JWTConnect-Python-OidcRP

flask_rp does not substitute {host} and {port} in configuration

Open NubiaNetworks opened this issue 3 years ago • 6 comments

The configuration contains variables {host} and {port} to be substituted by the configured settings; however, the names are processed verbatim by the oidcrp services and generate invalid URLs. E.g.:

2022-03-03 18:30:18,773 werkzeug INFO 127.0.0.1 - - [03/Mar/2022 18:30:18] "GET /authorization?redirect_uri=https%3A%2F%2F%7Bdomain%7D%3A%7Bport%7D%2Fauthz_cb%2Flocal&scope=openid+profile+email+address+phone&response_type=code&nonce=l88iJfCO4BZLDQkXYnUhgqFR&claims=%7B%22id_token%22%3A+%7B%22acr%22%3A+%7B%22value%22%3A+%22https%3A%2F%2Frefeds.org%2Fprofile%2Fmfa%22%7D%7D%7D&state=P9uak9aZ80hdofThXcjn7smnpPa5MDho&code_challenge=_yJm92poIHyUup6Wj3Gqcax9sJnyHSTZtb7l4PK380E&code_challenge_method=S256&client_id=fNHcM2Y5_NspBddQ8PDS5g HTTP/1.1" 400 -

NubiaNetworks, Mar 03 '22 18:03

I'd like to see the configuration file you're using.

rohe, Mar 04 '22 06:03

I'm using the default config.json files from oidc-op's flask_op and JWTConnect-Python-OidcRP's flask_rp.

On the flask_op side I'm getting:

2022-03-04 08:49:30,205 oidcmsg.configure INFO request: {'application_type': 'web', 'response_types': ['code'], 'contacts': ['[email protected]'], 'token_endpoint_auth_method': 'client_secret_basic', 'backchannel_logout_uri': 'https://{domain}:{port}/bc_logout/local', 'frontchannel_logout_uri': 'https://{domain}:{port}/fc_logout/local', 'redirect_uris': ['https://{domain}:{port}/authz_cb/local'], 'jwks_uri': 'https://127.0.0.1:8090/static/jwks.json', 'post_logout_redirect_uri': 'https://{domain}:{port}/session_logout/local', 'frontchannel_logout_session_required': True, 'grant_types': ['authorization_code']}

On the flask_rp side:

2022-03-04 08:49:30,235 oidcrp.util DEBUG resp.headers: {'Content-type': 'application/json; charset=utf-8', 'Content-Length': '927', 'Pragma': 'no-cache', 'Cache-Control': 'no-store', 'Set-Cookie': 'oidc_op_rp=1646380170|pmCefI6WW93GHwUs|ZMrqXRI2dWwfWkoqLmMrZBTKy0pEiGt5r2iLzMdoGj/W7Qo4m8bXPQnT1DGlmlsaKzMhc6i2UV5SY5GqrSkIyN16fMp89DUSoFvJCVQ8/l84jDBGbDKhFTxtTOsNOIKamUUanFCohpA=|4JyiuFp7pJ+gYNMSxYu8Hw==; Secure; HttpOnly; Path=/; SameSite=Lax', 'Server': 'Werkzeug/2.0.3 Python/3.9.9', 'Date': 'Fri, 04 Mar 2022 07:49:30 GMT'}
2022-03-04 08:49:30,235 oidcrp.util DEBUG resp.txt: {"client_id": "Qo1it0yxWiUGLHIGf0Q3vQ", "registration_access_token": "BOZZssAxbiWUWhUJ4GrpFWjBc2RHV4615-42P17DhXI", "registration_client_uri": "https://127.0.0.1:5000/registration_api?client_id=Qo1it0yxWiUGLHIGf0Q3vQ", "client_id_issued_at": 1646380170, "client_secret": "7cab69b50b0416a99dc35996399f60aaf8b157a83cae0ba11a5cadb9", "client_secret_expires_at": 1648972170, "application_type": "web", "response_types": ["code"], "contacts": ["[email protected]"], "token_endpoint_auth_method": "client_secret_basic", "backchannel_logout_uri": "https://{domain}:{port}/bc_logout/local", "frontchannel_logout_uri": "https://{domain}:{port}/fc_logout/local", "jwks_uri": "https://127.0.0.1:8090/static/jwks.json", "post_logout_redirect_uri": "https://{domain}:{port}/session_logout/local", "frontchannel_logout_session_required": true, "grant_types": ["authorization_code"], "redirect_uris": ["https://{domain}:{port}/authz_cb/local"]}

NubiaNetworks, Mar 04 '22 07:03

Which versions of OidcRP and oidc-op?

rohe, Mar 04 '22 08:03

Both the git default branches.

I noticed that the actual substitution is supposed to happen in the Base class in the oidcmsg package, which is version 1.6.0.

NubiaNetworks, Mar 04 '22 08:03

Let me get back to you later today or tomorrow. A bit busy right now.

rohe, Mar 04 '22 08:03

In #64 I created a test case to demonstrate the issue. It turned out to be a bug regarding an omitted 'uris' variable in RPConfigure. Fix in the same pull request.

NubiaNetworks, Mar 04 '22 11:03
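To show what the missing 'uris' list means in practice, here is an added example (not code from oidcrp or oidcmsg) that substitutes {domain}/{port} only for the URI keys it is told about, reproduces the unsubstituted output from the logs above when that list is empty, and adds a pre-registration check that flags any URI still carrying a placeholder. The config fragment, the URI_KEYS list and both function names are constructed for this illustration.

```python
import re
from copy import deepcopy

# Constructed config fragment modelled on the placeholders in the issue's logs;
# it is not the project's own config.json.
RP_CONFIG = {
    "domain": "127.0.0.1",
    "port": 8090,
    "redirect_uris": ["https://{domain}:{port}/authz_cb/local"],
    "backchannel_logout_uri": "https://{domain}:{port}/bc_logout/local",
    "post_logout_redirect_uri": "https://{domain}:{port}/session_logout/local",
    "jwks_uri": "https://{domain}:{port}/static/jwks.json",
    "contacts": ["ops@example.com"],
}

# Hypothetical stand-in for the 'uris' list the fix restores in RPConfigure:
# the keys whose values are URIs and therefore need substitution.
URI_KEYS = ["redirect_uris", "backchannel_logout_uri",
            "post_logout_redirect_uri", "jwks_uri"]

PLACEHOLDER = re.compile(r"\{(\w+)\}")


def substitute(conf, uris):
    """Return a copy of conf with {domain}/{port} filled in for the keys in uris.
    Calling it with uris=[] reproduces the bug: every placeholder survives."""
    out = deepcopy(conf)
    vals = {"domain": str(conf["domain"]), "port": str(conf["port"])}

    def fill(text):  # unknown placeholders are left untouched
        return PLACEHOLDER.sub(lambda m: vals.get(m.group(1), m.group(0)), text)

    for key in uris:
        if key not in out:
            continue
        if isinstance(out[key], list):
            out[key] = [fill(v) for v in out[key]]
        else:
            out[key] = fill(out[key])
    return out


def unresolved(conf, uris):
    """URI keys that still contain a {placeholder}. A non-empty result means the
    registration request would carry a literal '{domain}', as in the logs."""
    bad = []
    for key in uris:
        vals = conf.get(key, [])
        vals = vals if isinstance(vals, list) else [vals]
        if any(PLACEHOLDER.search(v) for v in vals):
            bad.append(key)
    return bad
```

Running `unresolved()` on the config before the dynamic registration call turns the silent misconfiguration into a startup error instead of a 400 on the authorization request.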