OpenID Connect <https://openid.net/connect/> support for
.. image:: https://img.shields.io/pypi/v/flask-oidc.svg?style=flat :target: https://pypi.python.org/pypi/flask-oidc
.. image:: https://img.shields.io/pypi/dm/flask-oidc.svg?style=flat :target: https://pypi.python.org/pypi/flask-oidc
.. image:: https://readthedocs.org/projects/flask-oidc/badge/?version=latest :target: http://flask-oidc.readthedocs.io/en/latest/?badge=latest :alt: Documentation Status
.. image:: https://img.shields.io/travis/puiterwijk/flask-oidc.svg?style=flat :target: https://travis-ci.org/puiterwijk/flask-oidc
This library should work with any standards compliant OpenID Connect provider.
It has been tested with:
Google+ Login <https://developers.google.com/accounts/docs/OAuth2Login>_
This project is in active development.
I was able to bypass the decorated
@oidc.require_login on a function, leading to app crash of course as the function was trying to access grants from the id token.
Here is the stack trace:
[2022-12-20 14:38:59 +0000]  [ERROR] Error handling request /route
app | Traceback (most recent call last):
app | File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 136, in handle
app | self.handle_request(listener, req, client, addr)
app | File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 179, in handle_request
app | respiter = self.wsgi(environ, resp.start_response)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2548, in __call__
app | return self.wsgi_app(environ, start_response)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2528, in wsgi_app
app | response = self.handle_exception(e)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2525, in wsgi_app
app | response = self.full_dispatch_request()
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1822, in full_dispatch_request
app | rv = self.handle_user_exception(e)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
app | rv = self.dispatch_request()
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
app | return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
app | File "/home/app/routes.py", line 252, in my_func
app | a_grant= oidc.user_getfield("a_grant")
app | File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 220, in user_getfield
app | info = self.user_getinfo([field], access_token)
app | File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 240, in user_getinfo
app | raise Exception('User was not authenticated')
app | Exception: User was not authenticated
Here is also the code:
To reproduce it just authenticate once and go on that route. It will display everything well. Then leave it open for a while. Not sure how much. I think just needs the id token to expire or something. Then refresh the page and you will see the exception
I'm using flask-oidc 1.4.0 on a resource server, and I have the following config settings set:
'SECRET_KEY': 'not a very secret key',
I expected my application to always verify that the "aud" parameter contained my client id, but it seems this check only happens if "aud" is actually present in the access token. If there is no "aud" field, the check does not seem to happen (and the request is allowed)?!
Is this the expected behavior? I was expecting the request would be rejected if "aud" was not present in the access token (similar to an invalid value).
Hi, I've requirement to my flask application should support keycloak multitanacy. It has to authenticate multi Relams. Is there any documents?
This PR fixes 2 issues I found when using flask-oidc pack.
SignatureExpired, this exception class is in the package but not imported.
pip -r requirements.txt, it gives an error while cloning the submodule. Changed the protocol of submodule from
httpssolves this issue.
The second issue only occurs when installing directly from GitHub. And users need the
master branch on GitHub as it fixes issues which block usual auth action and always return
401 Not Authorised
I ran into several issues while trying to use Windows 2019 ADFS as the OAuth2 Authentication Server for a Flask based app using the flask-oidc module. One of the primary issues is that token validation errors out because there is no introspection endpoint URL.
If anyone runs into similar problems with ADFS, I created a proof-of-concept personal fork that supports Windows 2019 ADFS https://github.com/fabianlee/flask-oidc
I did not create a pull request because I did not do regression tests against the other supported Authentication servers (Google and Ipsilon), but it creates a good starting point for someone wanting this enhancement.
Goran Rakic (1): Allow override of secrets loading
Patrick Uiterwijk (10): Make error strings returned by validate_token have bool() as False Fix using the correct token_type_hint value Make cookie path configurable Validate that the openid scope is always requested Encode state with base64 Correctly encode Also encode for py3 Make it possible to get access token and refresh token Also test on py3.5 and 3.6 Release v1.2
Rusox89 (1): split does not take arguments
This adds the documentation in the release.