access token verification on API endpoint

app.py

@@ -1,10 +1,12 @@
 import requests
+import jwt
 
 from authlib.integrations.base_client import OAuthError
 from authlib.integrations.flask_client import OAuth
 
 from flask import Flask, request, redirect, session, render_template, url_for, make_response
 
+
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
 
@@ -33,7 +35,11 @@ def api():
     # it is not OK to use ID token to check API authorization on server side
     if 'accessToken' in request.args:
         access_token = request.args['accessToken']
-        #claims = oidcclient.validate_jwt(access_token)
+        jwks_uri = f"{issuer}/protocol/openid-connect/certs"
+        jwks_client = jwt.PyJWKClient(jwks_uri)
+        key = jwks_client.get_signing_key_from_jwt(access_token)
+        data = jwt.decode(access_token, key.key, algorithms=["RS256"], audience='client-oidc', options={'verify_signature': True, 'verify_aud': True})
+        print(data)
         not_auth_warn = False
         # TODO verify token and check role
     return render_template(
@@ -88,8 +94,10 @@ def index():
         response.set_cookie('accessToken', '', expires=0)
         response.set_cookie('refreshToken', '', expires=0)
         response.set_cookie('idToken', '', expires=0)
-        del session['name']
-        del session['email']
+        if 'name' in session:
+            del session['name']
+        if 'email' in session:
+            del session['email']
         return response
     elif 'error' in request.args:
         not_auth_warn = True

requirements.txt

@@ -1,2 +1,3 @@
 authlib
 flask
+PyJWT