Open LoanR opened 1 year ago
The project uses Flask-pyoidc, which uses the package oic.
oic (aka pyoidc) compares the issuer provided by the consumer (in our case, Flask-pyoidc) with the one in the discovery document, the .json provided by the well-known URL.
It seems like Educonnect is adding /idp at the end of the issuer URL in the well-known.
This URL ends in a 404.
The right way to fix this bug is to fix Educonnect's well-known, which sends a bad endpoint. But we can't really wait for it to be fixed.
oic has a configuration option that can skip the comparison: `issuer_mismatch`.
But Flask-pyoidc does not seem to provide an interface for that.
Since Flask-pyoidc 3.11, it relies on oic to compare the two issuer values. https://github.com/zamzterz/Flask-pyoidc/issues/141#issuecomment-1217087722
We could then downgrade to 3.10, wait for Educonnect to fix their discovery, and then update back to a recent version to avoid possible vulnerabilities. @azmeuk the update for this lib will probably have to wait...
One instance of B3Desk tries to connect with an OIDC provider, Educonnect.
It fails on start with:
oic.exception.PyoidcError: provider info issuer mismatch
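The check that fails above is the OpenID Connect Discovery rule that the `issuer` in the provider's metadata must be identical to the issuer URL the relying party was configured with. The stand-alone snippet below re-creates that comparison so the failure mode from this issue (a provider appending a path segment such as `/idp`) and the effect of an "allow mismatch" opt-out can be seen in isolation. It is an added example, not code from Flask-pyoidc, pyoidc or B3Desk: the discovery documents and the `op.example.test` host are constructed placeholders, and the `allow_issuer_mismatch` flag is this example's own name for the kind of opt-out the issue describes, not necessarily oic's exact API.

```python
"""Re-create the OIDC discovery issuer check, stand-alone (added example).

Assumptions (not from the issue): the discovery documents below are constructed
samples and the host name is a placeholder, not the real provider's endpoints.
"""
import json
import logging
from typing import Optional

log = logging.getLogger("issuer-check")


class IssuerMismatch(Exception):
    """Raised when the discovery document names a different issuer than configured."""


def normalize_issuer(issuer: str) -> str:
    """Tolerate only a trailing slash; everything else must match exactly.

    Discovery requires the document's `issuer` to be identical to the URL the
    relying party used, so no looser matching (case folding, path prefixes) is done.
    """
    return issuer.rstrip("/")


def well_known_url(issuer: str) -> str:
    """Where the relying party is expected to fetch the discovery document from."""
    return normalize_issuer(issuer) + "/.well-known/openid-configuration"


def compare_issuers(configured: str, declared: str) -> Optional[str]:
    """Return None when the issuers agree, otherwise a human-readable reason."""
    c, d = normalize_issuer(configured), normalize_issuer(declared)
    if c == d:
        return None
    if d.startswith(c + "/"):
        # The situation from the issue: the provider appends a path segment.
        return f"declared issuer has extra path {d[len(c):]!r}"
    return f"declared issuer {d!r} does not match configured {c!r}"


def check_issuer(configured: str, discovery_json: str,
                 allow_issuer_mismatch: bool = False) -> bool:
    """Validate a discovery document against the configured issuer.

    Returns True on a match and False on a tolerated mismatch; raises
    IssuerMismatch otherwise. The opt-out should only be used while a provider's
    metadata is known to be wrong: this comparison is what stops a relying party
    from trusting metadata that points at endpoints belonging to someone else.
    """
    doc = json.loads(discovery_json)
    reason = compare_issuers(configured, doc["issuer"])
    if reason is None:
        return True
    if allow_issuer_mismatch:
        log.warning("provider info issuer mismatch tolerated: %s", reason)
        return False
    raise IssuerMismatch(f"provider info issuer mismatch: {reason}")


# Constructed sample data (placeholder host, not a real provider).
CONFIGURED_ISSUER = "https://op.example.test"

GOOD_DISCOVERY = json.dumps({
    "issuer": "https://op.example.test",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
})

# Same provider, but the issuer carries an extra "/idp" segment as in the issue.
IDP_SUFFIX_DISCOVERY = json.dumps({
    "issuer": "https://op.example.test/idp",
    "authorization_endpoint": "https://op.example.test/authorize",
    "token_endpoint": "https://op.example.test/token",
    "jwks_uri": "https://op.example.test/jwks",
})

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(well_known_url(CONFIGURED_ISSUER))
    print(check_issuer(CONFIGURED_ISSUER, GOOD_DISCOVERY))
    try:
        check_issuer(CONFIGURED_ISSUER, IDP_SUFFIX_DISCOVERY)
    except IssuerMismatch as exc:
        print(exc)
    print(check_issuer(CONFIGURED_ISSUER, IDP_SUFFIX_DISCOVERY, allow_issuer_mismatch=True))
```

The `compare_issuers` reason string makes the suffix visible, which is what a reporter wants when filing the bug with the provider; the opt-out path logs a warning on every start so a temporary workaround does not silently become permanent.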