OnyebuchiDeji commented on issue #34024:
URL: https://github.com/apache/airflow/issues/34024#issuecomment-4399086239
The issue was immediately fixed when I ran my development frontend using the URL "127.0.0.1".

In my case, using Google Console OAuth 2.0 App Clients for development, the issue kept occurring because my frontend (NodeJS) was open on "localhost:5173" and from this URL I was trying to perform the OAuth handshake. It continually led to the "CSRF mismatch state not equal" error. The OAuth handshake was handled by my backend (Flask), using the Authlib `oauth` object. The issue was immediately fixed when I ran my development frontend from "127.0.0.1:5173".

Now, Authlib's OAuth functions (in my case `authorize_redirect`) implicitly interpret "localhost" as "127.0.0.1" during the redirect; this means that in the Authorized JavaScript Origins (and the Authorized Redirect URLs, for consistency) of your OAuth Client(s), your dev URLs must always use "127.0.0.1". This is needed so that all other errors do not affect it.

Still, there are other considerations. For development using HTTP, your Flask `app.config` should have these settings:

```python
app.config.update(
    SESSION_COOKIE_SAMESITE='Lax',  # Works and is better than 'None'
    SESSION_COOKIE_SECURE=False,    # Required for HTTP development
)
```

Now, following the previous paragraph's reasoning, the frontend starts the OAuth handshake --- in my case, redirecting to the appropriate backend route `.get("/google-login")`. Then in that route, `oauth.google.authorize_redirect(<your_redirect_uri>)` is called. After the user finishes their Google Sign-in, Google should redirect back to `<your_redirect_uri>`
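The two failure modes described in the comment above (a session cookie that does not follow the browser from 127.0.0.1 to localhost, and a Secure cookie that is never sent over plain http) can be reproduced without a browser. The following is an added example, not code from the issue thread, Airflow or Authlib: it uses Python's `http.cookiejar`, whose host and scheme matching mirrors a browser's, to play both sides of the handshake. The backend URLs, the cookie name `session` holding the raw state (Flask really stores a signed session blob) and the scenario names are constructed for the illustration.

```python
"""Added example (not from the issue thread, Airflow or Authlib): reproduce why
an OAuth 'state' kept in a session cookie is missing at the callback when the
browser lands on a different host (localhost vs 127.0.0.1) or when the cookie
is flagged Secure but development runs over plain http.  Python's
http.cookiejar applies the same host/scheme matching rules a browser does, so
no Flask or Authlib is needed.  All URLs below are constructed."""
import secrets
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def begin_authorization(jar: CookieJar, login_url: str, secure_cookie: bool = False) -> str:
    """Simulate the backend's /google-login step (what authorize_redirect does
    internally): mint a random CSRF state, store it in a session cookie scoped
    to the backend's host, and return the state that goes into the provider's
    authorization URL.  Simplification: the cookie holds the raw state rather
    than Flask's signed session blob."""
    state = secrets.token_urlsafe(16)
    attrs = f"session={state}; Path=/; SameSite=Lax"
    if secure_cookie:                       # SESSION_COOKIE_SECURE=True
        attrs += "; Secure"
    jar.extract_cookies(_FakeResponse(attrs), Request(login_url))
    return state


def finish_authorization(jar: CookieJar, callback_url: str, returned_state: str) -> bool:
    """Simulate the callback: the provider sends the browser to
    callback_url?state=<returned_state>; the backend compares that with the
    state in whatever session cookie the browser presents.  No cookie, or a
    different state, is the CSRF / state-mismatch error."""
    req = Request(callback_url)
    jar.add_cookie_header(req)              # adds Cookie only if host/scheme rules allow
    header = req.get_header("Cookie")
    if header is None:
        return False
    cookies = dict(part.strip().split("=", 1) for part in header.split(";"))
    return cookies.get("session") == returned_state


def demo() -> dict:
    """Run the scenarios from the issue comment; each value is True when the
    handshake completes and False when the state check fails."""
    results = {}

    jar = CookieJar()
    state = begin_authorization(jar, "http://127.0.0.1:5000/google-login")
    results["same_host"] = finish_authorization(jar, "http://127.0.0.1:5000/google-auth", state)
    # Session was set for 127.0.0.1 but the redirect URI says localhost: the
    # cookie is not sent to localhost, so the stored state is simply absent.
    results["host_mismatch"] = finish_authorization(jar, "http://localhost:5000/google-auth", state)
    # Same host, but the returned state does not match the stored one.
    results["tampered_state"] = finish_authorization(jar, "http://127.0.0.1:5000/google-auth", "not-the-state")

    jar = CookieJar()
    state = begin_authorization(jar, "http://127.0.0.1:5000/google-login", secure_cookie=True)
    # SESSION_COOKIE_SECURE=True while developing over plain http: the browser
    # never returns the cookie, so every callback fails the state check.
    results["secure_over_http"] = finish_authorization(jar, "http://127.0.0.1:5000/google-auth", state)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:17s} -> {'ok' if ok else 'state mismatch'}")
```

Running the module prints one line per scenario; only `same_host` succeeds. The `host_mismatch` case is the one the comment hits: nothing is wrong with the state itself, the browser just has no cookie for the host the redirect URI names, which is why keeping every dev origin and redirect URI on "127.0.0.1" fixes it. The `secure_over_http` case is what `SESSION_COOKIE_SECURE=False` avoids during http development, and should be flipped back to `True` once the app is served over https.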