oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state) CSRF Warning! State not equal in request and response. #202

Open
cwilko opened this issue Feb 6, 2023 · 3 comments

Comments

@cwilko
Contributor

cwilko commented Feb 6, 2023

Please answer these questions before submitting your issue. Thanks!

What version of Python are you using (python -V)?

Tried 3.6 and 3.9

What operating system and processor architecture are you using (python -c 'import platform; print(platform.uname());')?

Ubuntu

Which Python packages do you have installed (run the pip freeze or pip3 freeze command and paste output)?

Only those in requirements.txt from arlo repo

What did you do?

When I run the gmail_oauth.py script, and approve permissions in the browser, the script fails with the following stack:

Traceback (most recent call last):
  File "/home/cwilkin/Development/repos/arlo/gmail_oauth.py", line 20, in <module>
    credentials = flow.run_local_server(host='localhost',
  File "/home/cwilkin/Development/anaconda/envs/test/lib/python3.9/site-packages/google_auth_oauthlib/flow.py", line 521, in run_local_server
    self.fetch_token(authorization_response=authorization_response)
  File "/home/cwilkin/Development/anaconda/envs/test/lib/python3.9/site-packages/google_auth_oauthlib/flow.py", line 300, in fetch_token
    return self.oauth2session.fetch_token(self.client_config["token_uri"], **kwargs)
  File "/home/cwilkin/Development/anaconda/envs/test/lib/python3.9/site-packages/requests_oauthlib/oauth2_session.py", line 244, in fetch_token
    self._client.parse_request_uri_response(
  File "/home/cwilkin/Development/anaconda/envs/test/lib/python3.9/site-packages/oauthlib/oauth2/rfc6749/clients/web_application.py", line 220, in parse_request_uri_response
    response = parse_authorization_code_response(uri, state=state)
  File "/home/cwilkin/Development/anaconda/envs/test/lib/python3.9/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 278, in parse_authorization_code_response
    raise MismatchingStateError()
oauthlib.oauth2.rfc6749.errors.MismatchingStateError: (mismatching_state) CSRF Warning! State not equal in request and response.

What did you expect to see?

A generated credentials file

What did you see instead?

Does this issue reproduce with the latest release?

Seen on master

@cwilko
Contributor Author

cwilko commented Feb 6, 2023

I've managed to progress, but this is an issue if you decide to copy and paste the authorization url that is output via the following parameter authorization_prompt_message='Please visit this URL: {}'.format(authorization_url)

flow.run_local_server() generates a new authorization url internally which does not match the one output in the above prompt. The difference is the content of the state parameter.

I'm not sure how to fix this... might be best to remove the prompt and just rely on the page opened by the browser.

@lockieluke

how did you manage to fix login?

@lockieluke

ok you can't rely on the url it prints, you'll have to use the url the script automatically opens
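
The mismatch discussed in this thread, reproduced as a stdlib-only model of the RFC 6749 `state` check. This is an added example, not part of the thread and not code from the arlo repository, google_auth_oauthlib or oauthlib; `ToyFlow`, `MismatchingState`, the endpoint, client id, port and code value are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class MismatchingState(Exception):
    """Stand-in for oauthlib's MismatchingStateError in this sketch."""


class ToyFlow:
    """Hypothetical minimal OAuth 2.0 client that tracks one expected state."""
    AUTH_ENDPOINT = "https://auth.example.test/authorize"  # constructed placeholder

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.expected_state = None

    def authorization_url(self):
        # Every call mints a fresh state and overwrites the stored one.
        self.expected_state = secrets.token_urlsafe(24)
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "state": self.expected_state})
        return f"{self.AUTH_ENDPOINT}?{query}"

    def parse_callback(self, callback_url):
        # The state echoed back must equal the one sent with the latest request.
        params = parse_qs(urlparse(callback_url).query)
        returned = params.get("state", [""])[0]
        if not self.expected_state or not hmac.compare_digest(
                returned.encode(), self.expected_state.encode()):
            raise MismatchingState("state not equal in request and response")
        return params["code"][0]


def simulate_provider_redirect(auth_url, code="constructed-code"):
    """Constructed provider behaviour: echo the request's state to redirect_uri."""
    q = parse_qs(urlparse(auth_url).query)
    return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})


def run(use_printed_url):
    flow = ToyFlow("constructed-client-id", "http://localhost:8080/")
    printed_url = flow.authorization_url()  # URL formatted into the prompt message
    opened_url = flow.authorization_url()   # URL generated again for the browser
    visited = printed_url if use_printed_url else opened_url
    try:
        return flow.parse_callback(simulate_provider_redirect(visited))
    except MismatchingState:
        return "mismatching_state"
```

Following the printed URL returns the stale state and the check fails; following the URL generated last passes, which is why the state check should not be disabled to work around this.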
