Closed ashic closed 5 years ago
Hi,
Thanks for your interest in flask-oidc.
For the resource server case, `flask.g.oidc_token_info` gets set with the output of `_get_token_info`, so all the token claims, if the token is indeed valid and contains the required scopes.
This is referenced in the documentation: `return json.dumps('Welcome %s' % g.oidc_token_info['sub'])`.
For access_token based API calls, there's no way of getting any information, as get_access_token uses the sub of the id_token. If a user's not logged in (e.g. API call with Bearer token), then it blows up. Looking up the access token from the header, and passing it to oidc._get_token_info(token) does introspect and give the token details though. Is there something wrong with this approach?
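The flow discussed in this thread (take the bearer token from the `Authorization` header, introspect it, then read the claims only if the token is active and carries the required scopes), as an added example that is not part of the thread and is not flask-oidc's code. It is standalone Python: `introspect`, `fake_introspect` and the sample tokens are constructed stand-ins for the provider's RFC 7662 introspection call.

```python
import re

# RFC 6750 "Bearer" scheme: scheme name is case-insensitive, token is b64token.
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


class TokenRejected(Exception):
    """Raised when the request must be refused (401/403 in an API)."""


def bearer_token(authorization_header):
    """Extract the access token from an Authorization header value."""
    match = _BEARER.match(authorization_header or "")
    if not match:
        raise TokenRejected("missing or malformed bearer token")
    return match.group(1)


def check_access_token(authorization_header, introspect, required_scopes=()):
    """Introspect the bearer token and return its claims if it is usable.

    `introspect` is a hypothetical callable (token -> dict) standing in for
    the request to the provider's introspection endpoint.
    """
    claims = introspect(bearer_token(authorization_header))
    # RFC 7662: "active" is the only required member; anything but True fails.
    if claims.get("active") is not True:
        raise TokenRejected("token is not active")
    granted = set(claims.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        raise TokenRejected("missing scopes: " + " ".join(sorted(missing)))
    return claims


# Constructed introspection responses, keyed by constructed token values.
_SAMPLE = {
    "tok-good": {"active": True, "sub": "user-123", "scope": "openid profile"},
    "tok-expired": {"active": False},
}


def fake_introspect(token):
    """Constructed stand-in for the provider; unknown tokens are inactive."""
    return _SAMPLE.get(token, {"active": False})
```

The claims are returned only after both checks pass, so a handler never reads `sub` from an inactive or under-scoped token.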