The Problem:
The library flask-oidc includes the scope parameter in the authorization-code/access-token exchange request, which unsurprisingly throws the following error:
oauth2client.client.FlowExchangeError: invalid_request Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorized request.
The Question:
Is this a configuration problem or a library problem?
My Configurations:
- Flask Application:
from flask import Flask
from flask_oidc import OpenIDConnect

# app itself is not shown in the question; constructed here so the snippet runs
app = Flask(__name__)
app.config.update({
    'DEBUG': True,
    'TESTING': True,
    'SECRET_KEY': 'secret',
    'SERVER_NAME': 'flask.example.com:8000',
    'OIDC_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_CALLBACK_ROUTE': '/oidc/callback',
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
})
oidc = OpenIDConnect(app)
- client_secrets.json
{
  "web": {
    "auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize",
    "issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/",
    "userinfo_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/userinfo",
    "client_id": "MyClientID",
    "client_secret": "password",
    "redirect_uris": ["http://flask.example.com:8000/oidc/callback"],
    "token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token",
    "token_introspection_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/introspect"
  }
}
- Access Manager
For the access manager I use OpenAM. I configured an OpenAM client agent as follows:
- Client ID = MyClientID
- Client Secret = password
- Response Type = code
- Token Endpoint Authentication Method = client_secret_post
- Redirect URI = http://flask.example.com:8000/oidc/callback
Context: I use flask-oidc for the logic on the application side and OpenAM for the identity and access management - both applications run in Docker containers. When using simple curl commands I can retrieve an authorization grant as well as an authentication token (grant type: Authorization Code Grant). However, using the mentioned library, after logging in to OpenAM and granting authorization to the application (endpoint 'oauth2/authorize'), flask-oidc sends the following GET request:
GET /oidc/callback?code=<some code> \
&scope=openid%20email \
&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2 \
&state=<some state> \
&client_id=MyClientID
Which leads to the error mentioned above.
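The distinction OpenAM's error message draws is the one RFC 6749 makes: scope belongs on the authorization request (section 4.1.1), not on the code-for-token exchange (section 4.1.3). The following is an added example, written for this page and not taken from the question, from flask-oidc or from OpenAM. It builds both requests from the question's client_secrets.json values, parses a callback shaped like the one shown above (the code and state values are constructed placeholders, the other parameters are copied from the page), and runs a small hypothetical checker over a token-request body that flags the `scope` parameter the question reports. The callback parser also compares the `iss` value against the configured issuer; on the page's own values those two strings differ (one ends in `/oauth2`, the other in `/oauth2/realms/root/`), which is worth confirming against OpenAM's discovery document rather than assuming either way.

```python
"""Authorization-code flow, client side: where `scope` goes and where it must not.

Added example; not code from the question, flask-oidc or OpenAM. Helper
names (build_authorization_url, parse_callback, build_token_request,
check_token_request) are hypothetical and exist only for this demonstration.
"""
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Relying-party settings copied from the question's client_secrets.json.
CLIENT_SECRETS = {
    "auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize",
    "token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token",
    "issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/",
    "client_id": "MyClientID",
    "client_secret": "password",
    "redirect_uris": ["http://flask.example.com:8000/oidc/callback"],
}

# Constructed stand-in for the callback shown in the question: code and state
# are placeholder values, the scope/iss/client_id parameters are verbatim.
SAMPLE_CALLBACK = (
    "http://flask.example.com:8000/oidc/callback?code=c0de-from-openam"
    "&scope=openid%20email"
    "&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2"
    "&state=st4te-from-session"
    "&client_id=MyClientID"
)


def build_authorization_url(secrets, state, scopes=("openid", "email")):
    """RFC 6749 4.1.1: the authorization request is where `scope` is sent."""
    params = {
        "response_type": "code",
        "client_id": secrets["client_id"],
        "redirect_uri": secrets["redirect_uris"][0],
        "scope": " ".join(scopes),
        "state": state,
    }
    return secrets["auth_uri"] + "?" + urlencode(params)


def parse_callback(url, expected_state, expected_issuer):
    """Extract the code from the redirect and check state (CSRF binding) and iss."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error']}")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    # Constant-time compare: the state must equal the value bound to this session.
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    iss = q.get("iss")
    # Trailing-slash-insensitive comparison of the callback's iss with the
    # configured issuer; the caller decides what a mismatch means.
    issuer_matches = iss is None or iss.rstrip("/") == expected_issuer.rstrip("/")
    return {"code": q["code"], "iss": iss, "issuer_matches": issuer_matches}


def build_token_request(secrets, code):
    """RFC 6749 4.1.3 body for client_secret_post: no `scope` parameter."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": secrets["redirect_uris"][0],
        "client_id": secrets["client_id"],
        "client_secret": secrets["client_secret"],
    }


def check_token_request(body):
    """Return a list of problems with a code-exchange body (empty list = clean)."""
    problems = []
    for key in ("grant_type", "code", "redirect_uri", "client_id"):
        if key not in body:
            problems.append(f"missing required parameter: {key}")
    if body.get("grant_type") != "authorization_code":
        problems.append("grant_type must be authorization_code for a code exchange")
    if "scope" in body:
        problems.append(
            "scope is not accepted on the code exchange; send it on the "
            "authorization request instead"
        )
    return problems


if __name__ == "__main__":
    state = "st4te-from-session"
    print(build_authorization_url(CLIENT_SECRETS, state))
    cb = parse_callback(SAMPLE_CALLBACK, state, CLIENT_SECRETS["issuer"])
    good = build_token_request(CLIENT_SECRETS, cb["code"])
    # Reconstruction of what the question describes: the same body with scope added.
    bad = dict(good, scope="openid email")
    print("clean body problems:", check_token_request(good))
    print("body with scope problems:", check_token_request(bad))
    print("iss matches configured issuer:", cb["issuer_matches"])
```

The checker is the piece to reuse: run it over whatever body your client actually posts to token_uri (a proxy or a debug hook in the HTTP library will show it) before blaming the server. Anything the checker flags, OpenAM is entitled to reject with invalid_request.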