I have a query concerning the OAuth2 process. I’m working with Python and FastAPI, having set up the OAuth2 flow with the redirect handled on the frontend due to backend accessibility issues. The sequence is as follows:
The frontend sends a login request to the backend.
The backend generates a state in the session and redirects to the Identity Provider.
The Identity Provider verifies the data and sends a redirect to the specified URL.
The frontend receives the authorization code and state, and forwards an authorization request to the backend.
The backend validates the state, but encounters an issue as it receives a new session, making it impossible to confirm the received data.
Lastly, there’s access token validation.
The frontend, which uses React JS, simply takes the code and state from the Identity Provider and sends it through. What could be causing this issue? Is it necessary for the frontend to handle requests in a way that maintains the session, or is using request.session not ideal (as many OAuth2 libraries employ this method)? I was running tests locally, so session loss due to cross-domain requests shouldn’t be the issue. The process was functional when the redirect URL was located on the backend.
You might wanna check same-origin policy settings on the browser. Even if it's local, there could be some hiccups with cookie sharing between frontend and backend in different domains. Use HTTP-only cookies for the session or look into using localStorage to pass state securely, depends on your app's security needs.
It seems you may be running into issues with how sessions are being managed. I’ve had a similar issue before and found that using tokens, like JWTs, as an alternative to managing sessions can simplify this process. With JWTs, the token contains all the necessary information about the user and is included in each request, avoiding the session state problem altogether. Another possibility is to ensure that the frontend is configured to send credentials with each request, as cross-origin requests often drop cookies, breaking the session management.
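To make the failure in the question's step 6 concrete (and the point above about the frontend not sending credentials), here is an added simulation that is not the poster's code: a constructed in-memory session store stands in for a cookie-backed request.session, and a flag models whether the frontend's forward to the backend carries the session cookie.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory session store: session cookie value -> session data.
# This stands in for a cookie-backed request.session (an assumption, not the
# poster's actual FastAPI setup).
SESSIONS: dict[str, dict] = {}


def start_login() -> tuple[str, str]:
    """Step 2 of the flow: create a session, store a fresh state in it and
    return (session_cookie, state) so the redirect to the IdP can carry state."""
    cookie = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"oauth_state": state}
    return cookie, state


def handle_callback(session_cookie: Optional[str], returned_state: str) -> bool:
    """Step 6: validate the state forwarded by the frontend against the session.
    If no cookie (or an unknown one) arrives, the backend sees a brand-new,
    empty session, which is the symptom in the question: nothing to compare."""
    session = SESSIONS.get(session_cookie) if session_cookie else None
    if session is None:
        return False  # new/empty session: stored state is gone, must fail
    expected = session.pop("oauth_state", None)  # single use: consume it
    if expected is None:
        return False  # already used or never set: reject replays
    return hmac.compare_digest(expected, returned_state)


def simulate(frontend_forwards_cookie: bool) -> bool:
    """Run the whole sequence once. The flag models whether the frontend's
    request to the backend carries the session cookie (credentials) or not."""
    cookie, state = start_login()
    # The IdP redirects to the frontend with code and the same state...
    cookie_sent = cookie if frontend_forwards_cookie else None
    # ...and the frontend forwards the state to the backend.
    return handle_callback(cookie_sent, state)


if __name__ == "__main__":
    print("cookie forwarded:", simulate(True))   # True
    print("cookie dropped:", simulate(False))    # False
```

The second run reproduces the question's failure: the state in the callback is correct, but the backend has no session to compare it with, so fixing the cookie transport (credentials on the request, a SameSite setting that allows it) is what makes step 6 pass.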
That’s an intriguing problem! Perhaps check how your session is being managed. Could it be due to how the frontend sends requests without cookies? What if you tried a different way to maintain sessions between requests, might it resolve the state validation problem? Curious about your solution!
Sounds like a CSRF protection issue. Some ID providers use an anti-forgery state token. Ensure your frontend passes the state correctly and maintains it in a manner that persists even on page reload. Also, look into your cookies’ ‘SameSite’ attribute—it might affect cross-site request handling.