
Authlib 0.6+ does not work with Auth0 impersonation and Flask

Auth0 impersonation directly calls the on-success authentication callback URL, skipping the initial step of authentication. This causes an issue because flask/client/OAuth.authorize_access_token(), which is called as part of the callback processing, requires the presence of the session variable _auth0_callback_, but this variable is not set because the only place it is set, flask/client/OAuth.authorize_redirect(), is not called in this situation.

We've added a hack to set the _auth0_callback_ session variable if it doesn't exist just before the call to flask/client/OAuth.authorize_access_token(), but this doesn't seem right and I'm just wondering if we're doing something wrong.

We've also experienced a similar issue with the _auth0_state_ session variable, but this might have been fixed in v0.7, which I'm testing now. We currently are using Authlib v0.6 in production.

Have raised this issue with Auth0 but have not had any response.

Any help appreciated, thx

UPDATE...

Looking deeper into Authlib, it looks like that for the flask/client/OAuth.authorize_access_token() call the callback URL is not required in OAuth2Session.fetch_access_token() to fetch the token if the token is included in the authorisation response, and it kind of makes sense that the access token is included in the authorisation response in the case of the impersonation - see OAuth2Session.fetch_access_token()#152. So maybe that authorisation response access token from Auth0 impersonation doesn't exist or is not being properly passed through...
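The two session values the question names, _auth0_callback_ and _auth0_state_, are what bind a callback to the browser session that started the authorization request (the OAuth state parameter is the standard CSRF check on the redirect). The example below is added here and is not code from the question, from Authlib or from Auth0; it models Flask's session with a plain dict and shows a callback check that rejects a response arriving with no pending state, rather than fabricating the missing session values as the hack above does. The function names and the dict-based session are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Hypothetical stand-ins for the Authlib Flask client: a plain dict plays the
# role of flask.session, and the key names mirror those quoted in the question.
CALLBACK_KEY = "_auth0_callback_"
STATE_KEY = "_auth0_state_"


def begin_authorize(session: Dict[str, str], redirect_uri: str) -> Dict[str, str]:
    """Model of what authorize_redirect() stores before sending the user away.

    The random state is saved in the session and echoed back by the provider.
    Returns the parameters that would go into the authorization URL.
    """
    state = secrets.token_urlsafe(32)
    session[CALLBACK_KEY] = redirect_uri
    session[STATE_KEY] = state
    return {"redirect_uri": redirect_uri, "state": state}


def check_callback(session: Dict[str, str], args: Dict[str, str]) -> Tuple[bool, str]:
    """Validate an authorization response before any token exchange.

    Returns (accepted, reason). A callback that reaches the app with no state
    pending in this session, which is what happens when the redirect step is
    skipped, is refused instead of having the session values filled in.
    """
    if "error" in args:
        return False, "provider error: %s" % args["error"]
    expected_state = session.get(STATE_KEY)
    if not expected_state:
        return False, "no authorization request pending in this session"
    # Constant-time comparison so a mismatch does not leak via timing.
    if not hmac.compare_digest(expected_state, args.get("state", "")):
        return False, "state mismatch"
    if "code" not in args and "access_token" not in args:
        return False, "response carries neither code nor access_token"
    # The state is single-use: drop it so the same response cannot be replayed.
    session.pop(STATE_KEY, None)
    return True, "ok"
```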

To my knowledge, Auth0 accepts a redirect_uri parameter. Check this example: https://github.com/lepture/auth0-python-web-app/blob/patch-1/01-Login/server.py


The Flask integration is a wrapper on OAuth2Session which provides authorize_redirect and authorize_access_token methods to handle everything automatically for you. If you find the high level integration can't meet your need, you can always use the methods of OAuthClient.
