Python Django-使用Google oauth2进行CSRF验证失败
我按照谷歌教程登录后端服务器并进行身份验证,我最终要做的是将对应用程序的访问限制为只访问带有公司域名的电子邮件。 我认为问题在于javascript:Python Django-使用Google oauth2进行CSRF验证失败,python,django,google-api,csrf,google-oauth,Python,Django,Google Api,Csrf,Google Oauth,我按照谷歌教程登录后端服务器并进行身份验证,我最终要做的是将对应用程序的访问限制为只访问带有公司域名的电子邮件。 我认为问题在于javascript: function onSignIn(googleUser) { // Useful data for your client-side scripts: var profile = googleUser.getBasicProfile(); console.log("ID: " + profile.getId());
function onSignIn(googleUser) {
// Useful data for your client-side scripts:
var profile = googleUser.getBasicProfile();
console.log("ID: " + profile.getId()); // Don't send this directly to your server!
console.log('Full Name: ' + profile.getName());
console.log('Given Name: ' + profile.getGivenName());
console.log('Family Name: ' + profile.getFamilyName());
console.log("Image URL: " + profile.getImageUrl());
console.log("Email: " + profile.getEmail());
// The ID token you need to pass to your backend:
var id_token = googleUser.getAuthResponse().id_token;
console.log("ID Token: " + id_token);
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://yourbackend.example.com/tokensignin');
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function() {
console.log('Signed in as: ' + xhr.responseText);
};
xhr.send('idtoken=' + id_token);
};
下面是python部分:
def autenticar_usuario(request):
# (Receive token by HTTPS POST)
CLIENT_ID="CLIENT_ID"
APPS_DOMAIN_NAME='example.com'
if request.method == 'POST':
token = request.POST["idtoken"]
try:
idinfo = client.verify_id_token(token, CLIENT_ID)
# If multiple clients access the backend server:
if idinfo['aud'] not in [CLIENT_ID]:
raise crypt.AppIdentityError("Unrecognized client.")
if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
raise crypt.AppIdentityError("Wrong issuer.")
if idinfo['hd'] != APPS_DOMAIN_NAME:
raise crypt.AppIdentityError("Wrong hosted domain.")
except crypt.AppIdentityError:
# Invalid token
userid = idinfo['sub']
return render(request, 'log_in.html')
错误是这样的:
“CSRF验证失败。请求已中止。'
html:
登录
函数onSignIn(谷歌用户){
//客户端脚本的有用数据:
var profile=googleUser.getBasicProfile();
console.log(“ID:+profile.getId());//不要直接将其发送到服务器!
log('Full Name:'+profile.getName());
log('给定名称:'+profile.getGivenName());
console.log('Family Name:'+profile.getFamilyName());
log(“图像URL:+profile.getImageUrl());
log(“Email:+profile.getEmail());
//需要传递到后端的ID令牌:
var id_token=googleUser.getAuthResponse().id_token;
日志(“ID令牌:+ID_令牌”);
var xhr=new XMLHttpRequest();
xhr.open('POST','https://yourbackend.example.com/tokensignin');
setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.onload=函数(){
log('Signed-in-as:'+xhr.responseText);
};
send('idtoken='+id_token);
};
向我们展示包含登录表单的html页面模板。@johngordony您没有在表单提交过程中发送CSRF令牌。我尝试修改:xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');到xhr.setRequestHeader(“X-CSRFToken”,CSRFToken);你知道如何正确使用它们吗@Johngordon实际上您正在发送令牌;我以为它会被叫做别的东西。我的错误。显示包含登录表单的html页面模板。就是这样@johngordony您没有在表单提交中发送CSRF令牌。我尝试修改:xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');到xhr.setRequestHeader(“X-CSRFToken”,CSRFToken);你知道如何正确使用它们吗@Johngordon实际上您正在发送令牌;我以为它会被叫做别的东西。我的错误。
<!DOCTYPE html>
<html >
<head>
<meta charset="UTF-8">
<title>Log In</title>
</head>
<body>
<meta name="google-signin-client_id" content="">
<div class="g-signin2" data-onsuccess="onSignIn"></div>
<script>
function onSignIn(googleUser) {
// Useful data for your client-side scripts:
var profile = googleUser.getBasicProfile();
console.log("ID: " + profile.getId()); // Don't send this directly to your server!
console.log('Full Name: ' + profile.getName());
console.log('Given Name: ' + profile.getGivenName());
console.log('Family Name: ' + profile.getFamilyName());
console.log("Image URL: " + profile.getImageUrl());
console.log("Email: " + profile.getEmail());
// The ID token you need to pass to your backend:
var id_token = googleUser.getAuthResponse().id_token;
console.log("ID Token: " + id_token);
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://yourbackend.example.com/tokensignin');
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function() {
console.log('Signed in as: ' + xhr.responseText);
};
xhr.send('idtoken=' + id_token);
};
</script>
<script src="https://apis.google.com/js/platform.js" async defer></script>
</body>