Python OIDC client and Shibboleth Idp with OIDC plugin

Julien COCHENNEC julien.cochennec at
Wed Nov 18 20:22:48 UTC 2020

We're testing a Python client that is developed with Flask (web microframework) and Flask-OIDC (OIDC add-on with oauth-client lib embedded).
We're trying to make it work: the client asks for an authorization code, the response looks "wrong", and the add-on displays "Not Authorized".
Not expecting a complete solution, any lead would be appreciated, thanks.
I'm aware that it is an OIDC plugin question more than a Shibboleth question, but I'm totally clueless here.
Have a nice day.

A - On the IdP side, we have this:

 2020-11-18 00:23:07,119 - - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired
 2020-11-18 00:23:07,122 - - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant

B - And in the client logs we have errors like this (sorry for the times not corresponding, logs are a mess):

 1) Invalid Grant error:

 File "/opt/conda/envs/b3desk/lib/python3.7/site-packages/oauth2client/", line 2089, in step2_exchange
   raise FlowExchangeError(error_msg)
 oauth2client.client.FlowExchangeError: invalid_grantInvalid grant

 2) Strange error on Cookie; this already happened with Flask and could be an attack, but I'd like to know if it rings a bell for any of you:

 Invalid request from ip= Invalid HTTP request line: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr'

 3) 401 Error (replaced server name with ***):
 HTTP/1.1" 401 14 "https://******/sso/SSO?SAMLRequest=fVJba8IwFP4rJe%2B9r1qDLYgyEHYRK3vYW0yPGGiSLid17t8v6eYQJj4Fcr6T75Y5Mtn1dDHYo9rCxwBog7PsFFI%2FqMhgFNUMBVLFJCC1nDaL5yeaRQlliGCs0IpcrfT3d3qjrea6I8Hisr3UCgcJpgFzEhzWqoVzRRISrJwYoZjHVORobY80juFsDVNgI8bDExhkousAo4OJEXXcNK8kWK8qAiUv2rJ4mE1n5T7b7zln2YSlLJ8W07YoWodCHBwZWqZsRbIkS8I0DdPpLstpNqF5%2BU6CN0cwsjvppJ57f3TcM7U3eUB6HPZHleQ0jZJ5fD2f%2FwT74hJYrza6E%2FwreNRGMns%2FIH8j2vAwQqn3igKUdezx%2FxcvLL%2FNQTv26AK1LqZgqWXPjEBvQAol5CAvJq5xy84VuYVDfbdrTrnHueuNOz61aTeuSuCOdOdF9trY3wRuPn6Rf1Pq3%2FT6H9bf&RelayState=f5b0efa9645a6a81e5ed2c5e1d3e9f29(" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"