use dummy server

app.py

@@ -1,5 +1,4 @@
 import requests
-import jwt
 
 from authlib.integrations.base_client import OAuthError
 from authlib.integrations.flask_client import OAuth
@@ -33,23 +32,10 @@ oauth.register(
 
 @app.route("/api")
 def api():
-    not_auth_warn = True
+    if 'accessToken' in request.cookies:
-    # is it OK to use access token to check API authorization on server side
+        access_token = request.cookies['access_token']
-    # it is not OK to use ID token to check API authorization on server side
+        print(access_token)
-    if 'accessToken' in request.args:
+    return make_response(redirect('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001'))
-        access_token = request.args['accessToken']
-        jwks_uri = f"{issuer}/protocol/openid-connect/certs"
-        jwks_client = jwt.PyJWKClient(jwks_uri)
-        key = jwks_client.get_signing_key_from_jwt(access_token)
-        data = jwt.decode(access_token, key.key, algorithms=["RS256"], audience='client-oidc', options={'verify_signature': True, 'verify_aud': True})
-        print(data)
-        not_auth_warn = False
-        # TODO verify token and check role
-    return render_template(
-        'api.html',
-        not_auth_warn=not_auth_warn,
-    )
-
 
 @app.route("/auth")
 def auth():
@@ -60,13 +46,13 @@ def auth():
     response = make_response(redirect('/'))
     access_token = token_response['access_token']
     if access_token:
-        response.set_cookie('accessToken', access_token, httponly=True)
+        response.set_cookie('access_token', access_token, httponly=True)
     refresh_token = token_response['refresh_token']
     if refresh_token:
-        response.set_cookie('refreshToken', refresh_token, httponly=True)
+        response.set_cookie('refresh_token', refresh_token, httponly=True)
     id_token = token_response['id_token']
     if id_token:
-        response.set_cookie('idToken', id_token, httponly=True)
+        response.set_cookie('id_token', id_token, httponly=True)
     if token_response['userinfo']:
         session['name'] = token_response['userinfo']['name']
         session['email'] = token_response['userinfo']['email']
@@ -76,7 +62,6 @@ def auth():
 @app.route("/", methods=['GET', 'POST'])
 def index():
     attributes = False
-    access_token = False
     paint_logout = False
     not_auth_warn = False
     user_name = False
@@ -94,9 +79,9 @@ def index():
                 "refresh_token": refresh_token,
             })
         response = make_response(redirect('/'))
-        response.set_cookie('accessToken', '', expires=0)
+        response.set_cookie('access_token', '', expires=0)
-        response.set_cookie('refreshToken', '', expires=0)
+        response.set_cookie('refresh_token', '', expires=0)
-        response.set_cookie('idToken', '', expires=0)
+        response.set_cookie('id_token', '', expires=0)
         if 'name' in session:
             del session['name']
         if 'email' in session:
@@ -107,9 +92,9 @@ def index():
 
     # it is OK to use ID token to display user info on client side
     # is it not OK to use access token on client side
-    if 'idToken' in request.cookies:
+    if 'id_token' in request.cookies:
         paint_logout = True
-        attributes = {'idToken': [request.cookies['idToken']]}.items()
+        attributes = {'id_token': [request.cookies['id_token']]}.items()
 
     if 'name' in session:
         user_name = session['name']
@@ -117,13 +102,9 @@ def index():
     if 'email' in session:
         user_email = session['email']
 
-    if 'accessToken' in request.cookies:
-        access_token = request.cookies['accessToken']
-
     return render_template(
         'index.html',
         attributes=attributes,
-        access_token=access_token,
         not_auth_warn=not_auth_warn,
         paint_logout=paint_logout,
         user_name=user_name,

requirements.txt

@@ -1,3 +1,3 @@
 authlib
 flask
-PyJWT
+requests

templates/index.html

@@ -36,10 +36,6 @@
   <a href="?sso" class="btn btn-primary">Login</a>
 {% endif %}
 
-{% if access_token %}
+<a href="/api" class="btn btn-secondary">Call API</a>
-  <a href="/api?accessToken={{ access_token }}" class="btn btn-secondary">Call protected API</a>
-{% else %}
-  <a href="/api" class="btn btn-secondary">Call protected API</a>
-{% endif %}
 
 {% endblock %}