Invalid request state: oauth2 flask

问题

I am using the following code for authentication using oauth 2.0

oauth2.init_app(
    app,
    scopes=['email', 'profile'],
    authorize_callback=_request_user_info)

The route is as follows

@app.route('/')
@oauth2.required
def hello():
    """Return a friendly HTTP greeting."""
    return 'Hello ' + session['profile']['displayName']

The auth callback method

def _request_user_info(credentials):
    """
    Makes an HTTP request to the Google+ API to retrieve the user's basic
    profile information, including full name and photo, and stores it in the
    Flask session.
    """
    http = httplib2.Http()
    credentials.authorize(http)
    resp, content = http.request(
        'https://www.googleapis.com/plus/v1/people/me')

    if resp.status != 200:
        current_app.logger.error(
            "Error while obtaining user profile: %s" % resp)
        return None

    session['profile'] = json.loads(content)

I can see the consent screen and then after that there are too many redirects. The logs shows the following.

NFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:21] "GET / HTTP/1.1" 302 -
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:21] "GET /oauth2authorize?scopes=profile&scopes=email&return_url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 302 -
INFO:oauth2client.client:Successfully retrieved access token
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:27] "GET /oauth2callback?state=%7B%22csrf_token%22:+%22aa7d28d2496c0e0714eac20b902c1e4db21677d333a837d743525a9696d6c976%22,+%22return_url%22:+%22http://127.0.0.1:8080/%22%7D&code=4/Kz1xkENjHrTzLphfEG8CGND7tkeGXxjIffZxMwSr_hU HTTP/1.1" 302 -
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:27] "GET / HTTP/1.1" 302 -
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:27] "GET /oauth2authorize?scopes=profile&scopes=email&return_url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 302 -
INFO:oauth2client.client:Received token response with no refresh_token. Consider reauthenticating with approval_prompt='force'.
INFO:oauth2client.client:Successfully retrieved access token
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:28] "GET /oauth2callback?state=%7B%22csrf_token%22:+%22862efe9c1803e12c5c1323b5f68d8bbf185ba89d5d46268924ac527d3dca886c%22,+%22return_url%22:+%22http://127.0.0.1:8080/%22%7D&code=4/nU8o3y3zslgd9KVXJ_NDtzJUZfABeF6ka4IbYSiGKcs HTTP/1.1" 302 -
INFO:werkzeug:127.0.0.1 - - [10/Apr/2016 15:25:28] "GET / HTTP/1.1" 302 -

Eventually I see a page with the words. Invalid request state

回答1:

This can happen when the cookie session grows to large and the new CSRF token can't be saved to the session. Can you check the cookie sizes in your responses?

We fixed part of this problem with oauth2client 2.0.2, but if you're still experiencing it with that version I'd like to get some more info.

We do highly recommend using a database-backed session such as memcache/redis instead of cookies.

来源：https://stackoverflow.com/questions/36526212/invalid-request-state-oauth2-flask