puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

oauth2client.client.FlowExchangeError: Scope parameter is not supported on an authorization code access_token exchange request #124

Open Lauenburg opened 3 years ago

Lauenburg commented 3 years ago

The Problem:

The library flask-oidc includes the scope parameter into the authorization-code/access-token exchange request, which unsurprisingly throws the following error:

oauth2client.client.FlowExchangeError: invalid_request Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorized request.

The Question:

Is this a configuration problem or a library problem?

My Configurations:

```python
from flask import Flask
from flask_oidc import OpenIDConnect

app = Flask(__name__)
app.config.update({
    'DEBUG': True,
    'TESTING': True,
    'SECRET_KEY': 'secret',
    'SERVER_NAME': 'flask.example.com:8000',
    'OIDC_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_CALLBACK_ROUTE': '/oidc/callback',
    'OIDC_CLIENT_SECRETS': 'client_secrets.json'
})
oidc = OpenIDConnect(app)
```

- Access Manager

For the access manager I use [OpenAM](https://github.com/OpenIdentityPlatform/OpenAM). I configured an OpenAM client agent as follows:

- Client ID = `MyClientID`
- Client Secret = `password`
- Response Type = `code`
- Token Endpoint Authentication Method = `client_secret_post`
- Redirect URI = `http://flask.example.com:8000/oidc/callback`

**Context**:
I use [flask-oidc](https://github.com/puiterwijk/flask-oidc/) for the logic on the application side and [OpenAM](https://github.com/OpenIdentityPlatform/OpenAM) for the identity and access management - both applications run in docker containers. When using simple curl commands I can retrieve an authorization grant as well as an authentication token (grant type: Authorization Code Grant). However, using the mentioned library, after logging in to OpenAM and granting authorization to the application (endpoint 'oauth2/authorize'), flask-oidc sends the following GET request:

    GET /oidc/callback?code=<some code> \
    &scope=openid%20email \
    &iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2 \
    &state=<some state> \
    &client_id=MyClientID

Which leads to the error mentioned above.
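For readers following the exchange above, here is an added illustration (not code from flask-oidc or from the issue author) of what a client should do with that callback: validate `state` and the `iss` parameter OpenAM echoes back, then build the token-endpoint form body for `client_secret_post` with only the parameters RFC 6749 section 4.1.3 defines, so no `scope` is sent. The issuer, client id, secret and redirect URI are constructed from the values quoted in the issue.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed values mirroring the deployment described in the issue.
EXPECTED_ISSUER = "http://openam.example.com:8080/openam/oauth2"
CLIENT_ID = "MyClientID"
CLIENT_SECRET = "password"  # placeholder from the issue, not a real secret
REDIRECT_URI = "http://flask.example.com:8000/oidc/callback"


def parse_callback(url, expected_state):
    """Validate the authorization response and return the code.

    The callback carries `scope` as well, but the client must not forward it
    to the token endpoint; it only needs `code` once `state` and `iss` check out.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: callback not bound to this login")
    # OpenAM echoes `iss`; when present it must name the issuer we started with.
    if "iss" in params and params["iss"] != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch: " + params["iss"])
    if "code" not in params:
        raise ValueError("missing authorization code")
    return params["code"]


def token_request_body(code):
    """Form fields for the authorization-code exchange with client_secret_post.

    Deliberately no `scope` key: scope belongs on the authorization request,
    which is exactly what the OpenAM error message quoted in the issue says.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


# Constructed sample callback shaped like the one quoted in the issue.
SAMPLE_CALLBACK = (
    "http://flask.example.com:8000/oidc/callback?code=abc123"
    "&scope=openid%20email"
    "&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2"
    "&state=xyz&client_id=MyClientID"
)

if __name__ == "__main__":
    print(urlencode(token_request_body(parse_callback(SAMPLE_CALLBACK, "xyz"))))
```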

Bcubrich commented 2 years ago

I have the same issue, please let me know if you can resolve it.