OIDC compliance for flask server: POST to /authorize does not use form data #15
Comments
@rudyardrichter I'm sorry for the misunderstanding. Currently only the OIDC client part is implemented; the server part is not yet. The next version is focusing on the OAuth 1 server, so it will take some time for the OIDC server to be ready to use.
No, it should parse params from query string. This authorization_grant is used for the "dialog page that user (with or without login form) is asked to grant the access (or not)". This very page is landed by a redirection from your application to the OAuth server, it can't be a POST request.
@lepture Supporting POST to the authorization endpoint is optional according to RFC 6749:
and mandatory in OIDC:
where, as I quoted above, OIDC stipulates that parameters for POST be in form data. I suppose this is slightly moot until OIDC provider is supported. Still, even for OAuth, it would be nice to allow support for use of POST for the authorization endpoint.
@rudyardrichter yes, you are right. I'll make a change in v0.4.
It's collecting form data now. Close it.
The README lists OpenID Connect as an implemented feature, so I assume this implementation is meant to be fully OIDC compliant. However, the default flask implementation doesn't get the request parameters from the form data, as described by OIDC spec:
Here is my understanding of what happens currently for the flask server handling a POST to /authorize:
- `create_authorization_response` is called from the endpoint
- `create_valid_authorization_response` is called from above
- `get_authorization_grant` is called from above
- `get_authorization_grant` attempts to parse params from query string (not form data)

It seems like it would be straightforward to check `flask.request.method` and grab the params from `flask.request.form` if the method is POST. I'd be happy to submit a PR for this if that would be welcomed.
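
The method check proposed in the issue, as an added example that is not Authlib's code and not part of the original post: it reads authorization request parameters from the query string on GET and from the form-encoded body on POST. To run without Flask installed it works on a plain WSGI environ (the layer under `flask.request`); `authorization_params`, `make_environ`, `BadAuthorizationRequest` and the `MAX_BODY` cap are hypothetical names and values chosen for this sketch.

```python
import io
from urllib.parse import parse_qsl

FORM_TYPE = "application/x-www-form-urlencoded"
MAX_BODY = 8192  # assumed cap for this example, not taken from either spec


class BadAuthorizationRequest(ValueError):
    """The request cannot be parsed into a set of unique parameters."""


def authorization_params(environ):
    """Return authorization request parameters from a WSGI environ.

    GET reads the query string; POST reads the form-encoded body.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if ctype != FORM_TYPE:
            raise BadAuthorizationRequest("POST body must be form-encoded")
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            if not 0 <= length <= MAX_BODY:
                raise ValueError
            raw = environ["wsgi.input"].read(length).decode("ascii")
        except ValueError:  # bad length or non-ASCII body
            raise BadAuthorizationRequest("unreadable form body") from None
    else:
        raise BadAuthorizationRequest("unsupported method: " + method)

    params = {}
    for key, value in parse_qsl(raw, keep_blank_values=True):
        if key in params:
            # RFC 6749 section 3.1: a parameter must not appear more than once.
            raise BadAuthorizationRequest("duplicate parameter: " + key)
        params[key] = value
    return params


def make_environ(method, query="", body=b"", ctype=""):
    """Build a minimal WSGI environ (constructed sample input)."""
    return {"REQUEST_METHOD": method, "QUERY_STRING": query,
            "CONTENT_TYPE": ctype, "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}
```

In this sketch a POST takes its parameters only from the body, so values sent in the query string of a POST are not merged in.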