Django google-auth-oauthlib insecure_transport error on Cloud Workstations despite HTTPS and SECURE_PROXY_SSL_HEADER

I'm developing a Django application in the Firebase Studio environment. I'm trying to implement Google OAuth 2.0 for my users (doctors) to connect their Google Calendar accounts using the google-auth-oauthlib library.

The application is accessed via the public HTTPS URL provided by Firebase (e.g., https://8000-firebase-onlinearsts-...cloudworkstations.dev).

I've configured my Google Cloud Project, enabled the Calendar API, set up the OAuth consent screen, and created an OAuth 2.0 Client ID for a Web application with the correct https:// Authorized redirect URI (https://8000-firebase-onlinearsts-1753264806380.cluster-3gc7bglotjgwuxlqpiut7yyqt4.cloudworkstations.dev/accounts/google/callback/).

However, when my Django application's OAuth callback view (accounts.views.google_oauth_callback) attempts to exchange the authorization code for tokens using flow.fetch_token(), I get the following error:

Google Authentication Error An error occurred during the Google authentication process.

Error details: Error during OAuth exchange: (insecure_transport) OAuth 2 MUST utilize https.

I cannot understand why I'm receiving this error if I am utilizing https.

mysite/mysite/settings.py:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

# Google API Settings
GOOGLE_CLIENT_ID = '...'
GOOGLE_CLIENT_SECRET = '...'
GOOGLE_REDIRECT_URI = 'https://8000-firebase-onlinearsts-1753264806380.cluster-3gc7bglotjgwuxlqpiut7yyqt4.cloudworkstations.dev/accounts/google/callback/' # Matches Google Cloud Console

GOOGLE_CALENDAR_SCOPES = [
    'https://www.googleapis.com/auth/calendar.events',
    'https://www.googleapis.com/auth/calendar.readonly',
    'https://www.googleapis.com/auth/calendar',
]

To investigate why the insecure_transport error persists, I added debugging print statements to my callback view (accounts.views.google_oauth_callback) to inspect the incoming request headers and properties:

accounts/views.py:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render

@login_required
def google_oauth_callback(request):

    flow = get_flow(request) # get_flow sets redirect_uri using settings.GOOGLE_REDIRECT_URI

    try:
        # --- DEBUGGING CODE ---
        print("\n--- Full Request META ---")
        for key, value in sorted(request.META.items()):
            print(f"{key}: {value}")
        print("-------------------------\n")
        print(f"request.is_secure(): {request.is_secure()}")
        print(f"request.scheme: {request.scheme}")
        print(f"request.META.get('HTTP_X_FORWARDED_PROTO'): {request.META.get('HTTP_X_FORWARDED_PROTO')}")
        print(f"request.META.get('wsgi.url_scheme'): {request.META.get('wsgi.url_scheme')}")
        print("----------------------------------\n")
        # --- END DEBUGGING CODE ---

        # Error occurs on the next line
        flow.fetch_token(authorization_response=request.build_absolute_uri())

        # ... (token saving logic) ...

    except Exception as e:
        print(f"Error during OAuth exchange: {e}")
        import traceback
        traceback.print_exc()
        return render(request, 'accounts/google_auth_error.html', {'error': f'Error during OAuth exchange: {e}'})

The output (main) from the debugging statements in the terminal is:

--- Full Request META ---
HTTP_HOST: 127.0.0.1:8000
HTTP_REFERER: https://accounts.google.com/
HTTP_X_FORWARDED_HOST: 8000-firebase-onlinearsts-1753264806380.cluster-3gc7bglotjgwuxlqpiut7yyqt4.cloudworkstations.dev
wsgi.url_scheme: http
-------------------------

request.is_secure(): False
request.scheme: http
request.META.get('HTTP_X_FORWARDED_PROTO'): None
request.META.get('wsgi.url_scheme'): http
----------------------------------

Error during OAuth exchange: (insecure_transport) OAuth 2 MUST utilize https.

I cannot understand why the request is via http and not https, which leads to the error message that I described above. Any ideas what I'm doing wrong here?

Thanks,
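
Added example (not part of the original post, and not Django's or google-auth-oauthlib's own code): a simplified model of how Django derives request.scheme, run against the META values from the debug output above, plus one way to build the URL passed to flow.fetch_token() from the configured HTTPS redirect URI instead of from request headers. The function names effective_scheme and authorization_response_from_config and the placeholder query string are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Values copied from the question's settings.py and debug output.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
GOOGLE_REDIRECT_URI = (
    "https://8000-firebase-onlinearsts-1753264806380."
    "cluster-3gc7bglotjgwuxlqpiut7yyqt4.cloudworkstations.dev"
    "/accounts/google/callback/"
)
SAMPLE_META = {
    "HTTP_HOST": "127.0.0.1:8000",
    "wsgi.url_scheme": "http",
    # Constructed placeholder; the real query string is not shown in the post.
    "QUERY_STRING": "state=STATE_PLACEHOLDER&code=CODE_PLACEHOLDER",
}


def effective_scheme(meta, proxy_header=SECURE_PROXY_SSL_HEADER):
    """Simplified model of how Django derives request.scheme."""
    if proxy_header:
        header, secure_value = proxy_header
        value = meta.get(header)
        if value is not None:  # header present: its first value decides
            first = value.split(",", 1)[0].strip()
            return "https" if first == secure_value else "http"
    # Header absent (as in the post): fall back to the WSGI server's scheme.
    return meta.get("wsgi.url_scheme", "http")


def authorization_response_from_config(redirect_uri, query_string):
    """Build the fetch_token() URL from trusted settings, not request headers."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect URI must be an absolute https:// URL")
    return urlunsplit(("https", parts.netloc, parts.path, query_string, ""))


if __name__ == "__main__":
    print(effective_scheme(SAMPLE_META))
    print(authorization_response_from_config(
        GOOGLE_REDIRECT_URI, SAMPLE_META["QUERY_STRING"]))
```

In the callback view this would be called as flow.fetch_token(authorization_response=authorization_response_from_config(settings.GOOGLE_REDIRECT_URI, request.META["QUERY_STRING"])), which keeps oauthlib's HTTPS check active rather than disabling it with OAUTHLIB_INSECURE_TRANSPORT.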
