Python OIDC client and Shibboleth Idp with OIDC plugin
Julien COCHENNEC
julien.cochennec at ac-orleans-tours.fr
Wed Nov 18 20:30:17 UTC 2020
Oh, BTW, I forgot to mention that I found almost the same message here: https://shibboleth.1660669.n2.nabble.com/unwrapped-data-has-expired-td7621954.html
I was not sure it could be related.
On 18/11/20, Julien COCHENNEC <julien.cochennec at ac-orleans-tours.fr> wrote:
> Hi,
> We're testing a Python client that is developed with Flask (web microframework) and Flask-OIDC (OIDC add-on with oauth-client lib embedded).
> We're trying to make it work: the client asks for an authorization code, the response looks "wrong", and the add-on displays "Not Authorized".
> Not expecting a complete solution, any lead would be appreciated, thanks.
> I'm aware that it is an OIDC plugin question more than a Shibboleth question, but I'm totally clueless here.
> Have a nice day.
>
>
>
> A - On the idp side, we have this :
>
>
> 2020-11-18 00:23:07,119 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired
> 2020-11-18 00:23:07,122 - 212.47.237.47 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant
>
>
>
> B - And in the client logs we have errors like this (sorry for the time not corresponding, logs are a mess) :
>
>
> 1) Invalid Grant error :
>
>
> File "/opt/conda/envs/b3desk/lib/python3.7/site-packages/oauth2client/client.py", line 2089, in step2_exchange
>     raise FlowExchangeError(error_msg)
> oauth2client.client.FlowExchangeError: invalid_grantInvalid grant
>
>
>
>
> 2) Strange error on Cookie, already happened with Flask https://github.com/olipo186/Git-Auto-Deploy/issues/221 could be an attack but I'd like to know if it rings a bell to any of you :
>
>
>
> Invalid request from ip=185.202.2.147: Invalid HTTP request line: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr'
>
>
>
>
> 3) 401 Error (replaced server name with ***) :
>
>
> HTTP/1.1" 401 14 "https://******/sso/SSO?SAMLRequest=fVJba8IwFP4rJe%2B9r1qDLYgyEHYRK3vYW0yPGGiSLid17t8v6eYQJj4Fcr6T75Y5Mtn1dDHYo9rCxwBog7PsFFI%2FqMhgFNUMBVLFJCC1nDaL5yeaRQlliGCs0IpcrfT3d3qjrea6I8Hisr3UCgcJpgFzEhzWqoVzRRISrJwYoZjHVORobY80juFsDVNgI8bDExhkousAo4OJEXXcNK8kWK8qAiUv2rJ4mE1n5T7b7zln2YSlLJ8W07YoWodCHBwZWqZsRbIkS8I0DdPpLstpNqF5%2BU6CN0cwsjvppJ57f3TcM7U3eUB6HPZHleQ0jZJ5fD2f%2FwT74hJYrza6E%2FwreNRGMns%2FIH8j2vAwQqn3igKUdezx%2FxcvLL%2FNQTv26AK1LqZgqWXPjEBvQAol5CAvJq5xy84VuYVDfbdrTrnHueuNOz61aTeuSuCOdOdF9trY3wRuPn6Rf1Pq3%2FT6H9bf&RelayState=f5b0efa9645a6a81e5ed2c5e1d3e9f29" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
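The request line quoted in item 2 has the byte layout of a TPKT header followed by an X.224 Connection Request carrying an RDP `mstshash` cookie, which is what an RDP client sends on connect; an HTTP server logs it as an invalid request line. The following is an added example, not part of the original message: a Python check that flags such lines in server logs. The log format is taken from item 2, the first sample line is constructed, and the function names are hypothetical.

```python
import re
import struct

# Constructed sample log lines; the second reproduces the line quoted in item 2.
SAMPLE_LOG = [
    r"Invalid request from ip=192.0.2.10: Invalid HTTP request line: 'GET / HTTP/9.9'",
    r"Invalid request from ip=185.202.2.147: Invalid HTTP request line: "
    r"'\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr'",
]

# Assumed log format: the server prints the request line as a Python repr.
LINE_RE = re.compile(r"Invalid request from ip=(\S+): Invalid HTTP request line: '(.*)'$")


def unescape(text):
    """Turn the logged repr (hex escapes, Latin-1 characters) back into bytes."""
    try:
        return text.encode("latin-1").decode("unicode_escape").encode("latin-1")
    except UnicodeError:
        return None


def classify_rdp_probe(raw):
    """Return details if raw starts like an RDP connection request, else None."""
    if raw is None or len(raw) < 11:
        return None
    version, reserved, tpkt_len = struct.unpack(">BBH", raw[:4])
    length_indicator, pdu_code = raw[4], raw[5]
    # TPKT version 3, X.224 Connection Request (0xE0), consistent lengths.
    if version != 3 or reserved != 0 or (pdu_code & 0xF0) != 0xE0:
        return None
    if length_indicator != tpkt_len - 5:
        return None
    # Bytes 6..10 are dst-ref, src-ref and class; the cookie follows.
    cookie = re.match(rb"Cookie: mstshash=([^\r\n]*)", raw[11:])
    return {
        "tpkt_length": tpkt_len,
        "cookie": cookie.group(1).decode("latin-1") if cookie else None,
    }


def scan(lines):
    """Return (source_ip, details) for every logged line that is an RDP probe."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            info = classify_rdp_probe(unescape(m.group(2)))
            if info:
                hits.append((m.group(1), info))
    return hits
```

The logged line stops at the first newline, so the check compares the two declared lengths with each other rather than with the number of bytes actually logged.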