Python OIDC client and Shibboleth Idp with OIDC plugin

Julien COCHENNEC julien.cochennec at ac-orleans-tours.fr
Wed Nov 18 20:22:48 UTC 2020


Hi,
We're testing a Python client that is developed with Flask (web microframework) and Flask-OIDC (OIDC add-on with oauth-client lib embedded).
We're trying to make it work: the client asks for an authorization code, the response looks "wrong", and the add-on displays "Not Authorized".
Not expecting a complete solution, any lead would be appreciated, thanks.
I'm aware that it is an OIDC plugin question more than a Shibboleth question, but I'm totally clueless here.
Have a nice day.



A - On the IdP side, we have this:


 2020-11-18 00:23:07,119 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired
 2020-11-18 00:23:07,122 - 212.47.237.47 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant
 


B - And in the client logs we have errors like this (sorry the times do not correspond, logs are a mess):


 1) Invalid Grant error :


 File "/opt/conda/envs/b3desk/lib/python3.7/site-packages/oauth2client/client.py", line 2089, in step2_exchange
   raise FlowExchangeError(error_msg)
 oauth2client.client.FlowExchangeError: invalid_grantInvalid grant



 
 2) Strange error on Cookie, already happened with Flask (https://github.com/olipo186/Git-Auto-Deploy/issues/221); could be an attack, but I'd like to know if it rings a bell for any of you:



 Invalid request from ip=185.202.2.147: Invalid HTTP request line: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr'



 
 3) 401 Error (replaced server name with ***) :
 
 
 HTTP/1.1" 401 14 "https://******/sso/SSO?SAMLRequest=fVJba8IwFP4rJe%2B9r1qDLYgyEHYRK3vYW0yPGGiSLid17t8v6eYQJj4Fcr6T75Y5Mtn1dDHYo9rCxwBog7PsFFI%2FqMhgFNUMBVLFJCC1nDaL5yeaRQlliGCs0IpcrfT3d3qjrea6I8Hisr3UCgcJpgFzEhzWqoVzRRISrJwYoZjHVORobY80juFsDVNgI8bDExhkousAo4OJEXXcNK8kWK8qAiUv2rJ4mE1n5T7b7zln2YSlLJ8W07YoWodCHBwZWqZsRbIkS8I0DdPpLstpNqF5%2BU6CN0cwsjvppJ57f3TcM7U3eUB6HPZHleQ0jZJ5fD2f%2FwT74hJYrza6E%2FwreNRGMns%2FIH8j2vAwQqn3igKUdezx%2FxcvLL%2FNQTv26AK1LqZgqWXPjEBvQAol5CAvJq5xy84VuYVDfbdrTrnHueuNOz61aTeuSuCOdOdF9trY3wRuPn6Rf1Pq3%2FT6H9bf&RelayState=f5b0efa9645a6a81e5ed2c5e1d3e9f29" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"