flask with open-ids

I have a login problem with my app (namitkewat.pythonanywhere.com)! My code is based on https://github.com/miguelgrinberg/microblog/archive/v0.12.zip. It is working fine on localhost, but on your hosting it's not. My app is using OpenID (from Google, Yahoo and MyOpenID). Earlier, just 1 day before, only Google OpenID was working and the other two were not, but now none of them are working. I saw there is a post (https://www.pythonanywhere.com/forums/topic/312/) related to that on your forum, but that didn't help me much. Any idea how to resolve it?

Hi xbrlfinapp,

What are the symptoms of your problem? Free accounts do not have direct internet access and must connect via a proxy server which only allows connections to a whitelist of sites. This could be causing problems if your openid providers are not on that whitelist.

But Google account based OpenID was working 2 days before? You can check the access log as well, or should I send that access log? And now all have stopped working. And their URLs are: Google: https://www.google.com/accounts/o8/id, Yahoo: https://me.yahoo.com, MyOpenID: https://www.myopenid.com

I am moving my app from xbrlfinapp.pythonanywhere.com to namitkewat.pythonanywhere.com! Because this app is live, I can't keep it idle. But the problem remains the same.

Hi again, I've added myopenid to the whitelist. That change is live now.

You mention that it doesn't work but you haven't been able to share the symptoms. Are you getting an error message from somewhere? That information would be very helpful and might let me understand why it is broken and how to fix it.

Cheers

The problem is still there. I don't know what is happening. The source code of the website is at https://github.com/miguelgrinberg/microblog/archive/v0.12.zip. A similar kind of error was present in the post (https://www.pythonanywhere.com/forums/topic/312/) where nothing happens when the user clicks on these URLs, and the problem was resolved by increasing the request size. So does this apply here also?

I'd be quite surprised if the request size was a problem now that the limit is 32K - having very briefly tried the code locally, I only see requests of 4-6K. However, the URLs used seem to be quite massive - well over 1K in some cases. I wonder if PA has a configured limit on request URL size separate from the limit on request headers?

@xbrlfinapp: A friendly tip - just saying "it doesn't work" or even linking to another post isn't really very helpful. To get the best response, describe what you're doing which provokes the problem, what you expect to see when you do that and what you're seeing instead. If you don't describe exactly what the problem is, it's very hard for anybody to help. Don't assume you're seeing the same problem as another post, even if it looks similar, so it's still really important you explain what you're seeing in as much detail as you can.

OK. I have performed some experiments and here are the results:

  • In a free account, I created a web app from the flask-openid example. It needed some changes because it appears to be for a different version of flask-openid than the one that installs from pip.
  • I tried the three OpenID URLs that namitkewat.pythonanywhere.com uses. All of them failed.
  • I gave the free account unrestricted internet access and tried again. The Google OpenID URL worked, the Yahoo one failed and the MyOpenID one worked.

So my conclusion is that there is an incompatibility between the proxy we use for free accounts and the openid library used by flask-openid. We've bumped into an issue like this before and it is not a simple fix. It's a complicated SSL-related issue in one of the base URL libraries in Python. It's very unlikely that we'll get a fix for it any time soon.

Yes, I remember the discussion of that issue at the time. I seem to remember the only solution would be to block via iptables rules rather than a proxy, although I can't remember if I ever actually suggested that or just thought of it. That does entail the effort of maintaining a list of IP addresses for the whitelisted hostnames, however, which is potentially a bit of a pain, and I guess it's hard to justify the effort when it only affects free accounts.

If you did decide to do that, don't forget to use getaddrinfo()! (^_^)
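The iptables idea from the post above, sketched as an added example (not code from this thread or from PythonAnywhere): it expands a hostname allowlist into per-address egress rules with `getaddrinfo()`, which returns every IPv4 and IPv6 address for a name. The hostnames come from the provider URLs quoted earlier in the thread; `fake_resolver` and its documentation-range addresses are constructed so the block runs offline, and the rule layout (OUTPUT chain, TCP 443) is an assumption.

```python
import ipaddress
import socket

# Hostnames taken from the provider URLs quoted earlier in this thread.
ALLOWED_HOSTS = ["www.google.com", "me.yahoo.com", "www.myopenid.com"]


def resolve_all(host, port=443, resolver=socket.getaddrinfo):
    """Return every IPv4 and IPv6 address for host, deduplicated and sorted."""
    # gethostbyname() would give one IPv4 address only; the rest stay blocked.
    infos = resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    addrs = {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def build_rules(hosts, port=443, resolver=socket.getaddrinfo):
    """Build iptables/ip6tables ACCEPT rules for the hosts' current addresses."""
    rules, unresolved = [], []
    for host in hosts:
        try:
            addrs = resolve_all(host, port, resolver)
        except socket.gaierror:
            unresolved.append(host)  # report instead of silently dropping
            continue
        for addr in addrs:
            tool = "iptables" if addr.version == 4 else "ip6tables"
            rules.append(f"{tool} -A OUTPUT -d {addr} -p tcp --dport {port} "
                         f"-j ACCEPT  # {host}")
    return rules, unresolved


def fake_resolver(host, port, family=0, type=0):
    """Constructed sample answers in the shape getaddrinfo() returns."""
    table = {
        "www.google.com": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
        "me.yahoo.com": ["198.51.100.7", "198.51.100.7"],
    }
    if host not in table:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return [(socket.AF_INET6 if ":" in ip else socket.AF_INET,
             socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]


if __name__ == "__main__":
    rules, unresolved = build_rules(ALLOWED_HOSTS, resolver=fake_resolver)
    print("\n".join(rules))
    print("unresolved:", unresolved)
```

The resolved addresses are a snapshot, so the rules have to be regenerated whenever a provider's DNS answers change, which is the maintenance cost the post mentions.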

Hi guys, have you corrected anything for the free accounts related to OpenID? I experience the same issue. Has it been corrected for the fee-paying accounts? Thanks!

Paying accounts get direct access to the internet. So most things just work for them. We also offer a money back guarantee so you can try it and see if it fixes the problem.

Has there been any update to this issue in the last six months?

Is there any tracking for this issue, or is this the best place to look for updates?

I am experiencing a similar problem; should I try upgrading to the paid account as a test?

For the record, I get a 403 error when my browser tries to hit this URL: http://rangevsrange.pythonanywhere.com/login/?next=http://rangevsrange.pythonanywhere.com/home&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2014-02-23T01%3A15%3A14Z9enAbocgbLt9LA&openid.return_to=http%3A%2F%2Frangevsrange.pythonanywhere.com%2Flogin%2F%3Fnext%3Dhttp%3A%2F%2Frangevsrange.pythonanywhere.com%2Fhome&openid.assoc_handle=1.AMlYA9VPNuSu_D8uGznXovWmossfSNUf-wfdNFN9N0jcLKvYk1SmQxAqwUVpQ3DM&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.firstname%2Cext1.value.firstname%2Cext1.type.lastname%2Cext1.value.lastname%2Cext1.type.language%2Cext1.value.language%2Cext1.type.email%2Cext1.value.email&openid.sig=Nu%2BEcbJbfo11eMerb2iRQJ6%2B2O0%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawnsk0QDCwo7kRa2tfXIakI19w_pZESHNgA&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawnsk0QDCwo7kRa2tfXIakI19w_pZESHNgA&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.firstname=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstname=Guy&openid.ext1.type.lastname=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastname=Upstairs&openid.ext1.type.language=http%3A%2F%2Faxschema.org%2Fpref%2Flanguage&openid.ext1.value.language=en&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.email=rangevsrange%40gmail.com#

All I see on the error log is: 2014-02-23 01:15:08,843 :Starting new HTTPS connection (1): www.google.com

Access log shows my request and that the response is a 403. Server log also shows that www.google.com is being hit (or at least attempted, I guess).

I see (from the little gold star) that you've decided to upgrade -- let us know if it works ok now?

The 403 was my problem. The code was aborting with a 403 because it was failing to access the database upon login.

I got it working with an upgraded account. Then I downgraded again for comparison. Here are the results:

  • Flask-OpenID fails with a free account. I get a "The OpenID was invalid" error.
  • Flask-GoogleAuth succeeds with a free account.
  • Flask-OpenID succeeds with a paid account.
  • Flask-GoogleAuth succeeds with a paid account.

(Note that I am using Flask-GoogleAuth with a virtualenv, because it's not in the default package set.)

Any questions, let me know. I'm subscribed to this thread.

You can see my code at https://github.com/RangeVsRange/range-vs-range/. There's a main.py that uses Flask-GoogleAuth and a main_openid.py that uses Flask-OpenID. (As of commit d07ee4c673434abde47564244ce441a95c8a8bc5.)

Thanks for that analysis, rangevsrange. From previous investigations, there are some python url libraries that fail when they do SSL through a proxy and my suspicion is that the difference you see between the libraries on Free accounts is related to that.

[edit 2014-11-27: cf this issue on the python-openid project]