[SOLVED] Python OIDC client and Shibboleth Idp with OIDC plugin
Julien Cochennec
julien.cochennec at ac-orleans-tours.fr
Wed Nov 25 15:39:12 UTC 2020
Hi, we found the problem.
We had to put the "token_endpoint_auth_method" attribute in the
ClientMetadata declaration, like this:
    # imports needed to run this snippet (not shown in the original post)
    from flask_pyoidc.provider_configuration import ProviderConfiguration, ClientMetadata

    pc = ProviderConfiguration(
        issuer=app.config['OIDC_ISSUER'],
        # provider_metadata=pmd,
        userinfo_http_method=app.config['OIDC_USERINFO_HTTP_METHOD'],
        client_metadata=ClientMetadata(
            client_id=app.config['OIDC_CLIENT_ID'],
            client_secret=app.config['OIDC_CLIENT_SECRET'],
            # must match the method the client is registered with at the IdP;
            # without it the IdP log showed ClientSecretBasic being sent
            token_endpoint_auth_method='client_secret_post'
        ),
        auth_request_params={
            'scope': app.config['OIDC_SCOPES']
        }
    )
We had to dig in the code to find that.
Adding this to the documentation of Flask-PyOIDC would have been a time
saver for us, so we are going to suggest it.
Thank you all for your advice.
On 24/11/2020 at 10:10, Julien Cochennec wrote:
>
> Hi,
>
> Interesting, we switched to Flask-PyOIDC on another branch, and a
> problem still happens, but further along.
>
> That lib seems more clearly coded, more standard, but has very little
> documentation.
>
> Anyway, here's what happens now.
>
> The auth decorator works and redirects to the login page, but then,
> after login, we always get
>
> > Something went wrong with the authentication, please try to login
> again.
>
> I fear it may be related to this post
> https://shibboleth.1660669.n2.nabble.com/OIDC-extension-OAuth2-client-authentication-error-td7643243.html
>
> Where a member of this list says:
>
> > The problem was, in fact, that they weren't including the HTTP
> authentication header to do HTTP basic auth.
>
> > They added this, and it fixed the problem. Those for the post
> endpoint information, though. That could come in handy in the future.
>
> More info about that:
>
> The IdP logs
>
> > 2020-11-23 14:38:19,281 - 212.47.237.47 - WARN
> > [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:203]
> > - Profile Action ValidateEndpointAuthentication: Unrecognized client
> > authentication com.nimbusds.oauth2.sdk.auth.ClientSecretBasic at 15d10d97
> > for client_secret_post
>
> My code (maybe wrong, I just discovered that lib; the commented-out code is
> from the last test)
>
>     # imports needed to run this snippet (not shown in the original post)
>     from flask_pyoidc import OIDCAuthentication
>     from flask_pyoidc.provider_configuration import (
>         ProviderConfiguration, ProviderMetadata, ClientMetadata)
>
>     # static provider metadata, used instead of discovery when passed in
>     pmd = ProviderMetadata(
>         issuer=app.config['OIDC_ISSUER'],
>         authorization_endpoint=app.config['OIDC_AUTH_URI'],
>         token_endpoint=app.config['OIDC_TOKEN_URI'],
>         userinfo_endpoint=app.config['OIDC_USERINFO_URI']
>     )
>
>     pc = ProviderConfiguration(
>         issuer=app.config['OIDC_ISSUER'],
>         # provider_metadata=pmd,
>         userinfo_http_method=app.config['OIDC_USERINFO_HTTP_METHOD'],
>         client_metadata=ClientMetadata(
>             client_id=app.config['OIDC_CLIENT_ID'],
>             client_secret=app.config['OIDC_CLIENT_SECRET']
>         ),
>         auth_request_params={
>             'scope': app.config['OIDC_SCOPES']
>         }
>     )
>
>     # one named provider configuration, registered with the Flask app
>     auth = OIDCAuthentication({'default': pc}, app)
>
>
> Thanks for your help. Have a nice day.
>
>
> On 19/11/2020 at 10:05, Peter Schober wrote:
>> * Julien COCHENNEC<julien.cochennec at ac-orleans-tours.fr> [2020-11-18 21:23]:
>>> We're testing a Python client that is developed with Flask (web
>>> microframework) and Flask-OIDC (OIDC add-on with oauth-client lib
>>> embedded).
>> No comment on your current issue but given that pyoidc is an OIDC
>> reference implementation (AFAIR) why not use Flask-pyoidc then?
>> https://pypi.org/project/Flask-pyoidc/
>>
>> -peter
> --
> Julien Cochennec
> Pôle de compétences - gestion des identités
>
> Email julien.cochennec at ac-orleans-tours.fr
> Tel 02 38 83 48 88
>
> DSI - Rectorat d'Orléans-Tours
> 10 Rue Molière
> 45000 Orléans
> www.ac-orleans-tours.fr
>
--
Julien Cochennec
Pôle de compétences - gestion des identités
Email julien.cochennec at ac-orleans-tours.fr
Tel 02 38 83 48 88
DSI - Rectorat d'Orléans-Tours
10 Rue Molière
45000 Orléans
www.ac-orleans-tours.fr
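The mismatch behind the thread, shown on the wire: the IdP log in the quoted message rejected a request authenticated with an HTTP Basic header (ClientSecretBasic) because the client was registered for client_secret_post. The following is an added example, not code from the original post, from Flask-pyoidc or from the Shibboleth OIDC plugin. It builds a token-endpoint request both ways (RFC 6749 section 2.3.1 Basic header versus credentials in the form body) and runs a simplified, hypothetical version of the IdP-side check that compares the presented method with the registered one. The client id, secret, authorization code and redirect URI are constructed sample values.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs, quote, unquote

# Constructed sample values for illustration only; not real credentials.
CLIENT_ID = "flask-app"
CLIENT_SECRET = "s3cr3t-value"
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://app.example.org/redirect_uri"


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization-code token request that
    authenticates the client with the given method. This is what the relying
    party (e.g. Flask-pyoidc) sends to the IdP's token endpoint."""
    params = {"grant_type": "authorization_code",
              "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the POST body instead of a header.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method {method!r}")
    return headers, urlencode(params)


def detect_auth_method(headers, body):
    """Classify how an incoming token request authenticates the client,
    i.e. what the IdP sees before it consults the client's registration."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    form = parse_qs(body)
    if "client_id" in form and "client_secret" in form:
        return "client_secret_post"
    return "none"


def validate_endpoint_auth(registered_method, headers, body, client_id, client_secret):
    """Hypothetical IdP-side check modelled on the rejection in the log:
    the presented method must equal the method registered for the client,
    and only then are the credentials compared (in constant time)."""
    presented = detect_auth_method(headers, body)
    if presented != registered_method:
        return False, f"Unrecognized client authentication {presented} for {registered_method}"
    if presented == "client_secret_basic":
        raw = base64.b64decode(headers["Authorization"][len("Basic "):]).decode()
        cid, _, secret = raw.partition(":")
        cid, secret = unquote(cid), unquote(secret)
    else:
        form = parse_qs(body)
        cid, secret = form["client_id"][0], form["client_secret"][0]
    if not (hmac.compare_digest(cid, client_id) and hmac.compare_digest(secret, client_secret)):
        return False, "invalid client credentials"
    return True, "ok"


def demo():
    """Replay the thread: default Basic auth against a client registered for
    client_secret_post fails; switching the method on the client side fixes it."""
    registered = "client_secret_post"  # what the IdP has on file for this client
    results = {}
    for sent in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request(sent, CLIENT_ID, CLIENT_SECRET, AUTH_CODE, REDIRECT_URI)
        results[sent] = validate_endpoint_auth(registered, headers, body, CLIENT_ID, CLIENT_SECRET)
    return results


if __name__ == "__main__":
    for sent, (ok, reason) in demo().items():
        print(f"client sent {sent:<20} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The point for practitioners: the client library's default authentication method and the method registered at the IdP are two independent settings, and a mismatch fails at the token endpoint after the user has already logged in, which is why the error surfaces only as a generic "something went wrong" page on the relying party and a ValidateEndpointAuthentication warning in the IdP log.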