From 80a0b162b7d1e64dc5bb92ea6d9f48c4df18f0e9 Mon Sep 17 00:00:00 2001
From: Edvard Rejthar
Date: Wed, 29 May 2019 21:55:10 +0200
Subject: [PATCH] id_token["aud"] may be a single item list
MojeID provider returns 'aud': ['single-id'] which was by mistake taken as multiple audiences without 'azp'. Added MojeID as a tested provider.
---
 README.rst | 1 +
 docs/index.rst | 3 ++-
 flask_oidc/__init__.py | 4 +++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.rst b/README.rst
index 7e38ef5..5a00398 100644
--- a/README.rst
+++ b/README.rst
@@ -22,6 +22,7 @@ It has been tested with:
 * `Google+ Login `_
 * `Ipsilon `_
+* `MojeID `_
 Project status
diff --git a/docs/index.rst b/docs/index.rst
index f8f8692..4dbfe6f 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -72,7 +72,7 @@ A very basic example client::
 def index():
 if oidc.user_loggedin:
 return 'Welcome %s' % oidc.user_getfield('email')
- else
+ else:
 return 'Not logged in'
 @app.route('/login')
@@ -136,6 +136,7 @@ for information on how to obtain client secrets. For example, for Google, you will need to visit `Google API credentials management `_.
+For `MojeID `_, you type ``curl --data '{"redirect_uris": "https://your app", "client_name": "Your name"}' https://mojeid.cz/oidc/ > client_secrets.json``
 Manual client registration
 --------------------------
diff --git a/flask_oidc/__init__.py b/flask_oidc/__init__.py
index 5ca54a4..508a3f6 100644
--- a/flask_oidc/__init__.py
+++ b/flask_oidc/__init__.py
@@ -612,7 +612,9 @@ def _is_id_token_valid(self, id_token):
 logger.error('id_token issued by non-trusted issuer: %s' % id_token['iss'])
 return False
-
+
+ if isinstance(id_token['aud'], list) and len(id_token['aud']) == 1:
+ id_token['aud'] = id_token['aud'][0]
 if isinstance(id_token['aud'], list):
 # step 3 for audience list
 if self.flow.client_id not in id_token['aud']:
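Review bot: The added normalisation rewrites `id_token['aud']` in place, so every later consumer of the token dict, and anything that persists it, sees a string where the provider sent a list; keep the unwrap in a local instead, `aud = id_token['aud']` / `if isinstance(aud, list) and len(aud) == 1:` / `aud = aud[0]`, and compare against `aud` in the audience checks that follow rather than re-reading the claim. The unwrap itself is sound: RFC 7519 lets `aud` be either a string or an array and a one-element array names a single audience, so the multi-audience `azp` requirement should not apply to it, which is what the commit intends. An empty list still falls through to the list branch, where `client_id not in []` rejects the token, which is the right outcome and worth a one-line comment so nobody "fixes" it. `_is_id_token_valid` continues past the hunk, so the string-branch comparison this change routes to is not visible here.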