fedora-infra / flask-oidc

OpenID Connect support for Flask

Flask-OIDC ignores the redirect_uris in client_secrets.json and force /authorize endpoint #76

Closed kassielbatista closed 6 months ago

kassielbatista commented 6 months ago

Hi team,

After trying to use the Flask-OIDC lib, I'm getting the following behavior.

Even though redirect_uris is set under client_secrets.json, the lib is ignoring it and forcing a /authorize callback endpoint.

Digging a little bit in the library code I ended up here:

views.py

import logging

from authlib.integrations.base_client import OAuthError
from flask import Blueprint, abort, current_app, g, redirect, request, session, url_for

logger = logging.getLogger(__name__)

# Blueprint name "oidc_auth" matches the url_for("oidc_auth.authorize") call below.
auth_routes = Blueprint("oidc_auth", __name__)


@auth_routes.route("/login", endpoint="login")
def login_view():
    # redirect_uri precedence: an explicit override wins; otherwise a configured
    # callback route is joined to the request's Host header; otherwise this
    # blueprint's own /authorize URL. redirect_uris from client_secrets.json is
    # not consulted in any branch.
    if current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]:
        redirect_uri = current_app.config["OIDC_OVERWRITE_REDIRECT_URI"]
    elif current_app.config["OIDC_CALLBACK_ROUTE"]:
        redirect_uri = (
            f"https://{request.host}{current_app.config['OIDC_CALLBACK_ROUTE']}"
        )
    else:
        redirect_uri = url_for("oidc_auth.authorize", _external=True)
    # Remember where to send the user after the provider redirects back.
    session["next"] = request.args.get("next", request.root_url)
    return g._oidc_auth.authorize_redirect(redirect_uri)


@auth_routes.route("/authorize", endpoint="authorize")
def authorize_view():
    # Callback endpoint: exchange the authorization code for tokens.
    try:
        token = g._oidc_auth.authorize_access_token()
    except OAuthError as e:
        logger.exception("Could not get the access token")
        abort(401, str(e))
    session["oidc_auth_token"] = token
    g.oidc_id_token = token
    if current_app.config["OIDC_USER_INFO_ENABLED"]:
        profile = g._oidc_auth.userinfo(token=token)
        session["oidc_auth_profile"] = profile
    try:
        return_to = session["next"]
        del session["next"]
    except KeyError:
        return_to = request.root_url
    return redirect(return_to)

Based on this code, you are enforcing the /authorize endpoint as the callback and forcing users to use OIDC_OVERWRITE_REDIRECT_URI or OIDC_CALLBACK_ROUTE. Is this the expected behavior?

I couldn't find this anywhere in the documentation (I couldn't even find good documentation other than for 1.2.0, which is old and which you removed from pip, so we can't use it).

In order to use the redirect_uris set in the secrets file, I had to do something like:

`__init__.py`

# Inside the extension's init_app(), after self.client_secrets has been loaded:
app.config.setdefault("OIDC_OVERWRITE_REDIRECT_URI", self.client_secrets["redirect_uris"][0])

And I'm pretty sure this is not the best way of doing it.
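The precedence the three branches of login_view implement, and the consequence the reporter hit (the default /authorize callback is never compared against the redirect_uris registered with the provider), as an added stand-alone example. This is not flask-oidc's code and it does not run Flask: the redirect_uri selection is reproduced as a plain function, the client_secrets.json content is constructed with placeholder values, and the resulting URI is checked against the registered list so a mismatch shows up locally instead of as a redirect_uri error from the provider. The "web" entry shape and the take-the-inner-entry step follow the commenter's `self.client_secrets["redirect_uris"]` usage and are assumptions about the file layout.

```python
import json

# Constructed client_secrets.json content with placeholder values (not a real
# registration). Only the inner "web" entry is used, as in the commenter's
# self.client_secrets["redirect_uris"] workaround.
CLIENT_SECRETS_JSON = json.dumps({
    "web": {
        "client_id": "example-client",
        "client_secret": "not-a-real-secret",
        "issuer": "https://idp.example.test/realms/demo",
        "redirect_uris": ["https://app.example.test/oidc/callback"],
    }
})


def registered_redirect_uris(secrets_text: str) -> list:
    """Return the redirect_uris list from a client_secrets.json document.
    Assumption: the first top-level entry (e.g. "web") is the client record."""
    secrets = json.loads(secrets_text)
    first = next(iter(secrets.values()))
    return list(first.get("redirect_uris", []))


def resolve_redirect_uri(config: dict, host: str, default_authorize_url: str) -> str:
    """Mirror the branches of login_view():
    1. OIDC_OVERWRITE_REDIRECT_URI wins outright;
    2. else OIDC_CALLBACK_ROUTE is appended to https://<Host header>;
    3. else the blueprint's own /authorize URL (url_for in the real view,
       passed in here as a string).
    Note that branch 2 builds the value from the request's Host header."""
    if config.get("OIDC_OVERWRITE_REDIRECT_URI"):
        return config["OIDC_OVERWRITE_REDIRECT_URI"]
    if config.get("OIDC_CALLBACK_ROUTE"):
        return f"https://{host}{config['OIDC_CALLBACK_ROUTE']}"
    return default_authorize_url


def check_redirect_uri(config: dict, host: str, default_authorize_url: str,
                       secrets_text: str) -> tuple:
    """Resolve the redirect_uri and report whether it is one the provider has
    registered. Providers compare redirect_uri by exact string match, so the
    check here is exact as well. Returns (redirect_uri, registered)."""
    uri = resolve_redirect_uri(config, host, default_authorize_url)
    return uri, uri in registered_redirect_uris(secrets_text)


if __name__ == "__main__":
    default = "https://app.example.test/authorize"
    # Default config: falls back to /authorize, which is not in redirect_uris.
    print(check_redirect_uri({}, "app.example.test", default, CLIENT_SECRETS_JSON))
    # The reporter's workaround: seed the override from the secrets file.
    cfg = {"OIDC_OVERWRITE_REDIRECT_URI": registered_redirect_uris(CLIENT_SECRETS_JSON)[0]}
    print(check_redirect_uri(cfg, "app.example.test", default, CLIENT_SECRETS_JSON))
```

Running the check at application start, with the same host the app is served on, is enough to see which branch will be taken and whether the provider will accept it; with OIDC_CALLBACK_ROUTE the answer also depends on the Host header of each request, which is why the registered list, not the app, is what finally decides.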