Framework-Agnostic OpenID Connect Implementation
Problem Description
An issue that my team has run into recently is that authlib doesn’t appear to support a framework-agnostic way to interact with OpenID Connect. This has become more of an issue for us since we are in a service oriented environment, which the library also has some issues with supporting.
Our initial implementation used the Flask framework integration, and we implemented a custom FlaskIntegration subclass that would allow us to work around the fact that the nonce is strongly expected to live in the session. We have one service that implements the OpenID flow, and another service that actually has the session data, so this expectation doesn’t work for us.
We then decided that we would move towards using the lower level OAuth2Session class instead, to have a bit more control over how things were implemented. The tradeoff was that this ended up increasing our service layer code by 160 lines due to having to reimplement the JWKS fetching, JWT parsing, and user info endpoint handling logic, plus increasing our testing for all of these things by several hundred lines.
Proposed Solution
I would like to move the logic for JWKS retrieval, JWT parsing, and user info endpoint handling out of the framework-specific code and into either (a) the OAuth2[Client|Session] or (b) a new OpenID[Client|Session].
This would also allow the framework code to be lighter-weight and focus purely on the framework specific things like session and signal management.
Obviously the existing API contract would need to be maintained, but, where appropriate, I might suggest adding deprecation warnings to some methods and possibly removing them in a future major version bump. It feels to me like there is more redirection happening than would be ideal, which makes it difficult to trace code.
Last, I would also like to do some documentation updates as part of this around proper framework-agnostic usage.
Alternatives
It would also be possible to change the behavior of the Flask framework integration to accept the nonce as a function argument and make it easier to configure some options relating to the tokens / key signatures to get some of the benefits, but I would much prefer the broader improvements.
Additional context
I would love to contribute these changes myself if the maintainer(s) agree with this approach.
Also, I wanted to express my gratitude for creating this library, as it has been extremely helpful to us already.
I attempted to search for a similar issue, but was not able to find one. I apologize if this is a duplicate.
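As an added illustration of the framework-agnostic ID-token handling proposed in this issue (example code written for this page, not authlib's API and not code from the issue author): the JWKS lookup, JWT parsing, claim checks and nonce comparison take everything they need as explicit arguments, so the nonce can be supplied by whichever service holds the session. The issuer, client id, nonce, shared secret and JWK below are constructed values. HS256 with a symmetric "oct" key is used only so the example runs on the standard library; real providers publish asymmetric keys (RS256/ES256) in their JWKS, and the `find_key`/`validate_id_token` structure is the same. The `check_userinfo` helper shows the one check the UserInfo step needs regardless of framework: its `sub` must match the ID token's `sub`.

```python
"""Framework-agnostic OIDC ID-token validation (illustrative, stdlib only).

Nothing here reads a web session: the nonce, JWKS, issuer and client id are
passed in by the caller, which is the point the issue above argues for.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_key(jwks: dict, kid: Optional[str]) -> dict:
    """JWKS lookup step: select the key whose 'kid' matches the token header."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no key with kid={kid!r} in JWKS")


def sign_id_token(claims: dict, jwk: dict) -> str:
    """Build a compact HS256 JWT. Used here only to construct test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    secret = _b64url_decode(jwk["k"])
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str,
                      nonce: str, now: Optional[int] = None) -> dict:
    """Verify signature and the core OIDC claims (iss, aud, exp, nonce).

    The expected nonce is an argument, not something read from a session.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT: expected three segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the accepted algorithm; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = find_key(jwks, header.get("kid"))
    secret = _b64url_decode(jwk["k"])
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Binds this ID token to the authorization request that used this nonce.
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch")
    return claims


def check_userinfo(userinfo: dict, id_token_sub: str) -> dict:
    """UserInfo step: the response 'sub' must equal the ID token 'sub'."""
    if userinfo.get("sub") != id_token_sub:
        raise ValueError("userinfo sub does not match ID token sub")
    return userinfo


# Constructed inputs (not a real provider): symmetric JWK, issuer, client, nonce.
SHARED_SECRET = b"constructed-shared-secret-not-for-production"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": _b64url_encode(SHARED_SECRET)}]}
ISSUER = "https://op.example"
CLIENT_ID = "my-client"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000


def make_token(nonce: str = NONCE) -> str:
    """Construct an ID token as the (hypothetical) provider would issue it."""
    return sign_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                          "iat": NOW, "exp": NOW + 300, "nonce": nonce},
                         JWKS["keys"][0])


if __name__ == "__main__":
    claims = validate_id_token(make_token(), JWKS, ISSUER, CLIENT_ID, NONCE, now=NOW)
    print("validated subject:", claims["sub"])
    try:
        validate_id_token(make_token("stale-nonce"), JWKS, ISSUER, CLIENT_ID, NONCE, now=NOW)
    except ValueError as exc:
        print("rejected:", exc)
```

The caller that owns the session (whichever service that is) stores the nonce when it builds the authorization request and hands it back to `validate_id_token` on the callback; the validator itself has no framework dependency, which is what moving this logic out of the Flask integration would achieve.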
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 7 (3 by maintainers)
Top GitHub Comments
I’m not a maintainer, but the overall goal here sounds good to me. 👍
I’d strongly suggest approach B. OpenIDConnect and all its JWT stuff is an extension to OAuth2, but the vanilla OAuth2 spec says nothing about JWTs. I think it would be a mistake to shoehorn any JWK/JWT code into a class designed to implement the base RFC6749 logic.
@briankzimmer I still don’t quite understand the problem. You can send a PR, I’ll get what you want in the PR.