_CALLBACK_URL'

I'm using jupyter notebook to work on it and I have installed all the required dependencies as well. Please guide me. Thank you much in advance.

Regards,
Naresh E.

The sample project uses "https://cdn.auth0.com/js/auth0/8.6.0/auth0.min.js", but the newest version is 8.8.

AUTH-3370

requirements.txt is missing requests

https://github.com/auth0-samples/auth0-python-web-app/blob/master/01-Login/requirements.txt

The online docs have it listed,
https://auth0.com/docs/quickstart/webapp/python

in current demo, you get,

ModuleNotFoundError: No module named 'requests'

(env) local$ python server.py 
Traceback (most recent call last):
  File "server.py", line 15, in <module>
    from authlib.flask.client import OAuth
  File "/app/auth0/auth0-python-web-app/01-Login/env/lib/python3.7/site-packages/authlib/flask/client/__init__.py", line 3, in <module>
    from .oauth import OAuth, RemoteApp
  File "/app/auth0/auth0-python-web-app/01-Login/env/lib/python3.7/site-packages/authlib/flask/client/oauth.py", line 6, in <module>
    from authlib.client import OAuthClient, OAUTH_CLIENT_PARAMS
  File "/app/auth0/auth0-python-web-app/01-Login/env/lib/python3.7/site-packages/authlib/client/__init__.py", line 3, in <module>
    from .oauth1_session import OAuth1Session, OAuth1Auth
  File "/app/auth0/auth0-python-web-app/01-Login/env/lib/python3.7/site-packages/authlib/client/oauth1_session.py", line 2, in <module>
    from requests import Session
ModuleNotFoundError: No module named 'requests'
(env) local$ cat requirements.txt 
flask
python-dotenv
authlib
six
(env) local$ pip install requests
Collecting requests
  Using cached https://files.pythonhosted.org/packages/51/bd/23c926cd341ea6b7dd0b2a00aba99ae0f828be89d72b2190f27c11d4b7fb/requests-2.22.0-py2.py3-none-any.whl
Collecting idna<2.9,>=2.5 (from requests)
  Using cached https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl
Collecting urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 (from requests)
  Using cached https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests)
  Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests)
  Using cached https://files.pythonhosted.org/packages/69/1b/b853c7a9d4f6a6d00749e94eb6f3a041e342a885b87340b79c1ef73e3a78/certifi-2019.6.16-py2.py3-none-any.whl
Installing collected packages: idna, urllib3, chardet, certifi, requests
Successfully installed certifi-2019.6.16 chardet-3.0.4 idna-2.8 requests-2.22.0 urllib3-1.25.3
(env) local$ python server.py 
 * Serving Flask app "server" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: on
 * Running on http://0.0.0.0:3000/ (Press CTRL+C to quit)
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 176-266-647

I am trying to use this project and got it to work last night but I tried running it again this morning and I got the following error.

{ "message": "mismatching_state: CSRF Warning! State not equal in request and response." }

I am guessing this has something to do with the session/cookies because I didn't change anything else in the code but I am not sure how to fix it. Any suggestions?