I have a oauth/oidc server and a client, both using authlib 0.14.3 and the flask integration. The server use HS256 to sign the id_token. The client has those endpoints:
oauth = OAuth()
oauth.init_app(app)
oauth.register(
name='mydomain',
client_id=OAUTH_CLIENT_ID,
client_secret=OAUTH_CLIENT_SECRET,
access_token_url="http://localhost:5000/oauth/token",
authorize_url="http://localhost:5000/oauth/authorize",
client_kwargs={
'scope': 'openid profile'
}
)
@app.route("/login", methods=["GET", "POST"])
@sheraf.connection()
def login():
redirect_uri = url_for('users.account.authorize', _external=True)
return oauth.mydomain.authorize_redirect(redirect_uri)
@app.route('/authorize')
def authorize():
token = oauth.mydomain.authorize_access_token()
userinfo = oauth.mydomain.parse_id_token(token)
...
return redirect('/')
parse_id_token raise a UnsupportedAlgorithmError. Playing with a debugger I find that authlib/jose/rfc7515/jws.py:JsonWebSignature._algorithms only has RS256 available.
Am I missing something?
I was missing mandatory parameters in the oidc server registration:
oauth.register(
name='mydomain',
client_id=OAUTH_CLIENT_ID,
client_secret=OAUTH_CLIENT_SECRET,
access_token_url="http://localhost:5000/oauth/token",
authorize_url="http://localhost:5000/oauth/authorize",
id_token_signing_alg_values_supported=["HS256", "RS256"],
jwks={
"keys": [{
"kid": "my-key-id",
"kty": "oct",
"alg": "HS256",
"k": urlsafe_b64encode("secret-key"),
}]
},
client_kwargs={
'scope': 'openid profile'
}
)