puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

Add option for `Host: <address>` for token introspection #104

Closed svintit closed 4 years ago

svintit commented 4 years ago

Seems I've come across a problem I cannot solve using flask-oidc.

You need to make sure that you introspect the token using the same DNS hostname/port as the token issuer. Unfortunately that's a not widely documented "feature" of Keycloak.

The workaround is to add to the introspection request a header defining the Host: <address> of the issuer. There is no option to do this in flask-oidc.

This is also defined in the OpenID Connect documentation:

```http
POST {base_url}/realms/{realm}/protocol/openid-connect/token/introspect HTTP/1.1
Host: {issuer_url}
Content-Type: application/x-www-form-urlencoded

token=<...>&token_type_hint=access_token&client_id=<...>&client_secret=<...>
```

https://openid.net/specs/openid-connect-basic-1_0.html

This could be done by adding a new config variable that is loaded in from Flask.
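Added example (not flask-oidc's code, and not code from the issue author): the introspection request above built with the Python standard library, sending the POST to one address while putting the issuer's host[:port] in the `Host` header. It goes a little beyond the issue text by deriving the `Host` value from the issuer URL and by applying the minimum RFC 7662 checks on the response (`active` must be boolean `true`, `exp` must be in the future). The hostnames, realm, client id and the `issuer_host` parameter name are assumptions made for illustration; the function names are not flask-oidc API.

```python
"""Keycloak token introspection with an explicit Host header.

Added example, not part of flask-oidc. It assumes the Keycloak URL layout
shown in the issue ({base_url}/realms/{realm}/protocol/openid-connect/token/introspect);
all hostnames and credentials below are placeholders.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def host_header_from_issuer(issuer: str) -> str:
    """Return the host[:port] part of an issuer URL, i.e. the Host header value.

    Keycloak compares the incoming Host against the issuer it put in the
    token's `iss` claim, so the header must carry exactly that host and port.
    """
    netloc = urllib.parse.urlparse(issuer).netloc
    if not netloc:
        raise ValueError(f"issuer URL has no host component: {issuer!r}")
    return netloc


def build_introspection_request(base_url: str, realm: str, token: str,
                                client_id: str, client_secret: str,
                                issuer_host: Optional[str] = None,
                                token_type_hint: str = "access_token"
                                ) -> urllib.request.Request:
    """Build the RFC 7662 introspection POST described in the issue.

    base_url    where the request is actually sent (may be an internal address)
    issuer_host host[:port] to send in the Host header; None keeps urllib's
                default, which is the host from base_url
    """
    url = (f"{base_url.rstrip('/')}/realms/{realm}"
           "/protocol/openid-connect/token/introspect")
    # Client credentials go in the form body, as in the issue's example.
    body = urllib.parse.urlencode({
        "token": token,
        "token_type_hint": token_type_hint,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    if issuer_host:
        # urllib only fills in Host when the caller did not set one, so this
        # header is sent verbatim instead of the host taken from base_url.
        req.add_header("Host", issuer_host)
    return req


def introspect_token(req: urllib.request.Request, timeout: float = 5.0,
                     opener: Optional[urllib.request.OpenerDirector] = None) -> dict:
    """Send the request and return the decoded JSON introspection response.

    Note: TLS certificate validation uses the hostname in the URL, not the
    Host header, so base_url must still present a certificate valid for its
    own name.
    """
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=timeout) as resp:
        return json.load(resp)


def token_is_active(introspection: dict, now: Optional[float] = None) -> bool:
    """Minimum RFC 7662 checks before trusting any other claim.

    `active` must be the JSON boolean true (not a string), and if `exp` is
    present it must still be in the future.
    """
    if introspection.get("active") is not True:
        return False
    exp = introspection.get("exp")
    if exp is not None:
        current = time.time() if now is None else now
        if exp <= current:
            return False
    return True


if __name__ == "__main__":
    # Placeholder values; nothing is sent unless introspect_token() is called.
    issuer = "https://sso.example.com:8443/auth/realms/demo"
    req = build_introspection_request(
        base_url="https://keycloak.internal:8443/auth", realm="demo",
        token="<access token>", client_id="flask-app", client_secret="<secret>",
        issuer_host=host_header_from_issuer(issuer))
    print(req.get_method(), req.full_url)
    print(dict(req.header_items()))
```

If flask-oidc grew the config variable the issue asks for, the value handed to `issuer_host` is what it would carry; with the rest of the request unchanged, Keycloak sees the same host it used as `iss` when it minted the token.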