Intermittently getting 'Unable to retrieve stored state!' #76

Open
fabito opened this issue Dec 22, 2014 · 12 comments

Comments

@fabito

fabito commented Dec 22, 2014

I'm using the Google OAuth2 provider and for some reason we are getting the error below intermittently:

authomatic: Google: Continuing OAuth 2.0 authorization procedure after redirect.
authomatic: Google: Validating request by comparing request state with stored state.
authomatic: Google: Reported suppressed exception: FailureError('Unable to retrieve stored state!',)!
authomatic: Google: Procedure finished.
 Error during authentication flow Unable to retrieve stored state!

See below how I'm initializing Webapp2Session:

session = Webapp2Session(self, session=self.session)

Any clue on what could be causing this ?

Thanks in advance
Fábio

@mudkipium

mudkipium commented Dec 19, 2016

I'm getting this for Facebook now—did you ever figure out how to fix this error?

@mickey06

mickey06 commented Apr 4, 2017

I'm also seeing this error on Chrome/56.0.2924.87 with the build 0.1.0.post1

@mrichar1
Member

mrichar1 commented Jun 8, 2017

We have had a big overhaul of code with several PRs and other issues resolved. Please can you try this again with the latest code from master and let us know if the issue still persists.

@alyoshark

Hi @mrichar1 ,

Thank you so much for the awesome work!

I'm currently using the latest pull from Github master and am seeing similar error by the following Django code:

from django.http import HttpResponse, HttpResponseRedirect
from django.views.decorators.http import require_http_methods
from authomatic.adapters import DjangoAdapter

# AUTHOMATIC is the app's module-level Authomatic(CONFIG, <secret>) instance,
# created elsewhere in the project.

@require_http_methods(('GET',))
def login(request):
    # The adapter writes the authomatic cookie and any redirect headers onto this response.
    response = HttpResponse()
    result = AUTHOMATIC.login(DjangoAdapter(request, response), 'google')
    if result and result.user:
        # Profile fields can be empty until explicitly fetched from the provider.
        if not getattr(result.user, 'email', None):
            result.user.update()
            # Some customized AuthBackend stuff here
        response = HttpResponseRedirect('/')
    elif result and result.error:
        print(result.error)
        return HttpResponse('{"msg": "login-failed"}', status=401)
    # Phase 1: result is None and `response` carries the redirect to the provider.
    return response

# printed error being:
> Unable to retrieve stored state!

Suspecting the handling of session is not quite updated with Django 1.11.2 which is the version we are using. I've added some random print-outs and it seems that the session was indeed set after _session_set but upon _session_get at phase 2 the session object becomes an empty dict.

The cookie is returned to the browser as Set-Cookie: authomatic=... with correct domain and path values though. Thank you very much!

@mrichar1
Member

mrichar1 commented Jun 11, 2017

Hi @xch91 - thanks for the extra info.

I've tried using google as a provider with the django example in the repo (after making some appropriate updates to get it working with django > 1.10 (#185).)

I can't seem to get it to fail in the way you describe - logins are always successful, and the _session_get('csrf') always returns an appropriate value.

Can you try using the example code to at least rule out any issues elsewhere in your code that I can't see? The only change you'll need to make (apart from applying #185 and creating an appropriate config.py) is to add google to the views - something like:

--- a/examples/django/example/simple/views.py
+++ b/examples/django/example/simple/views.py
@@ -13,7 +13,7 @@ authomatic = Authomatic(CONFIG, 'a super secret random string')
 def home(request):
     # Create links and OpenID form to the Login handler.
     return HttpResponse('''
-        Login with <a href="login/fb">Facebook</a>.<br />
+        Login with <a href="login/google">Google</a>.<br />
         Login with <a href="login/tw">Twitter</a>.<br />
         <form action="login/oi">
             <input type="text" name="id" value="me.yahoo.com" />
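Review bot: the hunk swaps the Facebook link for the Google one instead of adding a second link, so the example's home page loses the `login/fb` path; if the goal is only to exercise Google alongside the existing providers, keep the `-` line and add `Login with <a href="login/google">Google</a>.<br />` as a new line after it. The new link also assumes a provider keyed `google` is present in the CONFIG that `config.py` supplies. Separately, the hunk header shows `authomatic = Authomatic(CONFIG, 'a super secret random string')`, i.e. the secret hard-coded in the example file; anyone adapting this for a deployment should load it from configuration rather than source.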

Thanks!

@alyoshark

Hi @mrichar1 ,

That was a very prompt reply 👍

I tried to mimic something similar to the simple app as closely as possible (with no AUTHENTICATION_BACKENDS and tried both cache and signed_cookie as SESSION_ENGINE) but still seeing the same error. If I subclass oauth2.Google and explicitly disable supports_csrf_protection, it works unproductionly smoothly.

The simple app was also tried but it returns an 'Invalid Signature' error which I haven't dug deep into XDD

Thank you :)

@mrichar1
Member

Thanks for testing!

Invalid Signature: is raised when deserializing the cookie when getting data, if the returned signature doesn't match the one sent. This implies that something is interfering with the data coming and going between the app, the oauth provider and/or the browser.

Can you let me know what browser you are using for testing, and also try without any browser plugins or other add-ons enabled ('private browsing' mode is probably a good idea).

Can you also check that the time is correctly in sync on both the client where the browser is running, and the app server?
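
The two checks this thread keeps hitting, the stored-state comparison that fails in the log quoted at the top of the issue and the cookie signature check that produces 'Invalid Signature' as mrichar1 describes, as an added stand-alone example. This is not authomatic's code: the cookie layout (`<base64 json>.<hmac-sha256 hex>`), the key `SECRET`, and the functions `make_state_cookie`, `load_session`, `validate_state`, `callback_outcome` and `run_scenarios` are this example's own, and the scenarios it runs are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a real deployment loads the signing key from configuration, not source.
SECRET = b"example-signing-key-do-not-use"


class StateError(Exception):
    """Raised for any failure of the state check (hypothetical name)."""


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_state_cookie(session: dict) -> str:
    """Phase 1 (before redirecting to the provider): mint a random `state`,
    store it in the session, and serialise the session as a signed cookie."""
    session["state"] = secrets.token_urlsafe(32)
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def load_session(cookie: Optional[str]) -> dict:
    """Phase 2 (provider redirected back): rebuild the session from the cookie.
    A cookie that never came back (blocked third-party cookie, a window that
    dropped it, wrong domain/path) yields an empty session rather than an error
    here; the symptom only surfaces later as 'Unable to retrieve stored state!'."""
    if not cookie:
        return {}
    payload, _, sig = cookie.rpartition(".")
    if not payload or not hmac.compare_digest(sig, _sign(payload)):
        raise StateError("Invalid Signature")
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def validate_state(session: dict, request_state: Optional[str]) -> None:
    """Compare the `state` query parameter the provider echoed back against the
    stored one, in constant time, and consume the stored value."""
    stored = session.get("state")
    if stored is None:
        raise StateError("Unable to retrieve stored state!")
    if not request_state or not hmac.compare_digest(stored, request_state):
        raise StateError("State mismatch")
    del session["state"]


def callback_outcome(cookie: Optional[str], request_state: Optional[str]) -> str:
    """Run the phase-2 checks and report the outcome as a string."""
    try:
        validate_state(load_session(cookie), request_state)
        return "ok"
    except StateError as exc:
        return str(exc)


def run_scenarios() -> dict:
    """Constructed scenarios: a clean round trip plus the three failure modes
    discussed in the thread (cookie never came back, cookie altered, state forged)."""
    session: dict = {}
    cookie = make_state_cookie(session)
    state = session["state"]
    # Flip the last hex digit of the signature to simulate an altered cookie.
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "valid": callback_outcome(cookie, state),
        "no_cookie": callback_outcome(None, state),
        "tampered": callback_outcome(tampered, state),
        "forged_state": callback_outcome(cookie, "attacker-chosen-value"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} -> {outcome}")
```

The `no_cookie` case is the shape of the intermittent failure: the state was stored and the Set-Cookie header went out, but the browser did not present the cookie on the redirect back, so the server sees an empty session and the CSRF check cannot run. The `tampered` case is what a modified or mis-transmitted cookie looks like from the server side. One caveat of carrying the session in the cookie itself: deleting the consumed state only changes what the server writes back, so an old cookie value can still be replayed until it expires; single-use state in the strict sense needs server-side session storage.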

@alyoshark

Argh!!! I tried another time with Opera Private mode and it worked XDD
What happened to my good old Chrome?!

Thank you so much for the million dollar suggestion. Will explore into the syndrome later.

@mrichar1
Member

mrichar1 commented Jun 14, 2017

@xch91 If you do find out the issue in the browser, please let us know so we can document/expect it.

@olivierpons

Always develop in private mode. Otherwise try CTRL F5 to force full refresh.

@summerisgone

summerisgone commented Jan 19, 2018

@mrichar1 I experienced issues with Safari both on iOS and osx with Facebook-connect.

Update: We do use a CORS API on a different domain, and Safari doesn't support third-party cookies, the authomatic cookie included.

@mrichar1
Member

After several years of inactivity, authomatic is now under community management, and we have just released a new stable version (1.0.0).

We are now reviewing all issues and PRs and hoping to begin work to solve as many of these as possible.

We are keen to find out which issues still apply, and which PRs are still required/are likely to merge cleanly into the current code. We are aiming to review them all, but any help with prioritisation would be very useful!

If you are still interested in having this issue/PR resolved, or are able to help us work on it, please reply to this message. That way we know which issues are most important to the community.
