I am trying to implement OAuth2 authentication with the OpenID Connect workflow, using Cloud Foundry UAA as the backend authentication provider in a Python Flask application that uses oic.oauth2.

Even though I can successfully curl and obtain an access token via POST, I run into a problem where I get a "Could not find authorization for state" error when trying to execute the access token request.
```
curl -k 'https://172.17.0.114:8443/oauth/token' -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=ga4gh_server&client_secret=ga4gh_server&grant_type=authorization_code&response_type=id_token&code=1n3ILw&state=CyBAFDwl79YU19lCEdODalMD&token_format=opaque&redirect_uri=https%3A%2F%2F172.17.0.107%2Fga4gh%2Foauth2callback'
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 15 Jul 2016 20:45:05 GMT

{"access_token":"2f57ef6dd73c482cac5aa7b8826ba8b7","token_type":"bearer","id_token":"eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.bDA3fLRMgtcPuUMw6laV89MwDqsIRkWi4-l0qvoN7qA","refresh_token":"2f57ef6dd73c482cac5aa7b8826ba8b7-r","expires_in":43199,"scope":"openid","nonce":"ajhs3gev4t8TBDB1zTvBbJJP","jti":"2f57ef6dd73c482cac5aa7b8826ba8b7"}
```
The Flask application generates a random 24-character 'nonce' and 'state' to identify itself, but it seems the 'state' is not being parsed correctly, which causes my access token request to fail :(.

Here is the code that handles oauth2callback; it is implemented with pyoidc:
```python
import socket
import urlparse

import flask
import oic.oauth2
from oic.oauth2 import message

# `app`, `exceptions` and SECRET_KEY_LENGTH come from the rest of the
# application and are not shown in the question.


def oauth2callback():  # the route wrapper was not posted; only this body was
    if app.oidcClient is None:
        raise exceptions.NotImplementedException()
    response = dict(flask.request.args.iteritems(multi=True))
    # aresp = app.oidcClient.parse_response(
    #     message.AuthorizationResponse,
    #     info=response,
    #     sformat='dict')
    sessState = flask.session.get('state')
    # respState = aresp['state']
    respState = sessState
    code = flask.request.args.get('code')
    # if (not isinstance(aresp, message.AuthorizationResponse) or
    #         respState != sessState):
    #     raise exceptions.NotAuthenticatedException()
    if respState != sessState:
        raise exceptions.NotAuthenticatedException()
    args = {
        "client_id": app.oidcClient.client_id,
        "client_secret": app.oidcClient.client_secret,
        "grant_type": 'authorization_code',
        "response_type": 'token',
        # "code": aresp['code'],
        "code": code,
        "redirect_uri": app.oidcClient.redirect_uris[0]
    }
    # Exchange the authorization code for tokens at the UAA token endpoint
    atr = app.oidcClient.do_access_token_request(
        scope=["openid"],
        state=respState,
        request_args=args)
    if not isinstance(atr, message.AccessTokenResponse):
        raise exceptions.NotAuthenticatedException()
    atrDict = atr.to_dict()
    # The nonce inside the id_token must match the one stored in the session
    if flask.session.get('nonce') != atrDict['id_token']['nonce']:
    # if flask.session.get('nonce') != atrDict['nonce']:
        raise exceptions.NotAuthenticatedException()
    key = oic.oauth2.rndstr(SECRET_KEY_LENGTH)
    flask.session['key'] = key
    # app.tokenMap[key] = aresp["code"], respState, atrDict
    app.tokenMap[key] = code, respState, atrDict
    # flask.url_for is broken. It relies on SERVER_NAME for both name
    # and port, and defaults to 'localhost' if not found. Therefore
    # we need to fix the returned url
    indexUrl = flask.url_for('index', _external=True)
    indexParts = list(urlparse.urlparse(indexUrl))
    if ':' not in indexParts[1]:
        indexParts[1] = '{}:{}'.format(socket.gethostname(), app.myPort)
    indexUrl = urlparse.urlunparse(indexParts)
    response = flask.redirect(indexUrl)
    return response
```
After a successful login at the auth server, the browser is redirected to the callback URL with the following parameters:

```
https://172.17.0.107/ga4gh/oauth2callback#token_type=bearer&id_token=eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.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.tXC1kP2nT_8cLaM0Gyk_rcDEetqIo39J_C3jtulTDm4&code=1n3ILw&state=CyBAFDwl79YU19lCEdODalMD&expires_in=43199&nonce=ajhs3gev4t8TBDB1zTvBbJJP&jti=0f6522ca757e43beb59e60cb2d3afcfb
```
However, in order to continue with my access token request, I cannot seem to parse the state arg from that callback URL, for some reason.

Any ideas on how to solve this would be greatly appreciated!

Many thanks!
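The callback URL quoted in the question carries `code`, `state` and `nonce` after a `#`, i.e. in the URL fragment, and browsers never send the fragment to the server, which is why the Flask handler sees no `state` in `flask.request.args` and the session-bound CSRF check can only pass when it is short-circuited with `respState = sessState`. The following is an added example, not code from the question or from pyoidc: it splits a callback URL into the server-visible query parameters and the fragment parameters, and shows the state check a callback handler should run before the token request (the URLs are constructed from the values in the question; `validate_callback` and `callback_rejected` are names chosen here).

```python
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed from the callback quoted in the question: parameters in the fragment.
FRAGMENT_CALLBACK = ("https://172.17.0.107/ga4gh/oauth2callback"
                     "#token_type=bearer&code=1n3ILw&state=CyBAFDwl79YU19lCEdODalMD"
                     "&nonce=ajhs3gev4t8TBDB1zTvBbJJP")
# The same code and state delivered in the query string, as an
# authorization-code response (response_type=code) does.
QUERY_CALLBACK = ("https://172.17.0.107/ga4gh/oauth2callback"
                  "?code=1n3ILw&state=CyBAFDwl79YU19lCEdODalMD")


def split_callback(url):
    """Return (query_params, fragment_params) as single-valued dicts.

    Only query_params ever reach the server: the browser strips the fragment
    before issuing the request (RFC 3986, section 3.5), so a handler that
    reads request.args sees an empty dict for a fragment-style callback.
    """
    parts = urlparse(url)
    flatten = lambda qs: {k: v[0] for k, v in parse_qs(qs).items()}
    return flatten(parts.query), flatten(parts.fragment)


def validate_callback(server_side_params, session_state):
    """Server-side check to run before exchanging the code for tokens.

    Returns the authorization code, or raises ValueError when state or code
    is missing or when state does not match the value bound to this session.
    """
    state = server_side_params.get("state")
    code = server_side_params.get("code")
    if state is None or code is None:
        raise ValueError("code/state missing from query string; cannot verify state")
    # Constant-time comparison, so timing does not leak how many characters match.
    if not hmac.compare_digest(state, session_state):
        raise ValueError("state mismatch: response not initiated by this session")
    return code


def callback_rejected(server_side_params, session_state):
    """True when validate_callback refuses the callback."""
    try:
        validate_callback(server_side_params, session_state)
        return False
    except ValueError:
        return True
```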