
Your credentials aren't allowed for Google OAuth Authentication

Open franzramadhan opened this issue 3 years ago • 5 comments

Slack us first!

I have raised this issue in the Slack: https://owasp.slack.com/archives/C2P5BA8MN/p1661154750234779

Be informative

I am trying to set up OAuth2 authentication using Google by following this wiki, but I got an AuthForbidden error at /complete/google-oauth2/ after clicking the Login with Google button. The following environment variables have been set inside the uwsgi container.

DD_SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=G<redacted>
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=72<redacted>-<redacted>.apps.googleusercontent.com
DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED=true

Bug description

Traceback:

Environment:


Request Method: GET
Request URL: https://<defectdojo-public-url>/complete/google-oauth2/?state=zcdf7miQNPvWCuIR6HVSz1BzYLSNo7Xe&code=4%2F0AdQt8qh4uuehZ82fvSdcfs2dWRS-GuZr5TsN-TFVOh0bdUhChlFazlkSDeNsKWaD_2BhHQ&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&hd=<mydomain.com>&prompt=none

Django Version: 3.2.14
Python Version: 3.8.13
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'polymorphic',
 'django.contrib.admin',
 'django.contrib.humanize',
 'gunicorn',
 'auditlog',
 'dojo',
 'watson',
 'tagging',
 'imagekit',
 'multiselectfield',
 'rest_framework',
 'rest_framework.authtoken',
 'dbbackup',
 'django_celery_results',
 'social_django',
 'drf_yasg',
 'drf_spectacular',
 'tagulous',
 'django_prometheus')
Installed Middleware:
['django_prometheus.middleware.PrometheusBeforeMiddleware',
 'django.middleware.common.CommonMiddleware',
 'dojo.middleware.DojoSytemSettingsMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'dojo.middleware.LoginRequiredMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'watson.middleware.SearchContextMiddleware',
 'auditlog.middleware.AuditlogMiddleware',
 'crum.CurrentRequestUserMiddleware',
 'dojo.request_cache.middleware.RequestCacheMiddleware',
 'django_prometheus.middleware.PrometheusAfterMiddleware']



Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/usr/local/lib/python3.8/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
    return self.do_auth(response['access_token'], response=response,
  File "/usr/local/lib/python3.8/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/oauth.py", line 413, in do_auth
    return self.strategy.authenticate(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_django/strategy.py", line 105, in authenticate
    return authenticate(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/__init__.py", line 76, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 80, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 83, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/social_core/backends/base.py", line 113, in run_pipeline
    result = func(*args, **out) or {}
  File "/usr/local/lib/python3.8/site-packages/social_core/pipeline/social_auth.py", line 14, in auth_allowed
    raise AuthForbidden(backend)

Exception Type: AuthForbidden at /complete/google-oauth2/
Exception Value: Your credentials aren't allowed

Steps to reproduce the behavior:

  1. Enable debug mode
  2. Go to defectdojo login URL
  3. Click on Login with Google Button
  4. See error

Expected behavior

A clear and concise description of what you expected to happen.

Deployment method (select with an X)

  • [ ] Docker Compose
  • [x] Kubernetes
  • [ ] GoDojo

Environment information

  • Operating System:
defectdojo@defectdojo-django-84767bf788-f8bf7:/app$ uname -a
Linux defectdojo-django-84767bf788-f8bf7 5.4.188+ #1 SMP Sun Apr 24 10:03:06 PDT 2022 x86_64 GNU/Linux
  • DefectDojo version: v. 2.13.1 ( release mode )

Logs: (screenshot)

Screenshots: Google OAuth 2.0 scopes (screenshot)

Additional context (optional)

Add any other context about the problem here.

franzramadhan avatar Aug 22 '22 13:08 franzramadhan

Might be related to the following issues? 🤔

  • https://github.com/python-social-auth/social-app-django/issues/202#issuecomment-668754944
  • https://github.com/python-social-auth/social-app-django/issues/143#issuecomment-1124695313

franzramadhan avatar Aug 24 '22 03:08 franzramadhan

Any updates? @franzramadhan did you resolve this by some chance?

samsbp avatar May 17 '23 11:05 samsbp

Have the same issue here, anyone lucky enough to solve it?

mharoonkwentra avatar Jul 03 '23 06:07 mharoonkwentra

In my case this happened with the Azure AD login after rotating the app registration secret.

All I had to do was restart the Django deployment:

kubectl rollout restart deployment defectdojo-django

I guess it needs to load the new secret.

moxli avatar Oct 05 '23 07:10 moxli

@samsbp still no luck up to the latest release.

franzramadhan avatar Feb 02 '24 13:02 franzramadhan

@franzramadhan have you configured DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS?

ref: https://github.com/DefectDojo/django-DefectDojo/blob/2.32.2/dojo/settings/settings.dist.py#L109

nuradhi avatar Mar 27 '24 09:03 nuradhi
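The check nuradhi points at, modelled as an added example (not code from DefectDojo or python-social-auth): the auth_allowed pipeline step compares the Google account's e-mail against the backend's whitelisted e-mails and domains and raises AuthForbidden ("Your credentials aren't allowed") when a non-empty whitelist admits neither. The DD_..._WHITELISTED_EMAILS setting name is assumed to exist beside the domains setting named in the thread; all addresses and domains are constructed sample values.

```python
"""Model of the auth_allowed pipeline step behind the AuthForbidden above.
Added example, not code from DefectDojo or python-social-auth; the
e-mails/domains used are constructed sample values."""


class AuthForbidden(Exception):
    """Stand-in for social_core.exceptions.AuthForbidden (seen in the traceback)."""


def parse_list_setting(raw):
    """Split an env-var string such as 'a.com, B.com' into a lowercased list.
    An unset or empty value yields [], which means 'no restriction'."""
    if not raw:
        return []
    return [item.strip().lower() for item in raw.split(",") if item.strip()]


def auth_allowed(email, whitelisted_emails=(), whitelisted_domains=()):
    """Admit the account when both lists are empty, when the address is in the
    e-mail list, or when its domain is in the domain list (case-insensitive).
    A non-empty list that matches nothing is exactly the AuthForbidden case."""
    emails = [e.lower() for e in whitelisted_emails]
    domains = [d.lower() for d in whitelisted_domains]
    if not email or not (emails or domains):
        return True  # no e-mail returned, or no whitelist configured
    email = email.lower()
    domain = email.split("@", 1)[1] if "@" in email else ""
    return email in emails or domain in domains


def run_pipeline_step(details, settings):
    """Mimic social_core.pipeline.social_auth.auth_allowed: raise on a miss."""
    allowed = auth_allowed(
        details.get("email"),
        # WHITELISTED_EMAILS is assumed to sit beside the domains setting
        parse_list_setting(settings.get("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS")),
        parse_list_setting(settings.get("DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS")),
    )
    if not allowed:
        raise AuthForbidden("Your credentials aren't allowed")
    return details


def login_outcome(details, settings):
    """Return 'allowed' or 'forbidden' for a constructed callback."""
    try:
        run_pipeline_step(details, settings)
        return "allowed"
    except AuthForbidden:
        return "forbidden"
```

Run login_outcome with the e-mail Google returns for the account and the whitelist values from the uwsgi container's environment to see whether the whitelist, rather than the client key or secret, is what rejects the login.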