zamzterz/Flask-pyoidc

Provide option for discovery URI

Closed this issue · 2 comments

arajcok commented

When a provider has dynamic discovery, we only need to pass the issuer to the ProviderConfiguration, and the discovery URI is expected to be at <issuer>/.well-known/openid-configuration. However, this is not always the case with some providers, as some include a more specific path for the discovery URI.

In previous versions of Flask-pyoidc (<=3.10.0), I was able to get around this by specifying the first portion of the discovery URI as the issuer. This allowed Flask-pyoidc to find the discovery URI correctly. Example:

ProviderConfiguration(
    issuer='https://some.provider.com/metadata/OIDC',
    client_metadata=...,
    auth_request_params={'scope': ['openid']})

where the discovery URI for this issuer is ultimately at https://some.provider.com/metadata/OIDC/.well-known/openid-configuration.

Now, in v3.11.0, this results in an error about an issuer mismatch:

oic.exception.PyoidcError: provider info issuer mismatch 'https://some.provider.com/metadata/OIDC' != 'https://some.provider.com'

Of course, providing https://some.provider.com as the issuer in the provider configuration results in other errors, as the provider does not have the discovery URI at the expected endpoint.

I am wondering if there is a way to add support for a discovery_uri in the ProviderConfiguration or ProviderMetadata to account for discovery URIs that are not at the default endpoint. Otherwise, we have to fallback to configuring the provider via a static provider configuration.

infohash commented

The error is originating from here:

oic.Client.handle_provider_config

            if not self.allow.get("issuer_mismatch", False) and _issuer != _pcr_issuer:
                raise PyoidcError(
                    "provider info issuer mismatch '%s' != '%s'"
                    % (_issuer, _pcr_issuer)
                )

That means your IdP is returning a different URL of issuer in the discovery response from what you have provided to the ProviderConfiguration.

Can you visit well-known configuration of your IdP and check the URL of the issuer.

I'm not able to reproduce the bug because in my case Keycloak is returning the same issuer URL that I have passed to the ProviderConfiguration.

This error is showing up in 3.11 is because discovery response is now delegated to the underlying pyoidc library which also validates the response.

Your issuer URL is supposed to be https://some.provider.com/metadata/OIDC and this same URL should be returned in dynamic discovery response by your IdP.

  • 👍1
zamzterz commented

The underlying OpenID Connect library of this extension follows the spec:

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

So unfortunately the provider you're using would not be supported as the discovery document is published at a different path.