Home » Django » HTTPError 403 (Forbidden) with Django and python-social-auth connecting to Google with OAuth2

HTTPError 403 (Forbidden) with Django and python-social-auth connecting to Google with OAuth2

Posted by: admin November 30, 2017 Leave a comment

Questions:

Using python-social-auth, I get a 403: Forbiden error message after accepting access from google

EDIT: I’ve recently (2017) had the same error but under a new message: 401 Client Error: Unauthorized for url: https://accounts.google.com/o/oauth2/token

Answers:

You need to add the Google+ API to the list of enabled APIs on the Google Developer Console (under APIs)

Note: If you want to see the real error message, use the traceback to look at the content of the response variable (response.text). I use werkzeug for that (django-extensions + python manage.py runserver_plus).

Questions:
Answers:

Thanks also. I was using this python-social-auth tutorial by art and logic, but couldn’t get past a 403: Forbidden HTTPError at /complete/google-oauth2/ until enabling Google+ API as above and waiting for a few minutes for Google to enable it.

Additionally, I had to place the templates in a template directory and set
TEMPLATE_DIRS = ('/path/to/psa_test/thirdauth/templates/',)in settings.py.

Hope this helps someone along the way. All in all, it’s taken about 6 hours to figure it out. Not too bad, I’m happy.

Questions:
Answers:

For me I was using the full-URI scope which is deprecated by Google from Sept 1, 2014, this is mentioned in python-social-auth documentation here

http://psa.matiasaguirre.net/docs/backends/google.html#google-oauth2

Google is deprecating the full-url scopes from Sept 1, 2014 in favor of Google+ API and the recently introduced shorter scopes names. But python-social-auth already introduced the scopes change at e3525187 which was released at v0.1.24.

However if you don’t want to Enable the Google+ API for any reason and want to continue working with the full-uri old scope you need to follow the steps mentioned in the same link:

# Google OAuth2 (google-oauth2)
SOCIAL_AUTH_GOOGLE_OAUTH2_IGNORE_DEFAULT_SCOPE = True
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'
]

# Google+ SignIn (google-plus)
SOCIAL_AUTH_GOOGLE_PLUS_IGNORE_DEFAULT_SCOPE = True
SOCIAL_AUTH_GOOGLE_PLUS_SCOPE = [
'https://www.googleapis.com/auth/plus.login',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'
]

SOCIAL_AUTH_GOOGLE_OAUTH2_USE_DEPRECATED_API = True
SOCIAL_AUTH_GOOGLE_PLUS_USE_DEPRECATED_API = True

This worked for me as I didn’t want to enable the Google+ API at this point.