This is called from RemoteApp.create_authorization_url which is called by RemoteApp.authorize_redirect which is called by my application (I'm not using the registry).
So if I pass my own nonce (which I'm storing in the session myself) it gets overwritten, so when I try to parse the id token later it fails of course. I fixed it in my app like this but it feels extremely ugly.
So it would be nice if:
no new nonce was generated if the caller already provided one
there was an API to access the session data without popping it and without using internal APIs (_get_session_data); using retrieve_access_token_params just to get the nonce would be pretty inappropriate since it does much more
there was a proper OIDC client built-in in addition to the standard OAuth2 client ;)
See this snippet here:
authlib/authlib/integrations/_client/base_app.py
Lines 189 to 193 in 3834a2a
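The nonce handling requested in this issue, as an added example that is not Authlib's code and not part of the original post: a caller-supplied nonce is kept, the stored nonce can be read without popping it, and the final check consumes it. The functions `create_authorization_url`, `peek_nonce` and `verify_nonce` and the `_oidc_nonce` session key are hypothetical stand-alone names, and `claims` is assumed to come from an ID token whose signature has already been verified.

```python
import hmac
import secrets
from urllib.parse import urlencode

NONCE_KEY = "_oidc_nonce"  # hypothetical session key, not an Authlib name


def create_authorization_url(endpoint, client_id, redirect_uri, session,
                             scope="openid", nonce=None):
    """Build an OIDC authorization URL (state handling omitted for brevity)."""
    if nonce is None:
        # Generate a nonce only when the caller did not supply one,
        # so a nonce the application already tracks is never overwritten.
        nonce = secrets.token_urlsafe(32)
    session[NONCE_KEY] = nonce
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "nonce": nonce,
    })
    return f"{endpoint}?{query}"


def peek_nonce(session):
    """Read the stored nonce without removing it from the session."""
    return session.get(NONCE_KEY)


def verify_nonce(claims, session):
    """Compare the ID token's nonce claim with the session value.

    The stored nonce is popped whether or not the check passes, so a
    replayed ID token cannot be matched against the same session twice.
    """
    expected = session.pop(NONCE_KEY, None)
    received = claims.get("nonce")
    if not expected or not isinstance(received, str):
        return False
    # Constant-time comparison of the two values.
    return hmac.compare_digest(expected.encode(), received.encode())
```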