zamzterz / Flask-pyoidc

Flask extension for using pyoidc as authentication for Flask apps.
Apache License 2.0
80 stars 38 forks source link

Edited: If for some reason your OP uses cookies, cookies from the first authentication may break subsequent auth attempts in server-side calls to /token or /userinfo. Therefore, set a rule to block all cookies in a requests.Session object and pass that into your ProviderConfiguration declaration #153

Closed mikeam565 closed 1 year ago

mikeam565 commented 1 year ago

First of all, thanks for this Flask integration.

Currently, I am able to successfully log in with one user. Subsequent users, however, cannot log in. They get to the token endpoint and the OP responds with "invalid client: the client identifier could not be found". I have traced this issue to the fact that the Client object seems to be sending cookies set by the OP from the first auth flow in subsequent flows. Should the same Client be getting used across auth flows like this?

mikeam565 commented 1 year ago

Correction: This is a specific issue probably related to non-standard implementation on my OP's part, but this is what happened (for those this might help): My OP sends back cookies, probably to handle state. requests.Session stores cookies. For some reason (probably related to aforementioned non-standard implementation), the cookies on the first successful auth flow would break subsequent auth flows. So I added a rule to block all cookies to the requests.Session object I passed into ProviderConfiguration and it worked.

Edited on 4/6 for clarity.