
OIDC compliance for flask server: POST to /authorize does not use form data #15

Closed
rudyardrichter opened this issue Jan 18, 2018 · 4 comments

@rudyardrichter

The README lists OpenID Connect as an implemented feature, so I assume this implementation is meant to be fully OIDC compliant. However, the default flask implementation doesn't get the request parameters from the form data, as described by the OIDC spec:

If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2.

Here is my understanding of what happens currently for the flask server handling a POST to /authorize:

It seems like it would be straightforward to check flask.request.method and grab the params from flask.request.form if the method is POST. I'd be happy to submit a PR for this if that would be welcomed.

@lepture
Owner

lepture commented Jan 18, 2018

@rudyardrichter I'm sorry for the misunderstanding. Currently only the OIDC client part is implemented; the server part is not yet. The next version is focusing on the OAuth 1 server, so it will take some time for the OIDC server to be ready to use.

get_authorization_grant attempts to parse params from query string (not form data)

No, it should parse params from the query string. This authorization_grant is used for the "dialog page that user (with or without login form) is asked to grant the access (or not)". This very page is reached by a redirection from your application to the OAuth server; it can't be a POST request.

@rudyardrichter
Author

rudyardrichter commented Jan 18, 2018

@lepture Supporting POST to the authorization endpoint is optional according to RFC 6749:

The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.

and mandatory in OIDC:

Authorization Servers MUST support the use of the HTTP GET and POST
methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.
Clients MAY use the HTTP GET or POST methods to send the Authorization
Request to the Authorization Server.

where, as I quoted above, OIDC stipulates that parameters for POST be in form data.

I suppose this is slightly moot until the OIDC provider is supported. Still, even for OAuth, it would be nice to allow support for use of POST for the authorization endpoint.
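The behaviour discussed in both of rudyardrichter's comments (check the request method, read from the query string on GET and from form data on POST, as RFC 6749 and OIDC Core require) as an added example. This is not Authlib's code and not the fix that went into v0.4; the names `collect_authorization_params`, `AuthorizationRequestError` and `make_authorize_view` are hypothetical, and the Flask view is built from a request object passed in so the module also runs where Flask is not installed. It also applies the other RFC 6749 section 3.1 rules for the authorization endpoint: unrecognized parameters are ignored, empty values count as omitted, and a parameter sent more than once is rejected.

```python
"""Select OAuth 2.0 / OIDC authorization request parameters by HTTP method.

Added example (hypothetical names, not Authlib's own code). RFC 6749 requires
GET and allows POST at the authorization endpoint; OIDC Core 3.1.2.1 requires
both and says POST parameters are form-serialized. So GET reads the query
string, POST reads the form body, and the two sources are never mixed.
"""

# Parameters RFC 6749 section 4.1.1 defines for the authorization request,
# plus "nonce", which OIDC adds. Anything else is ignored per RFC 6749 3.1.
_KNOWN_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state", "nonce")
_REQUIRED_PARAMS = ("response_type", "client_id")


class AuthorizationRequestError(ValueError):
    """Raised when the method or the parameters of the request are not acceptable."""


def _values(source, name):
    """Return every value sent for `name`.

    Works for a werkzeug MultiDict (flask.request.args / .form) via getlist,
    and for a plain dict whose values are strings or lists of strings.
    """
    if hasattr(source, "getlist"):
        return list(source.getlist(name))
    value = source.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def collect_authorization_params(method, query_args, form_data):
    """Return the authorization request parameters for one HTTP request.

    `query_args` and `form_data` are the request's query string and form body
    respectively; only the one matching `method` is consulted.
    """
    method = method.upper()
    if method == "GET":
        source = query_args
    elif method == "POST":
        source = form_data
    else:
        raise AuthorizationRequestError("method not allowed: %s" % method)

    params = {}
    for name in _KNOWN_PARAMS:
        values = _values(source, name)
        if len(values) > 1:
            # RFC 6749 3.1: parameters MUST NOT be included more than once.
            raise AuthorizationRequestError("duplicate parameter: %s" % name)
        if values and values[0] != "":
            # RFC 6749 3.1: a parameter without a value is treated as omitted.
            params[name] = values[0]

    missing = [name for name in _REQUIRED_PARAMS if name not in params]
    if missing:
        raise AuthorizationRequestError("missing parameter(s): %s" % ", ".join(missing))
    return params


def make_authorize_view(flask_request, handle_request):
    """Build a Flask view for /authorize.

    `flask_request` is the `flask.request` proxy; `handle_request(params)` is
    the server's own grant logic (login check, consent dialog, redirect back).
    Malformed requests get a 400 instead of reaching that logic.
    """
    def authorize():
        try:
            params = collect_authorization_params(
                flask_request.method, flask_request.args, flask_request.form
            )
        except AuthorizationRequestError as exc:
            return str(exc), 400
        return handle_request(params)
    return authorize


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    get_query = {"response_type": "code", "client_id": "demo", "scope": "openid", "extra": "x"}
    print("GET ->", collect_authorization_params("GET", get_query, {}))
    post_form = {"response_type": "code", "client_id": "demo", "state": "s1"}
    print("POST ->", collect_authorization_params("POST", {"client_id": "ignored"}, post_form))
```

To wire it into a Flask app, register the view for both methods, for example with `app.add_url_rule("/authorize", view_func=make_authorize_view(request, grant_dialog), methods=["GET", "POST"])`. Keeping the two sources separate matters: a POST handler that silently fell back to the query string would let a parameter in the URL override or supplement the form body, which the specs do not allow.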

@lepture
Owner

lepture commented Jan 19, 2018

@rudyardrichter yes, you are right. I'll make a change in v0.4.

@lepture lepture self-assigned this Jan 25, 2018
lepture added a commit that referenced this issue Jan 31, 2018
@lepture
Owner

lepture commented Jan 31, 2018

It's collecting form data now. Close it.

@lepture lepture closed this as completed Jan 31, 2018
coopfeathy added a commit to coopfeathy/authlib-django that referenced this issue Dec 11, 2022