Python OIDC client and Shibboleth Idp with OIDC plugin

Julien Cochennec julien.cochennec at ac-orleans-tours.fr
Tue Nov 24 09:10:57 UTC 2020


Hi,

Interesting, we switched to Flask-PyOIDC on another branch, and a 
problem still happens, but further along.

That lib seems more clearly coded and more standard, but has very little 
documentation.

Anyway, here's what happens now.

The auth decorator works and redirects to the login page, but then, after 
login, we always get

 > Something went wrong with the authentication, please try to login again.

I fear it may be related to this post 
https://shibboleth.1660669.n2.nabble.com/OIDC-extension-OAuth2-client-authentication-error-td7643243.html

where a member of this list says:

 > The problem was, in fact, that they weren't including the HTTP 
authentication header to do HTTP basic auth.

 > They added this, and it fixed the problem. Those for the post 
endpoint information, though. That could come in handy in the future.

More info about that:

The IdP logs:

 > 2020-11-23 14:38:19,281 - 212.47.237.47 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:203] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretBasic at 15d10d97 for client_secret_post

My code (maybe wrong, I just discovered that lib; the commented-out code is 
from the last test):

from flask import Flask
from flask_pyoidc import OIDCAuthentication
from flask_pyoidc.provider_configuration import (
    ClientMetadata, ProviderConfiguration, ProviderMetadata)

app = Flask(__name__)
# app.config is expected to already hold the OIDC_* settings used below.

# Static provider endpoints (used instead of discovery in the last test).
pmd = ProviderMetadata(
    issuer=app.config['OIDC_ISSUER'],
    authorization_endpoint=app.config['OIDC_AUTH_URI'],
    token_endpoint=app.config['OIDC_TOKEN_URI'],
    userinfo_endpoint=app.config['OIDC_USERINFO_URI']
)

# Provider + client registration; issuer alone triggers OIDC discovery.
pc = ProviderConfiguration(
    issuer=app.config['OIDC_ISSUER'],
    # provider_metadata=pmd,
    userinfo_http_method=app.config['OIDC_USERINFO_HTTP_METHOD'],
    client_metadata=ClientMetadata(
        client_id=app.config['OIDC_CLIENT_ID'],
        client_secret=app.config['OIDC_CLIENT_SECRET']
    ),
    auth_request_params={
        'scope': app.config['OIDC_SCOPES']
    }
)

# Register the provider under the name 'default' with the Flask app.
auth = OIDCAuthentication({'default': pc}, app)


Thanks for your help. Have a nice day.


On 19/11/2020 at 10:05, Peter Schober wrote:
> * Julien COCHENNEC <julien.cochennec at ac-orleans-tours.fr> [2020-11-18 21:23]:
>> We're testing a Python client that is developed with Flask (web
>> microframework) and Flask-OIDC (OIDC add-on with oauth-client lib
>> embedded).
> No comment on your current issue but given that pyoidc is an OIDC
> reference implementation (AFAIR) why not use Flask-pyoidc then?
> https://pypi.org/project/Flask-pyoidc/
>
> -peter

-- 
Julien Cochennec
Competence centre - identity management

Email julien.cochennec at ac-orleans-tours.fr
Tel 02 38 83 48 88

DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr
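The WARN line quoted above says the IdP received an HTTP Basic credential (ClientSecretBasic) for a client whose registration only allows client_secret_post; the secret can be correct and the request is still rejected, because the token endpoint validates the authentication method against the registration. The following is an added example, not code from the list post, Flask-pyoidc or the Shibboleth OIDC plugin. It builds the two forms of token request with constructed client values and models the IdP-side check that produces that warning; the client id, secret, code and redirect URI are all constructed sample values.

```python
"""Model of the OIDC token-endpoint client authentication check.

Added example with constructed values; not from the list post, Flask-pyoidc
or the Shibboleth OIDC plugin.
"""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample values (not real credentials).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret-do-not-use"
REDIRECT_URI = "https://client.example/redirect_uri"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"  # constructed authorization code


def build_token_request(auth_method, code=AUTH_CODE, redirect_uri=REDIRECT_URI):
    """Return (headers, urlencoded_body) for an authorization_code token request.

    client_secret_basic: credentials go into an HTTP Basic Authorization header
    (RFC 6749 section 2.3.1: id and secret are form-urlencoded before base64).
    client_secret_post:  credentials go into the form body as client_id/client_secret.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        raw = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif auth_method == "client_secret_post":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported client authentication method: {auth_method}")
    return headers, urlencode(form)


def detect_client_auth_method(headers, body):
    """Classify how a token request authenticates the client, as an IdP would."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    form = parse_qs(body)
    if "client_secret" in form:
        return "client_secret_post"
    return "none"


def decode_basic_credentials(headers):
    """Return (client_id, client_secret) carried in a Basic Authorization header."""
    encoded = headers["Authorization"].split(" ", 1)[1]
    client_id, client_secret = base64.b64decode(encoded).decode().split(":", 1)
    return unquote(client_id), unquote(client_secret)


def validate_endpoint_authentication(headers, body, registered_method):
    """Mirror the IdP's ValidateEndpointAuthentication step.

    The provider accepts only the method recorded in the client's registration;
    a request that authenticates any other way is rejected even when the
    credentials themselves are correct, which is what the WARN line reports.
    """
    presented = detect_client_auth_method(headers, body)
    if presented != registered_method:
        return False, f"Unrecognized client authentication {presented} for {registered_method}"
    return True, "client authenticated with " + presented


if __name__ == "__main__":
    # Client registered for client_secret_post, library sending Basic auth.
    hdrs, body = build_token_request("client_secret_basic")
    print(validate_endpoint_authentication(hdrs, body, "client_secret_post"))
    # The same client sending what the registration expects.
    hdrs, body = build_token_request("client_secret_post")
    print(validate_endpoint_authentication(hdrs, body, "client_secret_post"))
```

The practical check is therefore to compare the token_endpoint_auth_method in the client's registration on the IdP with what the client library actually sends, and align one side with the other; which of the two to change is a policy decision, since either method is acceptable as long as the token request travels over TLS.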
