Python OIDC client and Shibboleth Idp with OIDC plugin

Janne Lauros janne.lauros at csc.fi
Thu Nov 19 16:35:24 UTC 2020


Hi, 

2020-11-18 00:23:07,119 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired 

Assuming the IdP is otherwise healthy, this implies that as your client performs the token request, the authorization code has already expired. The default lifetime in the extension for it is 5 minutes. This should happen only if you are playing around with it, debugging and stuff. If that is not the case and you are returning a freshly minted authorization code... then it is something else ;-)

BR Janne 


From: "Julien COCHENNEC" <julien.cochennec at ac-orleans-tours.fr> 
To: "Shib Users" <users at shibboleth.net> 
Sent: Wednesday, 18 November, 2020 22:30:17 
Subject: Re : Python OIDC client and Shibboleth Idp with OIDC plugin 

Oh BTW, I forgot to mention I found almost the same message here: https://shibboleth.1660669.n2.nabble.com/unwrapped-data-has-expired-td7621954.html
I was not sure it could be related. 

On 18/11/20, Julien COCHENNEC <julien.cochennec at ac-orleans-tours.fr> wrote:


Hi, 
We're testing a Python client that is developed with Flask (web microframework) and Flask-OIDC (OIDC add-on with oauth-client lib embedded).
We're trying to make it work: the client asks for an authorization code, the response looks "wrong", and the add-on displays "Not Authorized".
I'm not expecting a complete solution; any lead would be appreciated, thanks.
I'm aware that it is an OIDC plugin question more than a Shibboleth question, but I'm totally clueless here.
Have a nice day. 

A - On the IdP side, we have this:

2020-11-18 00:23:07,119 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired 
2020-11-18 00:23:07,122 - 212.47.237.47 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant 

B - And in the client logs we have errors like this (sorry that the times do not correspond, the logs are a mess):

1) Invalid Grant error:

File "/opt/conda/envs/b3desk/lib/python3.7/site-packages/oauth2client/client.py", line 2089, in step2_exchange
    raise FlowExchangeError(error_msg)
oauth2client.client.FlowExchangeError: invalid_grantInvalid grant

2) Strange error on Cookie, which already happened with Flask (https://github.com/olipo186/Git-Auto-Deploy/issues/221); it could be an attack, but I'd like to know if it rings a bell for any of you:



Invalid request from ip=185.202.2.147: Invalid HTTP request line: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr' 




3) 401 error (server name replaced with ***):

HTTP/1.1" 401 14 "https://******/sso/SSO?SAMLRequest=fVJba8IwFP4rJe%2B9r1qDLYgyEHYRK3vYW0yPGGiSLid17t8v6eYQJj4Fcr6T75Y5Mtn1dDHYo9rCxwBog7PsFFI%2FqMhgFNUMBVLFJCC1nDaL5yeaRQlliGCs0IpcrfT3d3qjrea6I8Hisr3UCgcJpgFzEhzWqoVzRRISrJwYoZjHVORobY80juFsDVNgI8bDExhkousAo4OJEXXcNK8kWK8qAiUv2rJ4mE1n5T7b7zln2YSlLJ8W07YoWodCHBwZWqZsRbIkS8I0DdPpLstpNqF5%2BU6CN0cwsjvppJ57f3TcM7U3eUB6HPZHleQ0jZJ5fD2f%2FwT74hJYrza6E%2FwreNRGMns%2FIH8j2vAwQqn3igKUdezx%2FxcvLL%2FNQTv26AK1LqZgqWXPjEBvQAol5CAvJq5xy84VuYVDfbdrTrnHueuNOz61aTeuSuCOdOdF9trY3wRuPn6Rf1Pq3%2FT6H9bf&RelayState=f5b0efa9645a6a81e5ed2c5e1d3e9f29" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
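
To check whether every InvalidGrant on the IdP is the expired-code case described in the reply or whether some have another cause, the IdP log can be triaged as sketched below. This is an added example, not part of the original thread or of the OIDC extension; the function names, the 1-second pairing window and sample lines 3-5 are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines 1-2 are the IdP log lines quoted in the thread; lines 3-5 are
# constructed for this example (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2020-11-18 00:23:07,119 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired
2020-11-18 00:23:07,122 - 212.47.237.47 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant
2020-11-18 00:31:40,002 - 192.0.2.10 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant
2020-11-18 00:40:12,510 - 212.47.237.47 - ERROR [org.geant.idpextension.oidc.profile.impl.ValidateGrant:177] - Profile Action ValidateGrant: Obtaining authz code failed Unwrapped data has expired
2020-11-18 00:40:12,513 - 212.47.237.47 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidGrant
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<ip>\S+) - "
    r"\w+\s+\[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$"
)
EXPIRED = "Unwrapped data has expired"
WINDOW = timedelta(seconds=1)  # assumption: both lines belong to one token request


def parse(log_text):
    """Yield (timestamp, client_ip, logger_class, message) per recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["ip"], m["logger"].rsplit(".", 1)[-1], m["msg"]


def classify_invalid_grants(log_text):
    """Return {ip: {"expired_code": n, "other": n}} for InvalidGrant events."""
    last_expiry = {}  # ip -> time of the latest ValidateGrant expiry error
    result = defaultdict(lambda: {"expired_code": 0, "other": 0})
    for ts, ip, action, msg in parse(log_text):
        if action == "ValidateGrant" and EXPIRED in msg:
            last_expiry[ip] = ts
        elif action == "LogEvent" and msg.endswith("InvalidGrant"):
            seen = last_expiry.pop(ip, None)
            expired = seen is not None and ts - seen <= WINDOW
            result[ip]["expired_code" if expired else "other"] += 1
    return dict(result)


if __name__ == "__main__":
    for ip, counts in classify_invalid_grants(SAMPLE_LOG).items():
        print(ip, counts)
```

A client address that only ever shows "expired_code" matches the 5-minute lifetime explanation; entries counted as "other" are the ones that need a different explanation.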





