puiterwijk / flask-oidc

OpenID Connect support for Flask
BSD 2-Clause "Simplified" License

ERROR:flask_oidc:ERROR: Unable to get token info #90

Closed hariyerramsetty closed 5 years ago

hariyerramsetty commented 5 years ago

I am trying to set up Keycloak integration with a simple Flask API. I am using https://gist.github.com/thomasdarimont/145dc9aa857b831ff2eff221b79d179a as the reference for setting up a simple API. I have seen similar questions on this issue on Stack Overflow, but I didn't get any solution through those questions. Maybe someone can help me resolve this issue.

My code:

app.py

```python
import json
import logging

from flask import Flask, g
from flask_oidc import OpenIDConnect
import requests

logging.basicConfig(level=logging.DEBUG)

app = Flask(__name__)
app.config.update({
    'SECRET_KEY': 'SomethingNotEntirelySecret',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_USER_INFO_ENABLED': True,
    'OIDC_OPENID_REALM': 'apiv3-login',
    'OIDC_SCOPES': ['openid', 'email', 'profile'],
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
    'OIDC_TOKEN_TYPE_HINT': 'access_token'
})

oidc = OpenIDConnect(app)

@app.route('/')
def hello_world():
    # Browser flow: session-based login via the ID token cookie.
    if oidc.user_loggedin:
        return ('Hello, %s, <a href="/private">See private</a> '
                '<a href="/logout">Log out</a>') % \
               oidc.user_getfield('preferred_username')
    else:
        return 'Welcome anonymous, <a href="/private">Log in</a>'

@app.route('/api', methods=['POST'])
@oidc.accept_token(require_token=True)
def hello_api():
    """OAuth 2.0 protected API endpoint accessible via AccessToken"""
    # accept_token() validates the bearer token through the introspection endpoint
    # and stores the introspection response in g.oidc_token_info.
    return json.dumps({'hello': 'Welcome %s' % g.oidc_token_info['sub']})

@app.route('/logout')
def logout():
    """Performs local logout by removing the session cookie."""
    oidc.logout()
    return 'Hi, you have been logged out! <a href="/">Return</a>'

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')
```

client_secrets.json

```json
{
    "web": {
        "issuer": "http://localhost:8080/auth/realms/apiv3",
        "auth_uri": "http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/auth",
        "client_id": "apiv3-login",
        "client_secret": "5551fe75-38c5-435a-a392-a6da6252439e",
        "redirect_uris": [
            "http://localhost:5000/*"
        ],
        "userinfo_uri": "http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/userinfo",
        "token_uri": "http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/token",
        "token_introspection_uri": "http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/token/introspect"
    }
}
```

I am trying to get the token using the endpoint (using Postman)

http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/token

with grant type: password.

With the access token I am trying to call localhost:5000/api with an Authorization header of type Bearer carrying the access token from the above step. I am not sure what I am doing wrong.

The flask error shows ERROR:flask_oidc:ERROR: Unable to get token info. Am I doing anything wrong?

danifr commented 5 years ago

Check 'OIDC_OPENID_REALM': 'apiv3-login', it does not look correct

hariyerramsetty commented 5 years ago

@danifr : thank you I was able to resolve it. I misinterpreted that config

amelroua commented 3 years ago

> @danifr : thank you I was able to resolve it. I misinterpreted that config

Please, I have the same issue. Can you tell me how you resolved it?

danifr commented 3 years ago

Can you please paste your config? I can take a look at it.

amelroua commented 3 years ago

> Can you please paste your config? I can take a look at it.

Thanks for your reply, I'm using WSO2 IS and this is my config file:

```json
{
    "web": {
        "issuer": "https://localhost:9443/oauth2/token",
        "auth_uri": "https://localhost:9443/oauth2/authorize",
        "client_id": "xxxx",
        "client_secret": "xxxx",
        "redirect_uris": [
            "http://localhost:5000/callback"
        ],
        "userinfo_uri": "https://localhost:9443/oauth2/userinfo",
        "token_uri": "https://localhost:9443/oauth2/token",
        "token_introspection_uri": "https://localhost:9443/oauth2/introspect"
    }
}
```

danifr commented 3 years ago

That part looks good. I would need to see the app.config object.

amelroua commented 3 years ago

> That part looks good. I would need to see the app.config object.

```python
app.config.update({
    'SECRET_KEY': 'SomethingNotEntirelySecret',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_USER_INFO_ENABLED': True,
    'OIDC_SCOPES': ['openid', 'email', 'profile'],
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
    'OIDC_ID_TOKEN_COOKIE_NAME': "oidc_token",
    'OIDC_TOKEN_TYPE_HINT': 'access_token',
    'OIDC_CALLBACK_ROUTE': '/callback'
})
```

danifr commented 3 years ago

I don't see anything wrong with what you posted. Anyway, this library has not been updated since 2017. I'd suggest taking a look at other alternatives like https://github.com/lepture/authlib

Flask examples: https://docs.authlib.org/en/latest/client/flask.html

SoumyaBadola commented 3 years ago

> That part looks good. I would need to see the app.config object.

I have a similar doubt; can you please check my config file too?

```python
app.config.update({
    'SECRET_KEY': 'SomethingNotEntirelySecret',
    'SSL_CONTENT': False,
    'TESTING': True,
    'DEBUG': True,
    "VERIFY_SSL_SERVER": False,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_RESOURCE_SERVER_ONLY': True,
    #'OIDC_INTROSPECTION_AUTH_METHOD': 'bearer',
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
    # Setting name uses an underscore; the key as originally posted was 'OIDC-SCOPES',
    # which flask-oidc never reads.
    'OIDC_SCOPES': ['openid'],
    'OIDC_TOKEN_TYPE_HINT': 'access_token'
})
```
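The two misconfigurations that surface in this thread are silent: flask-oidc ignores an unknown key such as `OIDC-SCOPES`, and a wrong `OIDC_OPENID_REALM` (the client_id instead of the Keycloak realm) only shows up later as "Unable to get token info". The checker below is an added example, not code from the thread or from flask-oidc; it cross-checks an `app.config` dict against the parsed `client_secrets.json`, treats the settings named in this thread as the known ones, and assumes a Keycloak-style issuer path (`/realms/<name>`) when deriving the realm.

```python
import re
from urllib.parse import urlparse

# Settings that appear in this thread. Any other OIDC* key is reported as a likely
# typo, because flask-oidc silently falls back to its default for unknown keys.
KNOWN_OIDC_KEYS = {
    "OIDC_CLIENT_SECRETS", "OIDC_ID_TOKEN_COOKIE_SECURE", "OIDC_REQUIRE_VERIFIED_EMAIL",
    "OIDC_USER_INFO_ENABLED", "OIDC_OPENID_REALM", "OIDC_SCOPES",
    "OIDC_INTROSPECTION_AUTH_METHOD", "OIDC_TOKEN_TYPE_HINT",
    "OIDC_RESOURCE_SERVER_ONLY", "OIDC_ID_TOKEN_COOKIE_NAME", "OIDC_CALLBACK_ROUTE",
}


def keycloak_realm(issuer):
    """Realm name from a Keycloak issuer URL (".../realms/<name>"), or None otherwise."""
    match = re.search(r"/realms/([^/]+)", urlparse(issuer).path)
    return match.group(1) if match else None


def lint_oidc_config(app_config, client_secrets):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    web = client_secrets.get("web", {})

    # 1. Mistyped setting names (e.g. 'OIDC-SCOPES') are never read by flask-oidc.
    for key in app_config:
        if key.startswith("OIDC") and key not in KNOWN_OIDC_KEYS:
            findings.append("unknown setting %r (typo? flask-oidc ignores it)" % key)

    # 2. OIDC_OPENID_REALM must name the realm, not the client_id.
    configured = app_config.get("OIDC_OPENID_REALM")
    realm = keycloak_realm(web.get("issuer", ""))
    if configured is not None:
        if configured == web.get("client_id"):
            findings.append("OIDC_OPENID_REALM %r is the client_id, not the realm" % configured)
        elif realm and configured != realm:
            findings.append("OIDC_OPENID_REALM %r != realm %r in issuer" % (configured, realm))

    # 3. accept_token() introspects the bearer token, which needs an endpoint and,
    #    with client_secret_post, a client secret to authenticate the call.
    if not web.get("token_introspection_uri"):
        findings.append("client_secrets.json lacks token_introspection_uri")
    if (app_config.get("OIDC_INTROSPECTION_AUTH_METHOD") == "client_secret_post"
            and not web.get("client_secret")):
        findings.append("client_secret_post requires client_secret in client_secrets.json")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the first report in this thread.
    secrets = {"web": {"issuer": "http://localhost:8080/auth/realms/apiv3",
                       "client_id": "apiv3-login", "client_secret": "example",
                       "token_introspection_uri": "http://localhost:8080/auth/realms/apiv3/protocol/openid-connect/token/introspect"}}
    for line in lint_oidc_config({"OIDC_OPENID_REALM": "apiv3-login"}, secrets):
        print(line)
```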