Open ashic opened 6 years ago
It appears Google are quite naughty here... https://tools.ietf.org/html/rfc6749#section-2.3.1
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
It appears Google does have a setting to use headers: https://github.com/google/oauth2client/blob/3071457064f3705bab1b041bd624a10d5a2d2619/oauth2client/client.py#L1859
authorization_header: string, For use with OAuth 2.0 providers that require a client to authenticate using a header value instead of passing client_secret in the POST body.
That's in the constructor of OAuth2WebServerFlow.
While that's in the constructor, it looks like we're using flow_from_clientsecrets to create the instance, which doesn't provide an option to specify the code in the header.
I've managed to get it working by monkey patching _flow_for_request:
```python
from base64 import b64encode
from copy import copy

from flask import current_app, url_for
from flask_oidc import OpenIDConnect


def flow_fr(self):
    """
    Build a flow with the correct absolute callback URL for this request.
    :return:
    """
    flow = copy(self.flow)
    # current_app is the Flask application object flask_oidc reads its config from
    redirect_uri = current_app.config['OVERWRITE_REDIRECT_URI']
    if not redirect_uri:
        flow.redirect_uri = url_for('_oidc_callback', _external=True)
    else:
        flow.redirect_uri = redirect_uri
    auth_method = current_app.config['OIDC_INTROSPECTION_AUTH_METHOD']
    print("method is {}".format(auth_method))
    if auth_method == 'client_secret_basic':
        # Send client_id:client_secret as an HTTP Basic header instead of in the POST body.
        # The debug prints of the credential itself are left out here: they would
        # write the client secret to stdout/the application log.
        basic_auth_string = '%s:%s' % (self.client_secrets['client_id'], self.client_secrets['client_secret'])
        basic_auth_bytes = bytearray(basic_auth_string, 'utf-8')
        # b64encode returns bytes; decode so the header reads "Basic <b64>" and not "Basic b'<b64>'"
        flow.authorization_header = 'Basic %s' % b64encode(basic_auth_bytes).decode('utf-8')
    return flow


OpenIDConnect._flow_for_request = flow_fr
```
The code is similar to _get_token_info. I did have to change the following line:
flow.authorization_header = 'Basic %s' % b64encode(basic_auth_bytes).decode('utf-8')
by adding a decode('utf-8') at the end. Otherwise the string was coming out as "Basic b'encoded value'". (e.g. with the b and single quotes around it). I'm wondering if the line in _get_token_info needs the decode('utf-8') bit as well.
I'll submit a PR with the change to _flow_for_request.
I'm looking to use this with Hydra. When handling oidc_callback, I get an error:
On the hydra logs, I see this:
It appears hydra wants "code" to be in the Authorization Header. https://github.com/ory/hydra/issues/174 would suggest as much. Is there a way around this? It appears the (now deprecated) oauth client is putting the code in the POST body.
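As an added example (not code from this issue, flask-oidc or oauth2client): the client_secret_basic header construction from the monkey patch above in its correct Python 3 form next to the pre-fix bytes interpolation, plus a server-side parser that shows why the "Basic b'...'" value is rejected. It goes one step beyond the patch by form-urlencoding client_id and client_secret before the base64 step, as RFC 6749 section 2.3.1 specifies; the client id and secret values in the test are constructed.

```python
# Added example: build and check an RFC 6749 section 2.3.1 client_secret_basic
# Authorization header on Python 3. Not part of flask-oidc or oauth2client.
import binascii
from base64 import b64decode, b64encode
from urllib.parse import quote_plus, unquote_plus


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """Return the Authorization header value for client_secret_basic.

    RFC 6749 2.3.1: client_id and client_secret are form-urlencoded, joined
    with ':' and base64-encoded. b64encode returns bytes, so the result is
    decoded back to str; interpolating the bytes directly produces
    "Basic b'...'", which is the bug described in the issue.
    """
    user_pass = "%s:%s" % (quote_plus(client_id, safe=""), quote_plus(client_secret, safe=""))
    return "Basic " + b64encode(user_pass.encode("utf-8")).decode("ascii")


def buggy_header(client_id: str, client_secret: str) -> str:
    """The pre-fix behaviour: bytes interpolated with %s on Python 3."""
    return "Basic %s" % b64encode(("%s:%s" % (client_id, client_secret)).encode("utf-8"))


def parse_client_secret_basic(header: str):
    """Decode an Authorization header the way a token endpoint would.

    Returns (client_id, client_secret) or None. Anything that is not
    'Basic <base64>' is rejected; the "Basic b'...'" form fails strict
    base64 validation because of the quote characters.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    cid, secret = raw.split(":", 1)
    return unquote_plus(cid), unquote_plus(secret)
```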