How to use Python OpenID Connect module with IBM Cloud App ID?

Question

I signed up for IBM Cloud App ID to protect access to my cloud application. There is a sample that shows that the service can be used with Python. However, I want to use one of the (standard) OpenID Connect modules. How can I configure, e.g., Flask-pyoidc to work with App ID? It requires a couple of parameters and I am unsure how they relate to what App ID provides.

provider_config = {
    'issuer': 'https://op.example.com',
    'authorization_endpoint': 'https://op.example.com/authorize',
    'token_endpoint': 'https://op.example.com/token',
    'userinfo_endpoint': 'https://op.example.com/userinfo'
}
auth = OIDCAuthentication(provider_configuration_info=provider_config)

Answer 1

Here is how the provider_config can be configured.

provider_config={
     "issuer": "appid-oauth.ng.bluemix.net",
     "authorization_endpoint": appIDInfo['oauthServerUrl']+"/authorization",
     "token_endpoint": appIDInfo['oauthServerUrl']+"/token",
     "userinfo_endpoint": appIDInfo['profilesUrl']+"/api/v1/attributes",
     "jwks_uri": appIDInfo['oauthServerUrl']+"/publickeys"
}

appIDInfo is either obtained from the Cloud Foundry environment on IBM Cloud or can be configured manually with a structure like the following:

"AppID": {
     "clientId": "your App ID client Id",
     "managementUrl": "https://appid-management.ng.bluemix.net/management/v4/-----tenantID----",
     "oauthServerUrl": "https://appid-oauth.ng.bluemix.net/oauth/v3/-----tenantID----",
     "profilesUrl": "https://appid-profiles.ng.bluemix.net",
     "secret": "the App ID secret",
     "tenantId": "-----tenantID----",
     "version": 3
}

The clientId and secret would then be used to populate the client_info object required by Flask-pyoidc. I have sample code using Flask-pyoidc with App ID in a GitHub repository. It shows all the steps from the configuration to using the decorators to protect the app routes in Flask.