access_token received through Authorization header

app.py

@@ -13,20 +13,29 @@ client_secret="TODO"
 @app.route("/api")
 def api():
     not_auth_warn = True
+    callback_url = False
     # is it OK to use access token to check API authorization on server side
     # it is not OK to use ID token to check API authorization on server side
-    if 'accessToken' in request.args:
-        access_token = request.args['accessToken']
+    if 'Authorization' in request.headers:
+        bearer = request.headers['Authorization']
+        access_token = False
+        if bearer.startswith("Bearer "):
+            access_token = bearer[7:]
         jwks_uri = f"{issuer}/protocol/openid-connect/certs"
         jwks_client = jwt.PyJWKClient(jwks_uri)
         key = jwks_client.get_signing_key_from_jwt(access_token)
-        data = jwt.decode(access_token, key.key, algorithms=["RS256"], audience='client-oidc', options={'verify_signature': True, 'verify_aud': True})
-        print(data)
-        not_auth_warn = False
-        # TODO verify token and check role
+        try:
+            data = jwt.decode(access_token, key.key, algorithms=["RS256"], audience='account', options={'verify_signature': True, 'verify_aud': True})
+            # TODO verify token and check role
+            print(data)
+            not_auth_warn = False
+        except Exception as e:
+            print(e)
+    if 'callbackUrl' in request.args:
+        callback_url = request.args['callbackUrl']
     return render_template(
         'api.html',
-        callback_url=request.args['callbackUrl'],
+        callback_url=callback_url,
         not_auth_warn=not_auth_warn,
     )
 

requirements.txt

@@ -1,2 +1,3 @@
 flask
 PyJWT
+cryptography

templates/api.html

@@ -7,6 +7,9 @@
 {% else %}
   <p>The API content</p>
 {% endif %}
-<a href="{{ callback_url }}" class="btn btn-dark">Back</a>
+
+{% if callback_url %}
+  <a href="{{ callback_url }}" class="btn btn-dark">Back</a>
+{% endif %}
 
 {% endblock %}