Reputation: 416
Auth0 impersonation directly calls the on success authentication callback URL skipping the initial step of authentication. This causes an issue because flask/client/OAuth.authorize_access_token(), which is called as part of the callback processing, requires the presence of the session variable _auth0_callback_ but this variable is not set because the only place it is set, flask/client/OAuth.authorize_redirect(), is not called in this situation.
We've added a hack to set the _auth0_callback_ session variable if it doesn't exist just before the call to flask/client/OAuth.authorize_access_token() but this doesn't seem right and I'm just wondering if we're doing something wrong.
We've also experienced a similar issue with the _auth0_state_ session variable but this might have been fixed in v0.7 that I'm testing now. We currently are using Authlib v0.6 in production.
Have raised this issue with Auth0 but have not had any response.
Any help appreciated, thx
UPDATE...
Looking deeper into Authlib, it looks like, for the flask/client/OAuth.authorize_access_token() call, the callback URL is not required in OAuth2Session.fetch_access_token() to fetch the token if the token is included in the authorisation response, and it kind of makes sense that the access token is included in the authorisation response in the case of the impersonation - see OAuth2Session.fetch_access_token()#152.
So maybe that authorisation response access token from Auth0 impersonation doesn't exist or is not being properly passed through...
Upvotes: 0
Views: 350
Reputation: 2422
To my knowledge, Auth0 accepts a redirect_uri parameter. Check this example: https://github.com/lepture/auth0-python-web-app/blob/patch-1/01-Login/server.py
The Flask integration is a wrapper on OAuth2Session which provides authorize_redirect and authorize_access_token methods to handle everything automatically for you. If you find the high level integration can't meet your needs, you can always use the methods of OAuthClient.
Upvotes: 1
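An added example, not part of the thread and not Authlib's code: a plain-Python model of the redirect/callback session handshake the question describes, showing why a direct hit on the callback finds neither session variable. Only the two session key names come from the question; the function names are hypothetical, and restarting the flow on a direct hit is this example's choice rather than something the thread or Authlib prescribes.

```python
import hmac
import secrets

# Session key names as quoted in the question; everything else is hypothetical.
CALLBACK_KEY = "_auth0_callback_"
STATE_KEY = "_auth0_state_"


class FlowNotStarted(Exception):
    """Callback arrived without the values the redirect step stores."""


class StateMismatch(Exception):
    """Callback state differs from the one stored in this session."""


def begin_login(session, callback_url):
    """Model of the redirect step: store the callback URL and a fresh state."""
    state = secrets.token_urlsafe(16)
    session[CALLBACK_KEY] = callback_url
    session[STATE_KEY] = state
    return state  # would travel to the provider in the authorize URL


def handle_callback(session, params):
    """Model of the callback step: consume what begin_login stored.

    Returns the callback URL to use for the token request.
    """
    callback_url = session.pop(CALLBACK_KEY, None)
    expected = session.pop(STATE_KEY, None)
    if callback_url is None or expected is None:
        # Direct hit on the callback (the impersonation case in the question).
        raise FlowNotStarted("no login in progress for this session")
    received = params.get("state", "")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("state does not match this session")
    return callback_url


def callback_view(session, params, callback_url):
    """Callback handler that restarts the flow instead of seeding the session."""
    try:
        return ("exchange", handle_callback(session, params))
    except FlowNotStarted:
        return ("redirect", begin_login(session, callback_url))
```

Seeding only the callback key just before the token exchange makes the missing-key error go away, but it leaves the callback with no stored state to compare against, which is the check that ties a response to the browser session that started the login.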