Google OAuth CORS issue w/ flask-dance

huangapple

Question


I am setting up a flask-dance + flask-login project and am having issues with CORS. Specifically, I follow the standard flask-dance setup for Google OAuth:

from flask import Flask
from flask_dance.contrib.google import make_google_blueprint
import constants  # holds GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET

app = Flask(__name__)
google_blueprint = make_google_blueprint(
    client_id=constants.GOOGLE_CLIENT_ID,
    client_secret=constants.GOOGLE_CLIENT_SECRET,
    scope=["profile", "email"]
)
# /b/google_login/google starts the flow; /b/google_login/google/authorized is the callback
app.register_blueprint(google_blueprint, url_prefix="/b/google_login")

On the frontend, I make a GET request to {backend}::/b/google_login/google, but get the following error:

Access to XMLHttpRequest at 'https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A5001%2Fb%2Fgoogle_login%2Fgoogle%2Fauthorized&scope=profile+email&state=xxx' (redirected from 'http://localhost:5001/b/google_login/google') 
from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have added the redirect URI (i.e. /b/google_login/google/authorized) to the redirect-URI whitelist. I am confused why this error is happening - as I am proxying the OAuth redirect through my server.

When I attempt the flow through window.href = http://localhost:5001/b/google_login/google - the flow works without issue.

Anyone have any idea why this is happening?
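The following is an added example, not code from the question, the answer, or flask-dance itself. It is a small model of the decision the browser makes for the request in the question: a fetch()/XMLHttpRequest that is redirected into another origin is subject to a CORS check on every response in the chain, including the final one from accounts.google.com, whereas a top-level navigation (window.location) is not. All URLs, headers and the two-hop redirect chain are constructed to mirror the error message above; the model ignores credentials mode and the "null" origin a browser uses after a cross-origin redirect.

```python
# Added example, not code from the question or from flask-dance: a model of the
# CORS decision a browser makes for the redirect chain in the question.
# All URLs and headers below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

PAGE_ORIGIN = "http://localhost:3000"   # the front end in the question
BACKEND = "http://localhost:5001"       # the Flask app in the question


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def origin_of(url: str) -> str:
    """scheme://host:port, the unit the same-origin policy and CORS compare."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def cors_check(page_origin: str, resp: Response) -> bool:
    """A response is readable if it is same-origin, or if the *responding* server
    opted in with Access-Control-Allow-Origin matching the page's origin (or '*')."""
    if origin_of(resp.url) == page_origin:
        return True
    acao = resp.headers.get("Access-Control-Allow-Origin")
    return acao in ("*", page_origin)


def browser_fetch(page_origin: str, chain: List[Response]) -> Tuple[bool, str]:
    """fetch()/XMLHttpRequest: follow redirects, applying the CORS check to each
    response. The first response that fails blocks the whole request, and the
    page never gets to see the body."""
    for resp in chain:
        if not cors_check(page_origin, resp):
            return False, f"blocked by CORS policy at {resp.url}"
    return True, chain[-1].url


def browser_navigate(chain: List[Response]) -> Tuple[bool, str]:
    """Top-level navigation (window.location = ...): the browser simply follows
    the redirects and renders the final page; CORS does not apply."""
    return True, chain[-1].url


def question_chain(backend_sends_acao: bool = True) -> List[Response]:
    """Constructed redirect chain matching the question: the Flask route 302s to
    Google's authorization endpoint, which answers with an HTML login page and
    (correctly) no Access-Control-Allow-Origin header."""
    hop1 = Response(
        url=f"{BACKEND}/b/google_login/google",
        status=302,
        headers={"Location": "https://accounts.google.com/o/oauth2/auth?response_type=code"},
    )
    if backend_sends_acao:  # what blanket CORS on the Flask app would add
        hop1.headers["Access-Control-Allow-Origin"] = PAGE_ORIGIN
    hop2 = Response(
        url="https://accounts.google.com/o/oauth2/auth?response_type=code",
        status=200,
        headers={"Content-Type": "text/html"},
    )
    return [hop1, hop2]


if __name__ == "__main__":
    print("fetch, backend sends ACAO:   ", browser_fetch(PAGE_ORIGIN, question_chain()))
    print("fetch, backend without ACAO: ", browser_fetch(PAGE_ORIGIN, question_chain(False)))
    print("navigation:                  ", browser_navigate(question_chain()))
```

Run stand-alone, the model reproduces what the poster observed: the navigation succeeds, while the fetch is blocked at whichever hop first lacks a matching Access-Control-Allow-Origin header. Because the last response in the chain is Google's, a header added by the Flask app changes only the first hop; the authorization endpoint is designed to be reached by a top-level navigation, which is also where flask-dance's `state` parameter (visible in the error URL) does its CSRF-protection job when Google redirects back to `/b/google_login/google/authorized`.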

Answer 1

Score: 1

You could call CORS and pass your Flask object that way. It is, as some in the comments have pointed out, really janky and insecure, as it would enable CORS for your entire application.

I'm dealing with a similar issue on a different application where I'm passing some data between domains for an emergency alert system. In my case I'm using a jsonpCallback and Ajax to pass data between the domains.

huangapple
  • Posted on February 19, 2023 11:57:57
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75497899.html