Replies: 1 comment
The access token is not supposed to be verified by the client, which is what mod_auth_openidc is in the OpenID Connect setup.
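The distinction drawn in the reply can be checked by reading each token's `aud` claim, shown here as an added example that is not part of the original discussion or of mod_auth_openidc. It decodes the claims without verifying the signature, for diagnosis only; the client ID, audience values and sample tokens are constructed, and the function names are hypothetical.

```python
import base64
import json


def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def unverified_parts(token: str) -> tuple[dict, dict]:
    """Return (header, claims) WITHOUT checking the signature. Diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return b64url_json(parts[0]), b64url_json(parts[1])


def addressed_to(token: str, my_identifiers: set[str]) -> bool:
    """True when the token's `aud` claim names this application."""
    _, claims = unverified_parts(token)
    aud = claims.get("aud", [])
    # `aud` may be a single string or a list of strings.
    audiences = {aud} if isinstance(aud, str) else set(aud)
    return bool(audiences & my_identifiers)


def _make(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


# Constructed sample values, not taken from the discussion.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ID_TOKEN = _make({"aud": CLIENT_ID, "email": "user@example.com"})
ACCESS_TOKEN = _make({"aud": "https://api.example.com", "scp": "read"})

if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        mine = addressed_to(tok, {CLIENT_ID})
        print(f"{name}: {'validate here' if mine else 'not addressed to this app'}")
```

An ID token carries the client's own ID as its audience, so the client is its intended verifier; an access token whose audience names another API is meant to be validated by that API.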
Hi,
Is it possible to verify the JWT passed in the Oidc-Access-Token header, when passed downstream via Apache doing reverse proxy & OIDC?
I have a Python/Flask application behind Apache that is acting as a reverse proxy with OIDC. The provider is Azure and all seems to be working from an OIDC perspective.
When I try to verify in Python the Oidc-Access-Token it fails to verify.
However, when I pass the id-token via header - it verifies fine.
I have also tried taking both tokens from the ?info=json endpoint (including inside the session), same result: access-token fails verification, id-token passes.
The token's header and payload will base64 decode fine.
Relevant bits of my Apache configuration (NB: this is working as the token payload contains my email address etc.)
Offline verification code below, however the Flask application is using Flask-JWT-Extended - both fail.