id_token["aud"] may be a single item list

MojeID provider returns 'aud': ['single-id'] which was by mistake taken as multiple audiences without 'azp'. Added MojeID as a tested provider.
puiterwijk · May 29, 2019 · 80a0b16 · 80a0b16
1 parent 7f16e27
commit 80a0b16
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 2 deletions.
diff --git a/README.rst b/README.rst
@@ -22,6 +22,7 @@ It has been tested with:
 
 * `Google+ Login <https://developers.google.com/accounts/docs/OAuth2Login>`_
 * `Ipsilon <https://ipsilon-project.org/>`_
+* `MojeID <https://mojeid.cz>`_
 
 
 Project status

diff --git a/docs/index.rst b/docs/index.rst
@@ -72,7 +72,7 @@ A very basic example client::
     def index():
         if oidc.user_loggedin:
             return 'Welcome %s' % oidc.user_getfield('email')
-        else
+        else:
             return 'Not logged in'
 
     @app.route('/login')
@@ -136,6 +136,7 @@ for information on how to obtain client secrets.
 For example, for Google, you will need to visit `Google API credentials management
 <https://console.developers.google.com/apis/credentials?project=_>`_.
 
+For `MojeID <https://www.mojeid.cz/en/provider/getting-started/>`_, you type ``curl --data '{"redirect_uris": "https://your app", "client_name": "Your name"}' https://mojeid.cz/oidc/ > client_secrets.json``
 
 Manual client registration
 --------------------------

diff --git a/flask_oidc/__init__.py b/flask_oidc/__init__.py
@@ -612,7 +612,9 @@ def _is_id_token_valid(self, id_token):
             logger.error('id_token issued by non-trusted issuer: %s'
                          % id_token['iss'])
             return False
-
+
+        if isinstance(id_token['aud'], list) and len(id_token['aud']) == 1:
+            id_token['aud'] = id_token['aud'][0]
         if isinstance(id_token['aud'], list):
             # step 3 for audience list
             if self.flow.client_id not in id_token['aud']: