Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauth2client.client.FlowExchangeError: Scope parameter is not supported on an authorization code access_token exchange request #124

Open
Lauenburg opened this issue Feb 22, 2021 · 1 comment
Open

oauth2client.client.FlowExchangeError: Scope parameter is not supported on an authorization code access_token exchange request #124

Lauenburg opened this issue Feb 22, 2021 · 1 comment

Comments

@Lauenburg
Copy link

The Problem:

The library flask-oidc includes the scope parameter into the authorization-code/access-token exchange request, which unsurprisingly throws the following error:

oauth2client.client.FlowExchangeError: invalid_request Scope parameter is not supported on an authorization code access_token exchange request. Scope parameter should be supplied to the authorized request.

The Question:

Is this a configuration problem or a library problem?

My Configurations:

  • Flask Application:
app.config.update({
    'DEBUG': True,
    'TESTING': True,
    'SECRET_KEY': 'secret',
    'SERVER_NAME' : 'flask.example.com:8000',
    'OIDC_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_CALLBACK_ROUTE': '/oidc/callback',
    'OIDC_CLIENT_SECRETS': 'client_secrets.json'
})
oidc = OpenIDConnect(app)
  • client_secrets.json
{
    "web": {
        "auth_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/authorize",
        "issuer": "http://openam.example.com:8080/openam/oauth2/realms/root/",
        "userinfo_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/userinfo",
        "client_id": "MyClientID",
        "client_secret": "password",
        "redirect_uris": [
            "http://flask.example.com:8000/oidc/callback"
        ],
        "token_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/token",
        "token_introspection_uri": "http://openam.example.com:8080/openam/oauth2/realms/root/introspect"
    }
}
  • Access Manager

For the access manager I use OpenAM. I configured an OpenAM client agent as follows:

  • Client ID = MyClientID
  • Client Secret = password
  • Response Type = code
  • Token Endpoint Authentication Method = client_secret_post
  • Redirect URI = http://flask.example.com:8000/oidc/callback

Context:
I use flask-oidc for the logic on the application side and OpenAM for the identity and access management - bot applications run in docker containers. When using simple curl commands I can retrieve an authorization grant as well as an authentication token (grant type: Authorization Code Grant). However, using the mentioned library, after logging in to OpenAM and granting authorization to the application (endpoint 'oauth2/authorize'), flask-oidc sends the following GET request:

GET /oidc/callback?code=<some code> \
&scope=openid%20email \
&iss=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2 \
&state=<some state> \
&client_id=MyClientID

Which leads to the error mentioned above.
@Bcubrich
Copy link

I have the same issue, please let me know if you can resolve it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Lauenburg @Bcubrich