Django - 使用Google oauth2进行CSRF验证失败

Question

https://developers.google.com/identity/sign-in/web/backend-auth 我遵循谷歌教程登录并使用后端服务器进行身份验证，我最终尝试做的是将对应用程序的访问权限仅限于具有公司域名的电子邮件。 我认为问题出在javascript：

  function onSignIn(googleUser) {
    // Useful data for your client-side scripts:
    var profile = googleUser.getBasicProfile();
    console.log("ID: " + profile.getId()); // Don't send this directly to your server!
    console.log('Full Name: ' + profile.getName());
    console.log('Given Name: ' + profile.getGivenName());
    console.log('Family Name: ' + profile.getFamilyName());
    console.log("Image URL: " + profile.getImageUrl());
    console.log("Email: " + profile.getEmail());

    // The ID token you need to pass to your backend:
    var id_token = googleUser.getAuthResponse().id_token;
    console.log("ID Token: " + id_token);
    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://yourbackend.example.com/tokensignin');
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onload = function() {
        console.log('Signed in as: ' + xhr.responseText);
    };
    xhr.send('idtoken=' + id_token);
  };

下面是python部分：

def autenticar_usuario(request):
# (Receive token by HTTPS POST)
CLIENT_ID="CLIENT_ID"
APPS_DOMAIN_NAME='example.com'
if request.method == 'POST':
    token = request.POST["idtoken"]
    try:
        idinfo = client.verify_id_token(token, CLIENT_ID)
        # If multiple clients access the backend server:
        if idinfo['aud'] not in [CLIENT_ID]:
            raise crypt.AppIdentityError("Unrecognized client.")
        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise crypt.AppIdentityError("Wrong issuer.")
        if idinfo['hd'] != APPS_DOMAIN_NAME:
            raise crypt.AppIdentityError("Wrong hosted domain.")
    except crypt.AppIdentityError:
        # Invalid token
        userid = idinfo['sub']
return render(request, 'log_in.html')

并且错误说： '

CSRF验证失败。请求中止。

' HTML：

    <!DOCTYPE html>
     <html >
      <head>
       <meta charset="UTF-8">
       <title>Log In</title>      
      </head>
      <body>
       <meta name="google-signin-client_id" content="">
       <div class="g-signin2" data-onsuccess="onSignIn"></div>
       <script>
         function onSignIn(googleUser) {
         // Useful data for your client-side scripts:
         var profile = googleUser.getBasicProfile();
         console.log("ID: " + profile.getId()); // Don't send this directly to your server!
         console.log('Full Name: ' + profile.getName());
         console.log('Given Name: ' + profile.getGivenName());
         console.log('Family Name: ' + profile.getFamilyName());
         console.log("Image URL: " + profile.getImageUrl());
         console.log("Email: " + profile.getEmail());

         // The ID token you need to pass to your backend:
         var id_token = googleUser.getAuthResponse().id_token;
         console.log("ID Token: " + id_token);
         var xhr = new XMLHttpRequest();
         xhr.open('POST', 'https://yourbackend.example.com/tokensignin');
         xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
         xhr.onload = function() {
            console.log('Signed in as: ' + xhr.responseText);
         };
         xhr.send('idtoken=' + id_token);
         };
       </script>
       <script src="https://apis.google.com/js/platform.js" async defer></script> 
    </body>