1

I am having difficulty using python-social-auth's implementation with Google.

The error I am receiving is 400: OpenID auth request contains an unregistered domain.

I have checked and rechecked and asked another developer to check the credentials for the project in the Google developers' console, and it all looks good.

I have used python-social-auth successfully in a past Django project, but this time around a solution to this escapes me.

The only differences (as far as I can tell) between this project and the last are:

  1. This site is currently a subdomain (test.domain.com)
  2. It is behind a Linode load balancer - the two application servers respond on static IPs to the balancer, nginx is configured for the domain/subdomain, and my DNS records have been updated.

I am aware that Google is in the process of deprecating OpenID, but my settings are configured to use OAuth2:

```python
import os  # needed for the os.environ lookups below

AUTHENTICATION_BACKENDS = (
    'social.backends.open_id.OpenIdAuth',
    'social.backends.google.GoogleOAuth2',
    'social.backends.google.GoogleOAuth',
    'social.backends.google.GoogleOpenId',
    'social.backends.facebook.FacebookOAuth2',
    'django.contrib.auth.backends.ModelBackend',
    # custom password checker - migrating from old rails site, want to preserve old passwords
    'auth.authentication.legacy_hasher.LegacyCustomerAuthBackend',
)

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = os.environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_KEY', 'redacted-key')

SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = os.environ.get('SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET', 'redacted-key')
```

Is there something that I missed, or something that I failed to configure?

vforgione
  • What's the domain sent? Is your balancer passing the host/protocol to your balanced nodes? – omab Jul 25 '14 at 17:14
  • @omab: The nginx access logs say that the correct domain and protocol is being sent. Everything looks good as far as the server is concerned. Could this be an issue due to the OpenID deprecation? Is there something I could tweak in the auth pipeline? Also, +1M for the project maintainer checking in on this. – vforgione Jul 25 '14 at 22:07
  • If the domain/protocol are OK and they are properly configured in the application in the `Google Console`, then I don't know what's going on. I see a few similar reports on SO about that error, for instance http://stackoverflow.com/questions/23780039/mvc-google-login-openid-auth-request-contains-an-unregistered-domain. BTW, you can switch to `Google OpenId Connect` by changing your urls to `/login/google-openidconnect` and the settings to `SOCIAL_AUTH_GOOGLE_OPENIDCONNECT_*`. – omab Jul 27 '14 at 18:32
  • I'll give the OpenId Connect approach a shot and let you know what happens. I think this is more due to a poor transition in Google's auth system. – vforgione Jul 28 '14 at 14:06

1 Answer

3

I completely overhauled my auth to make this work. It required no tweaks or forks or anything else of the sort. The issue is with Google and not python-social-auth. However, the docs need to be updated for the project to reflect the changes in Google and portray a recommended/tested strategy.

SOLUTION

The solution is in python-social-auth's issues under google+.

  1. In the Google Developer Apps Console, make sure you have your project registered.
  2. Under APIs, ensure you have Google+ activated.
  3. Under Credentials, generate a new client id...
  4. Ensure your domain/subdomain/port are all correct under the origin...
  5. Ensure the callback/redirect uri is the same as the origin, plus /complete/google-oauth2/.
  6. In your project's urls, make sure that you have social auth set up correctly.
  7. Wherever you are putting the link in your templates, make sure you are using {% url 'social:begin' 'google-oauth2' %}

That should take care of it.

VISUAL AID

... can't post images, lack of cred... imgur links ahoy!

APIs and Credentials

apis and creds images

urls.py

```python
url(r'^', include('social.apps.django_app.urls', namespace='social')),
```

settings.py

```python
import os  # needed for the os.environ lookups below

AUTHENTICATION_BACKENDS = (
    'social.backends.google.GoogleOAuth2',
    'social.backends.google.GooglePlusAuth',
    'django.contrib.auth.backends.ModelBackend',
)

MIDDLEWARE_CLASSES = (
    'django.middleware.gzip.GZipMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'social.apps.django_app.middleware.SocialAuthExceptionMiddleware',
)

TEMPLATE_CONTEXT_PROCESSORS = (
    'social.apps.django_app.context_processors.backends',
    'social.apps.django_app.context_processors.login_redirect',
    'django.contrib.auth.context_processors.auth',
)

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = os.environ.get(
    'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
    'some_stuff.apps.googleusercontent.com'
)

SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = os.environ.get(
    'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET',
    'secret'
)
```

templates

```html
<div class="container">
  <a href="{% url 'social:begin' 'google-oauth2' %}">Login With Google</a>
</div>
```
vforgione
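
The check behind omab's host/protocol question and steps 4 and 5 of the answer, as an added example that is not part of the original thread or of python-social-auth: it builds the callback URL an application node would derive from the scheme and Host header it sees behind the balancer, then lists which components differ from the redirect URI registered in the Google console. The function names, the internal address `192.0.2.10:8000` and the strict component-by-component comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# From step 5 of the answer: redirect URI = origin + /complete/google-oauth2/
CALLBACK_PATH = "/complete/google-oauth2/"


def callback_uri(scheme, host_header):
    """Callback URL a node derives from the scheme and Host header it receives."""
    return f"{scheme}://{host_header}{CALLBACK_PATH}"


def _parts(uri):
    u = urlsplit(uri)
    # Explicit port only: ":443" and "no port" are treated as different (strict).
    return {"scheme": u.scheme, "host": u.hostname, "port": u.port, "path": u.path}


def mismatches(sent, registered):
    """Components in which the URI the app sends differs from the registered one."""
    a, b = _parts(sent), _parts(registered)
    return [k for k in ("scheme", "host", "port", "path") if a[k] != b[k]]


def audit(registered, observed):
    """Map each callback URI built from an observed (scheme, host) to its mismatches."""
    return {
        callback_uri(scheme, host): mismatches(callback_uri(scheme, host), registered)
        for scheme, host in observed
    }


# Constructed sample data. test.domain.com is the question's placeholder host;
# the internal node address is hypothetical.
REGISTERED = "https://test.domain.com/complete/google-oauth2/"
OBSERVED = [
    ("https", "test.domain.com"),   # balancer passes host and protocol through
    ("http", "test.domain.com"),    # TLS ends at the balancer, scheme not forwarded
    ("http", "192.0.2.10:8000"),    # node sees its own address instead of the Host
]

if __name__ == "__main__":
    for uri, diff in audit(REGISTERED, OBSERVED).items():
        print("OK  " if not diff else "FAIL", uri, diff)
```

Feed `OBSERVED` from what the application nodes log, not from the balancer's access log, since the two can differ when forwarding headers are dropped.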