
Some OpenID providers don't have token_introspection_uri

Open gtoonstra opened this issue 5 years ago • 3 comments

Hi!

I'm trying out "amundsen" by Lyft and there we typically use OpenID authentication to get into the application. Someone made a wrapper package available to use flask-oidc which is mostly based on keycloak, which has a token_introspection_uri: https://github.com/verdan/flaskoidc

Google has a different view on that and doesn't have an API for that:

https://developers.google.com/identity/sign-in/web/backend-auth

Instead, they expect API developers to do their own "authorisation" on their end (very likely to offload Google servers from this responsibility).

What we see is that validate_token is explicitly called, as it would also be with the decorator "accept_token", which is typically used for backend server stuff; so the user logs into a frontend UI server, which then passes through the token to backend servers that somehow need to validate the user's authenticity (SSO) to allow the correct type of access.

Would you consider adding the validation method for "google openid connect" to the library, so that the validate_token method would also work for that specific provider and include a clearer error message if no introspection_uri was provided in client_secrets.json?

gtoonstra avatar May 25 '19 13:05 gtoonstra
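The validation the issue asks for, as an added example that is not flask-oidc's code nor the reporter's: when a provider has no introspection endpoint, the backend verifies the ID token locally (signature against the provider's published key set, then issuer, audience and expiry) and raises a specific error instead of failing on a missing `token_introspection_uri`. To stay runnable offline with only the standard library, the demo signs with HS256 using a constructed shared key in JWK `oct` form; real Google ID tokens are RS256-signed with keys published at https://www.googleapis.com/oauth2/v3/certs, so in production `verify_signature` must be backed by an RSA implementation (PyJWT or google-auth) and `allowed_algs` left at its RS256 default. The client id, subject and secret below are constructed values.

```python
"""Local OIDC ID-token validation for providers without token introspection.

Added example (not part of flask-oidc). HS256 is implemented here only so the
demo runs with the standard library; Google issues RS256 tokens, and the
default policy pins RS256 so an HS256 token is rejected unless explicitly
allowed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Issuer values Google uses in ID tokens (both forms occur in practice).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class TokenInvalid(Exception):
    """Carries the concrete reason so the request handler can log it."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_signature(alg: str, jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    # Stdlib-only: symmetric JWK ("oct") with HS256. RS256 needs an RSA library.
    if alg == "HS256" and jwk.get("kty") == "oct":
        expected = hmac.new(_b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    raise TokenInvalid(f"no verifier for algorithm {alg!r} with key type {jwk.get('kty')!r}")


def validate_id_token(token, jwks, audience, issuers=GOOGLE_ISSUERS,
                      allowed_algs=("RS256",), now=None, leeway=60):
    """Return the verified claims or raise TokenInvalid with a precise reason."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenInvalid(f"malformed token: {exc}")
    alg = header.get("alg")
    if alg not in allowed_algs:  # pin the algorithm; never trust the header's choice
        raise TokenInvalid(f"algorithm {alg!r} not in allowed set {allowed_algs}")
    kid = header.get("kid")
    jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if jwk is None:
        raise TokenInvalid(f"no key with kid {kid!r} in provider key set")
    if not verify_signature(alg, jwk, f"{h}.{p}".encode("ascii"), signature):
        raise TokenInvalid("signature does not verify")
    now = time.time() if now is None else now
    if claims.get("iss") not in issuers:
        raise TokenInvalid(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid(f"audience {aud!r} is not this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenInvalid("token expired or missing exp")
    if claims.get("iat", now) > now + leeway:
        raise TokenInvalid("token issued in the future")
    return claims


# Constructed demo material (not real credentials).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_KID = "demo-key-1"
DEMO_JWKS = {"keys": [{"kty": "oct", "kid": DEMO_KID, "k": _b64url_encode(DEMO_SECRET)}]}
DEMO_AUDIENCE = "000000000000-constructed.apps.googleusercontent.com"
DEMO_NOW = 1_600_000_000


def make_demo_token(claims, secret=DEMO_SECRET, kid=DEMO_KID):
    """Mint an HS256 JWT the way a test provider would (demo only)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def demo_claims(**overrides):
    claims = {"iss": "https://accounts.google.com", "aud": DEMO_AUDIENCE,
              "sub": "constructed-subject-1", "iat": DEMO_NOW - 60, "exp": DEMO_NOW + 3540}
    claims.update(overrides)
    return claims


def check(token, allowed_algs=("HS256",)):
    """(accepted, subject-or-reason) form suitable for logging in a handler."""
    try:
        claims = validate_id_token(token, DEMO_JWKS, DEMO_AUDIENCE,
                                   allowed_algs=allowed_algs, now=DEMO_NOW)
        return True, claims["sub"]
    except TokenInvalid as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(make_demo_token(demo_claims())))
    print(check(make_demo_token(demo_claims(aud="some-other-client"))))
    print(check(make_demo_token(demo_claims()), allowed_algs=("RS256",)))
```

With a Google-issued token the same `validate_id_token` is called with the JWKS fetched from the certs URL, the OAuth client id from `client_secrets.json` as `audience`, and the RS256 default; every rejection path names its cause, which is the clearer error message the issue asks for when no introspection URI is configured.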

@puiterwijk FYI

verdan avatar Jun 04 '19 20:06 verdan

@gtoonstra Were you able to enable google login in Amundsen?

ayush-san avatar Jul 27 '20 06:07 ayush-san

This issue is still open, but I did get this working through "voucher proxy". The downside of the voucher proxy is that it's not as secure as this solution (I had to make custom code changes). But that was just a test/exploration, nothing I ever productionized.

gtoonstra avatar Jul 27 '20 09:07 gtoonstra