OpenID Connect support for Flask

puiterwijk, updated 🕥 2022-11-11 08:54:33

flask-oidc

`OpenID Connect <https://openid.net/connect/>`_ support for `Flask <http://flask.pocoo.org/>`_.

.. image:: https://img.shields.io/pypi/v/flask-oidc.svg?style=flat
   :target: https://pypi.python.org/pypi/flask-oidc

.. image:: https://img.shields.io/pypi/dm/flask-oidc.svg?style=flat
   :target: https://pypi.python.org/pypi/flask-oidc

.. image:: https://readthedocs.org/projects/flask-oidc/badge/?version=latest
   :target: http://flask-oidc.readthedocs.io/en/latest/?badge=latest
   :alt: Documentation Status

.. image:: https://img.shields.io/travis/puiterwijk/flask-oidc.svg?style=flat
   :target: https://travis-ci.org/puiterwijk/flask-oidc

This library should work with any standards-compliant OpenID Connect provider.

It has been tested with:

  • `Google+ Login <https://developers.google.com/accounts/docs/OAuth2Login>`_
  • `Ipsilon <https://ipsilon-project.org/>`_

Project status

This project is in active development.

Issues

Bypass of "require_login()" leads to application crash (obviously)

opened on 2022-12-20 14:57:31 by Panagiss

I was able to bypass the decorated @oidc.require_login on a function, leading to an app crash of course, as the function was trying to access grants from the id token. Here is the stack trace::

  [2022-12-20 14:38:59 +0000] [12] [ERROR] Error handling request /route
  Traceback (most recent call last):
    File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 136, in handle
      self.handle_request(listener, req, client, addr)
    File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 179, in handle_request
      respiter = self.wsgi(environ, resp.start_response)
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2548, in __call__
      return self.wsgi_app(environ, start_response)
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2528, in wsgi_app
      response = self.handle_exception(e)
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2525, in wsgi_app
      response = self.full_dispatch_request()
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1822, in full_dispatch_request
      rv = self.handle_user_exception(e)
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
      rv = self.dispatch_request()
    File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
      return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
    File "/home/app/routes.py", line 252, in my_func
      a_grant= oidc.user_getfield("a_grant")
    File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 220, in user_getfield
      info = self.user_getinfo([field], access_token)
    File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 240, in user_getinfo
      raise Exception('User was not authenticated')
  Exception: User was not authenticated

Here is also the code::

  @oidc.require_login
  @app.route("/route", methods=["GET"])
  def my_func():
      a_grant = oidc.user_getfield("a_grant")

To reproduce it, just authenticate once and go to that route. It will display everything well. Then leave it open for a while; not sure how long. I think it just needs the id token to expire or something. Then refresh the page and you will see the exception.
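An added example, not part of the issue above and not flask-oidc's own code. Flask's ``route()`` registers the exact function object it receives and returns it unchanged, so a ``@require_login`` written above ``@app.route`` wraps a function that has already been registered, and the protected wrapper is never what dispatch calls. The posted snippet has that order, and the trace (``dispatch_request`` calling ``my_func`` directly) is consistent with it. The ``MiniApp``, ``require_login`` and ``user_getfield`` below are constructed stand-ins that mimic only that registration behaviour, so the example runs without Flask or flask-oidc installed:

```python
import functools


class MiniApp:
    """Constructed stand-in for flask.Flask (not the real class): like Flask,
    route() registers exactly the function object it receives and returns it
    unchanged."""

    def __init__(self):
        self.view_functions = {}

    def route(self, path):
        def register(func):
            self.view_functions[path] = func
            return func
        return register

    def dispatch(self, path, session):
        # Mirrors dispatch_request(): calls whatever object was registered.
        return self.view_functions[path](session)


def require_login(view):
    """Constructed stand-in for oidc.require_login: sends the client to the
    provider when the session holds no valid token."""
    @functools.wraps(view)
    def wrapper(session):
        if not session.get("token_valid"):
            return "302 redirect to provider"
        return view(session)
    return wrapper


def user_getfield(session, field):
    """Constructed stand-in for oidc.user_getfield, raising as in the trace."""
    if not session.get("token_valid"):
        raise Exception("User was not authenticated")
    return session["claims"][field]


def build_misordered_app():
    """The order from the issue: route() runs first and registers the bare
    function; require_login then wraps an object nobody will call."""
    app = MiniApp()

    @require_login
    @app.route("/route")
    def my_func(session):
        return user_getfield(session, "a_grant")

    return app


def build_correct_app():
    """route() outermost: the protected wrapper is what gets registered."""
    app = MiniApp()

    @app.route("/route")
    @require_login
    def my_func(session):
        return user_getfield(session, "a_grant")

    return app


def simulate(app, session):
    """Dispatch one request and report the outcome as a short status string."""
    try:
        return app.dispatch("/route", session)
    except Exception as exc:
        return f"500 {exc}"


# Constructed sessions: one with a valid token, one after expiry.
VALID_SESSION = {"token_valid": True, "claims": {"a_grant": "reader"}}
EXPIRED_SESSION = {"token_valid": False}

if __name__ == "__main__":
    for name, builder in (("misordered", build_misordered_app),
                          ("correct", build_correct_app)):
        print(name, simulate(builder(), VALID_SESSION),
              "|", simulate(builder(), EXPIRED_SESSION))
```

With the misordered decorators the view answers normally while the session is valid and turns into a 500 once it is not; with ``@app.route`` outermost the expired session is redirected instead. The registered object in the correct build carries a ``__wrapped__`` attribute (set by ``functools.wraps``), which is a cheap way to assert in a test suite that the protection actually made it into ``view_functions``.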

Audience check ignored if no audience available in access token

opened on 2022-12-09 14:35:54 by rtheys

Hi,

I'm using flask-oidc 1.4.0 on a resource server, and I have the following config settings set::

  app.config.update({
      'SECRET_KEY': 'not a very secret key',
      'TESTING': True,
      'DEBUG': True,
      'OIDC_CLIENT_SECRETS': 'client_secrets.json',
      'OIDC_RESOURCE_SERVER_ONLY': True,
      'OIDC_RESOURCE_CHECK_AUD': True,
  })

I expected my application to always verify that the "aud" parameter contained my client id, but it seems this check only happens if "aud" is actually present in the access token. If there is no "aud" field, the check does not seem to happen (and the request is allowed)?!

Is this the expected behavior? I was expecting the request would be rejected if "aud" was not present in the access token (similar to an invalid value).

Regards, Rik
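An added example of the fail-closed behaviour the report asks for; it is not flask-oidc's own code and does not describe what 1.4.0 does. It assumes the token's signature (or introspection response) has already been verified and only looks at the decoded claims: a missing ``aud`` is a rejection rather than a skipped check, ``aud`` may be a string or an array as OIDC Core allows, and ``exp`` and ``iss`` are checked the same way. The issuer, client id and sample claim sets are constructed placeholders.

```python
import time

# Claims a resource server should refuse to evaluate a token without.
REQUIRED_CLAIMS = ("iss", "aud", "exp")


def audiences(claim):
    """Normalise an aud claim to a list of strings. OIDC Core allows a single
    string or an array; anything else yields an empty list (fails closed)."""
    if isinstance(claim, str):
        return [claim]
    if isinstance(claim, (list, tuple)):
        return [a for a in claim if isinstance(a, str)]
    return []


def verify_access_token_claims(claims, *, issuer, client_id, now=None, leeway=0):
    """Return (accepted, reason). A missing claim is a rejection, so a token
    without aud is never treated as 'nothing to check'."""
    now = time.time() if now is None else now
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            return False, f"missing required claim: {name}"
    if claims["iss"] != issuer:
        return False, "issuer mismatch"
    if client_id not in audiences(claims["aud"]):
        return False, "audience does not include this client"
    try:
        exp = float(claims["exp"])
    except (TypeError, ValueError):
        return False, "exp is not numeric"
    if now > exp + leeway:
        return False, "token expired"
    return True, "ok"


# Constructed sample claim sets; issuer and client id are placeholders.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-resource-server"
NOW = 1_670_000_000  # fixed clock so results are reproducible

SAMPLES = {
    "good": {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300},
    "good_list": {"iss": ISSUER, "aud": ["other", CLIENT_ID], "exp": NOW + 300},
    "no_aud": {"iss": ISSUER, "exp": NOW + 300},
    "wrong_aud": {"iss": ISSUER, "aud": "someone-else", "exp": NOW + 300},
    "expired": {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW - 1},
}


def check_all(samples=SAMPLES):
    """Run every sample through the check; returns {name: (accepted, reason)}."""
    return {name: verify_access_token_claims(c, issuer=ISSUER, client_id=CLIENT_ID, now=NOW)
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_all().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The ``no_aud`` sample is the case from the report: with this check it is rejected for the missing claim, not accepted because there was nothing to compare against.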

Flask oidc supports keycloak multi realms

opened on 2022-12-03 19:23:06 by rahul149386

Hi, I have a requirement that my flask application should support keycloak multitenancy. It has to authenticate multiple realms. Are there any documents?

fixing missing exception when signature expired and change submodule from git to https git

opened on 2022-11-11 08:54:32 by vicding-mi

This PR fixes 2 issues I found when using flask-oidc pack.

  1. When the token expires, it raises an exception of type SignatureExpired; this exception class is in the package but not imported.
  2. When installing flask-oidc from GitHub using pip -r requirements.txt, it gives an error while cloning the submodule. Changing the protocol of the submodule from git to https solves this issue.

The second issue only occurs when installing directly from GitHub, and users need the master branch on GitHub as it fixes issues which block the usual auth action and always return 401 Not Authorised.

typo in sample code

opened on 2022-09-23 15:39:13 by setop

Errors during token validation because ADFS does not support introspection URL

opened on 2022-09-06 15:52:51 by fabianlee

I ran into several issues while trying to use Windows 2019 ADFS as the OAuth2 Authentication Server for a Flask based app using the flask-oidc module. One of the primary issues is that token validation errors out because there is no introspection endpoint URL.

If anyone runs into similar problems with ADFS, I created a proof-of-concept personal fork that supports Windows 2019 ADFS https://github.com/fabianlee/flask-oidc

I did not create a pull request because I did not do regression tests against the other supported Authentication servers (Google and Ipsilon), but it creates a good starting point for someone wanting this enhancement.

Releases

v1.2.0 2017-09-27 19:39:43

Goran Rakic (1): Allow override of secrets loading

Patrick Uiterwijk (10):

  • Make error strings returned by validate_token have bool() as False
  • Fix using the correct token_type_hint value
  • Make cookie path configurable
  • Validate that the openid scope is always requested
  • Encode state with base64
  • Correctly encode
  • Also encode for py3
  • Make it possible to get access token and refresh token
  • Also test on py3.5 and 3.6
  • Release v1.2

Rusox89 (1): split does not take arguments

v1.1.0 2017-02-08 11:12:27

  • Options added to modify callback and redirect URIs (Nik Voss)
  • Typo fix in import statement (Nick Coghlan)
  • HTTP error codes check during registration (Jeremy Cline)
  • Allow disabling of UserInfo (Paul Doronila)
  • Add configuration option for resource server only
  • Documentation for configuration options
  • Token validation separated to enable usage of resource server code without decorator

v1.0.1 2016-05-24 12:13:52

This adds the documentation in the release.

v1.0.0 2016-05-24 11:24:14

Patrick Uiterwijk

Vaguely Dutch security guy
