larsw / flask-oidc-ex Goto Github PK

Keycloak generate token without this value

current version does not work on newer python libraries, likely fix:

puiterwijk#144

Hi,
I want to refresh my access token to validate user to continue access the web page , can you please help me.

Is it possible to turn off token validation somehow? We have our own token validator and we want to use it instead.

Seems i've come across a problem I cannot solve using flask-oidc or flask-oidc-ex.

You need to make sure that you introspect the token using the same DNS hostname/port as the token issuer. Unfortunately that's a not widely documented "feature" of Keycloak.

The workaround is to add to the introspection request a header defining the Host: <address> of the issuer. There is no option to do this in flask-oidc or flask-oidc-ex.

This is defined in OpenID Connect documentation also:

POST "{base_url}/realms/{realm}/protocol/openid-connect/token/introspect" HTTP/1.1
  Host: {issuer_url}  # Issuer Request
  Content-Type: application/x-www-form-urlencoded

  data={
     "token": <...>
     "token_type_hint": "access_token"
     "client_id": <...>
     "client_secret": <...>
  }

https://openid.net/specs/openid-connect-basic-1_0.html

This could be done by adding a new config variable that is loaded in from Flask.