The Problem:

The library flask-oidc includes the scope parameter into the authorization-code/access-token exchange request, which unsurprisingly throws the following error:

oauth2client.client.FlowExchangeError: invalid_request Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorized request.

The Question:

Is this a configuration problem or a library problem?

My Configurations:

• Flask Application:

app.config.update({'DEBUG': True,'TESTING': True,'SECRET_KEY': 'secret','SERVER_NAME' : 'flask.example.com:8000','OIDC_COOKIE_SECURE': False,'OIDC_REQUIRE_VERIFIED_EMAIL': False,'OIDC_CALLBACK_ROUTE': '/oidc/callback','OIDC_CLIENT_SECRETS': 'client_secrets.json'
})
oidc = OpenIDConnect(app)

• client_secrets.json

{"web": {"auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize","issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/","userinfo_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/userinfo","client_id": "MyClientID","client_secret": "password","redirect_uris": ["http://flask.example.com:8000/oidc/callback"],"token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token","token_introspection_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/introspect"}
}

• Access Manager

For the access manager I use OpenAM. I configured an OpenAM client agent as follows:

• Client ID = MyClientID
• Client Secret = password
• Response Type = code
• Token Endpoint Authentication Method = client_secret_post
• Redirect URI = http://flask.example.com:8000/oidc/callback

Context: I use flask-oidc for the logic on the application side and OpenAM for the identity and access management - both applications run in docker containers. When using simple curl commands I can retrieve an authorization grant as well as an authentication token (grant type: Authorization Code Grant). However, using the mentioned library, after logging in to OpenAM and granting authorization to the application (endpoint 'oauth2/authorize'), flask-oidc sends the following GET request:

GET /oidc/callback?code=<some code> \
&scope=openid%20email \
&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2 \
&state=<some state> \
&client_id=MyClientID

Which leads to the error mentioned above.

While this does not directly answer the question, the best answer I could find was to use pyJWT or oauthlib instead of using flask-oidc. I found pyjwt was very straightforward in most respects, and there is an excellent tutorial here:

SSO Using Flask Request Oauthlib and pyjwt

I am not sure of this, but because the error is generated by oauth2client, not flask-oidc, it is possible the error is actually just related to the deprecated oathlib2clientlib.

There was a detailed request to mark the entire flask-oidc project as deprecated, but that request was made several years after the flask-oidc project was stopped being maintained. I hope one day flask will roove this link from their site because it is misleading to think that it is a main part of flask.