L.Lauenburg

Reputation: 472

Flask OIDC: oauth2client.client.FlowExchangeError

The Problem:

The library flask-oidc includes the scope parameter in the authorization-code/access-token exchange request, which unsurprisingly throws the following error:

oauth2client.client.FlowExchangeError: invalid_request Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorized request.

The Question:

Is this a configuration problem or a library problem?

My Configurations:

Flask application (imports and app creation added so the snippet runs on its own):

from flask import Flask
from flask_oidc import OpenIDConnect

app = Flask(__name__)
app.config.update({
    'DEBUG': True,
    'TESTING': True,
    'SECRET_KEY': 'secret',
    'SERVER_NAME': 'flask.example.com:8000',
    'OIDC_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_CALLBACK_ROUTE': '/oidc/callback',
    'OIDC_CLIENT_SECRETS': 'client_secrets.json'
})
oidc = OpenIDConnect(app)

client_secrets.json:

{
    "web": {
        "auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize",
        "issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/",
        "userinfo_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/userinfo",
        "client_id": "MyClientID",
        "client_secret": "password",
        "redirect_uris": [
            "http://flask.example.com:8000/oidc/callback"
        ],
        "token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token",
        "token_introspection_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/introspect"
    }
}

For the access manager I use OpenAM. I configured an OpenAM client agent as follows:

Context: I use flask-oidc for the logic on the application side and OpenAM for the identity and access management - both applications run in docker containers. When using simple curl commands I can retrieve an authorization grant as well as an authentication token (grant type: Authorization Code Grant). However, using the mentioned library, after logging in to OpenAM and granting authorization to the application (endpoint 'oauth2/authorize'), flask-oidc sends the following GET request:

GET /oidc/callback?code=<some code> \
&scope=openid%20email \
&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2 \
&state=<some state> \
&client_id=MyClientID

Which leads to the error mentioned above.

Upvotes: 7

Views: 1525
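The error in the question is about which half of the Authorization Code flow the scope belongs to: it is sent on the front-channel redirect to the authorize endpoint, and the back-channel exchange at the token endpoint carries only grant_type, code, redirect_uri and the client credentials (RFC 6749 sections 4.1.1 and 4.1.3). The following is an added, dependency-free illustration of that split, written for this page and not taken from flask-oidc, oauth2client or the question; it reuses the endpoint, client and redirect values from the question's client_secrets.json as constructed input and never contacts a server. The callback handling also checks the state parameter and, when present, the iss parameter against the configured issuer. Note that the iss value in the question's callback lacks the /realms/root/ suffix that the configured issuer has, so a strict comparison like the one below would reject that exact URL; the two values should be reconciled before enabling such a check.

```python
# Added example (not from the question or any library on the page): the three
# client-side steps of the Authorization Code flow, showing where 'scope' goes.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed configuration, mirroring the question's client_secrets.json.
CLIENT_SECRETS = {
    "auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize",
    "token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token",
    "issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/",
    "client_id": "MyClientID",
    "client_secret": "password",
    "redirect_uri": "http://flask.example.com:8000/oidc/callback",
}


def build_authorization_url(cfg, scope, state):
    """Step 1: the browser redirect. This is the request that carries 'scope'."""
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": scope,
        "state": state,
    }
    return cfg["auth_uri"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state, cfg):
    """Step 2: validate the redirect back to /oidc/callback.

    Rejects a missing or mismatched state (CSRF / mixed-up session guard),
    an 'iss' that is not the configured issuer, and an error response.
    Returns the authorization code on success.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "iss" in qs and qs["iss"][0].rstrip("/") != cfg["issuer"].rstrip("/"):
        raise ValueError("callback iss does not match the configured issuer")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def build_token_request(cfg, code):
    """Step 3: the back-channel code/token exchange.

    Only grant_type, code, redirect_uri and the client credentials are sent.
    The scope echoed on the callback is deliberately not copied into this body,
    which is the parameter the error in the question complains about.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    }
    assert "scope" not in body
    return cfg["token_uri"], body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(CLIENT_SECRETS, "openid email", state))
    # Constructed callback in the shape shown in the question, with an iss that
    # matches the configured issuer so the check passes.
    cb = (CLIENT_SECRETS["redirect_uri"] + "?code=abc123&scope=openid%20email"
          + "&iss=" + CLIENT_SECRETS["issuer"] + "&state=" + state
          + "&client_id=MyClientID")
    code = parse_callback(cb, state, CLIENT_SECRETS)
    url, body = build_token_request(CLIENT_SECRETS, code)
    print("POST", url, urlencode(body))
```

The POST body printed at the end is what a server such as the one in the question expects: compare it with the request flask-oidc actually sends to see whether an extra scope field is present.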

Answers (1)

bart cubrich

Reputation: 1254

While this does not directly answer the question, the best answer I could find was to use pyJWT or oauthlib instead of using flask-oidc. I found pyjwt was very straightforward in most respects, and there is an excellent tutorial here:

SSO Using Flask Request Oauthlib and pyjwt

I am not sure of this, but because the error is generated by oauth2client, not flask-oidc, it is possible the error is actually just related to the deprecated oauth2client library.

There was a detailed request to mark the entire flask-oidc project as deprecated, but that request was made several years after the flask-oidc project stopped being maintained. I hope one day flask will remove this link from their site because it is misleading to think that it is a main part of flask.

Upvotes: 2
