I was able to bypass the decorated @oidc.require_login on a function, leading to an app crash, of course, as the function was trying to access grants from the ID token.
Here is the stack trace:
[2022-12-20 14:38:59 +0000] [12] [ERROR] Error handling request /route
app | Traceback (most recent call last):
app | File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 136, in handle
app | self.handle_request(listener, req, client, addr)
app | File "/usr/local/lib/python3.10/site-packages/gunicorn/workers/sync.py", line 179, in handle_request
app | respiter = self.wsgi(environ, resp.start_response)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2548, in __call__
app | return self.wsgi_app(environ, start_response)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2528, in wsgi_app
app | response = self.handle_exception(e)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2525, in wsgi_app
app | response = self.full_dispatch_request()
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1822, in full_dispatch_request
app | rv = self.handle_user_exception(e)
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
app | rv = self.dispatch_request()
app | File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
app | return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
app | File "/home/app/routes.py", line 252, in my_func
app | a_grant= oidc.user_getfield("a_grant")
app | File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 220, in user_getfield
app | info = self.user_getinfo([field], access_token)
app | File "/usr/local/lib/python3.10/site-packages/flask_oidc/__init__.py", line 240, in user_getinfo
app | raise Exception('User was not authenticated')
app | Exception: User was not authenticated
To reproduce it, just authenticate once and go to that route. It will display everything fine.
Then leave it open for a while. Not sure for how long; I think the ID token just needs to expire or something. Then refresh the page and you will see the exception.
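The pattern behind this report is a login guard whose check ("is a token present?") is weaker than the check the claim accessor later applies ("is the token still valid?"), so a stale session passes the decorator and the view raises instead of redirecting. The following is an added, self-contained model of that gap and of a fail-closed fix; it is not code from the report or from flask_oidc. The `session` dict, the `Redirect` exception, the `a_grant`/`reader` claim values and the `/login` location are constructed stand-ins for the Flask session, an HTTP redirect and the real identity provider's claims.

```python
"""Model of a login guard that passes a stale session (constructed example, not flask_oidc)."""
import time
from functools import wraps


class NotAuthenticated(Exception):
    """Raised when claims are requested without a valid ID token."""


class Redirect(Exception):
    """Stand-in for an HTTP redirect to the login flow (constructed)."""

    def __init__(self, location):
        super().__init__(location)
        self.location = location


# Constructed in-memory "session"; a real app would use the framework's session store.
session = {}


def id_token_is_valid(tok, now=None):
    """A token is usable only if it exists and its 'exp' claim is in the future."""
    now = time.time() if now is None else now
    return tok is not None and tok.get("exp", 0) > now


def user_getfield(field):
    """Mimics the behaviour in the trace: refuse to serve claims from an invalid token."""
    tok = session.get("id_token")
    if not id_token_is_valid(tok):
        raise NotAuthenticated("User was not authenticated")
    return tok[field]


def require_login_presence_only(view):
    """Weak guard: only checks that a token exists, not that it is still valid."""

    @wraps(view)
    def wrapper(*args, **kwargs):
        if "id_token" not in session:
            raise Redirect("/login")
        return view(*args, **kwargs)

    return wrapper


def require_valid_login(view):
    """Hardened guard: applies the same validity check the claim accessor uses,
    drops the stale token and redirects, and never lets NotAuthenticated become a 500."""

    @wraps(view)
    def wrapper(*args, **kwargs):
        if not id_token_is_valid(session.get("id_token")):
            session.pop("id_token", None)
            raise Redirect("/login")
        try:
            return view(*args, **kwargs)
        except NotAuthenticated:
            session.pop("id_token", None)
            raise Redirect("/login")

    return wrapper


@require_login_presence_only
def buggy_route():
    return f"grant: {user_getfield('a_grant')}"


@require_valid_login
def fixed_route():
    return f"grant: {user_getfield('a_grant')}"


def call(view):
    """Run a view and classify the outcome: ('ok', body), ('redirect', loc) or ('error', text)."""
    try:
        return ("ok", view())
    except Redirect as r:
        return ("redirect", r.location)
    except Exception as e:  # what a WSGI server would turn into a 500
        return ("error", f"{type(e).__name__}: {e}")


def demo():
    """Walk through the reproduction steps: fresh login, then the token expires."""
    results = {}
    # Step 1: just authenticated, token valid for an hour; both routes render.
    session["id_token"] = {"sub": "alice", "a_grant": "reader", "exp": time.time() + 3600}
    results["fresh_buggy"] = call(buggy_route)
    results["fresh_fixed"] = call(fixed_route)
    # Step 2: the page was left open and the token expired; refresh both routes.
    session["id_token"]["exp"] = time.time() - 1
    results["expired_buggy"] = call(buggy_route)  # guard passes, view raises -> 500
    results["expired_fixed"] = call(fixed_route)  # sent back to login instead
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the two routes agreeing while the token is fresh and diverging once it has expired: the presence-only guard lets the request reach the view, which raises the same "User was not authenticated" error seen in the trace, while the hardened guard clears the stale token and redirects to `/login`.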