0001-auth_oidc-check-required-claims-only-from-the-idtoke.patch

Benjamin Dauvergne, 21 juin 2022 14:48


Subject: [PATCH] auth_oidc: check required claims only from the idtoken or the
 user_info endpoint not both (#66445)

 src/authentic2_auth_oidc/backends.py | 30 ++++++++++++----------
 tests/test_auth_oidc.py              | 38 ++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 14 deletions(-)
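--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -207,20 +207,22 @@
             if claim_mapping.required:
                 if '{{' in claim or '{%' in claim:
                     logger.warning('claim \'%r\' is templated, it cannot be set as required')
-                elif claim_mapping.idtoken_claim and claim not in id_token:
-                    logger.warning(
-                        'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
-                        claim,
-                        id_token,
-                    )
-                    return None
-                elif not user_info or claim not in user_info:
-                    logger.warning(
-                        'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
-                        claim,
-                        user_info,
-                    )
-                    return None
+                elif claim_mapping.idtoken_claim:
+                    if claim not in id_token:
+                        logger.warning(
+                            'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
+                            claim,
+                            id_token,
+                        )
+                        return None
+                else:  # claim from the user_info endpoint
+                    if not user_info or claim not in user_info:
+                        logger.warning(
+                            'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
+                            claim,
+                            user_info,
+                        )
+                        return None
 
         # find en email in mappings
         email = None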
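Review bot: The two warnings on new lines 212-216 and 220-224 still interpolate the whole `id_token` and `user_info` payloads with `%r`, so each rejected login writes the complete claim set the provider returned (email, names, sub, anything else) into the application log; logging only the claim names, `sorted(id_token)` and `sorted(user_info or {})`, keeps the diagnostic value without spilling personal data into log storage. The templated-claim warning on context line 209 has a `%r` placeholder but no argument, so logging reports a formatting error instead of the message and the claim name is never shown; `logger.warning('claim %r is templated, it cannot be set as required', claim)` fixes it, although that line predates this commit. The enclosing method starts and ends outside the hunk.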
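--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@@ -1269,3 +1269,41 @@
     assert second_authenticator.claim_mappings.get().pk == second_provider_claim_mapping.pk
     assert second_authenticator.accounts.count() == 1
     assert second_authenticator.accounts.get().pk == second_provider_account.pk
+
+
+def test_only_idtoken_claims(app, caplog, code, oidc_provider, oidc_provider_jwkset):
+    oidc_provider.claim_mappings.update(idtoken_claim=True)
+    response = app.get('/').maybe_follow()
+    assert oidc_provider.name in response.text
+    response = response.click(oidc_provider.name)
+    location = urllib.parse.urlparse(response.location)
+    query = QueryDict(location.query)
+    state = query['state']
+    nonce = query['nonce']
+
+    # sub=john.doe
+    extra_id_token = {
+        'given_name': 'John',
+        'family_name': 'Doe',
+        'email': 'john.doe@example.com',
+    }
+    with utils.check_log(caplog, 'missing required claim'):
+        with oidc_provider_mock(
+            oidc_provider,
+            oidc_provider_jwkset,
+            code,
+            nonce=nonce,
+        ):
+            response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
+        assert User.objects.count() == 0
+
+    with utils.check_log(caplog, 'auth_oidc: created user'):
+        with oidc_provider_mock(
+            oidc_provider,
+            oidc_provider_jwkset,
+            code,
+            nonce=nonce,
+            extra_id_token=extra_id_token,
+        ):
+            response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
+        assert User.objects.count() == 1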
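Review bot: test_only_idtoken_claims exercises only the idtoken branch of the new backend code: it flips every mapping to `idtoken_claim=True` and checks that claims absent from the id_token are rejected, but nothing covers the new `else` branch (a user_info-sourced claim that is present in the id_token yet missing from user_info), which is the other half of the "not both" rule in the commit subject. Whether the first block also proves that claims served by the user_info endpoint no longer satisfy an idtoken-only mapping depends on what `oidc_provider_mock` returns from user_info by default, which is not visible here; a comment stating that assumption, `# user_info still carries the claims; only the id_token may satisfy them`, would make the test's intent explicit. The `response` assigned inside both `with` blocks is never read, so those two assignments can be dropped. The function appears to end at the hunk's last line.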
1272
-