From 761d3e482cee3c4322488de269c00e8dfcd8d4fa Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 21 Jan 2020 13:05:39 +0100
Subject: [PATCH 1/3] auth_oidc: use simple strings in exceptions (#39136)
---
 src/authentic2_auth_oidc/backends.py | 2 +-
 src/authentic2_auth_oidc/utils.py | 23 ++++++++++++-----------
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/authentic2_auth_oidc/backends.py b/src/authentic2_auth_oidc/backends.py
index 83d99e66..9bc9012f 100644
--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -45,7 +45,7 @@ class OIDCBackend(ModelBackend):
 id_token = utils.IDToken(id_token)
 id_token.deserialize(provider)
 except utils.IDTokenError as e:
- logger.warning(u'auth_oidc: invalid id_token %r: %s', id_token, e)
+ logger.warning(u'auth_oidc: invalid id_token %s: %s', original_id_token, e)
 return None
 try:
diff --git a/src/authentic2_auth_oidc/utils.py b/src/authentic2_auth_oidc/utils.py
index ecf797bd..26ef4570 100644
--- a/src/authentic2_auth_oidc/utils.py
+++ b/src/authentic2_auth_oidc/utils.py
@@ -27,7 +27,7 @@ from authentic2.decorators import GlobalCache
 from authentic2.models import Attribute
 from authentic2.a2_rbac.utils import get_default_ou
-from jwcrypto.jwt import JWT, JWTMissingKey
+from jwcrypto.jwt import JWT, JWTMissingKey, JWTMissingKeyID
 from jwcrypto.jwk import JWK
 from jwcrypto.common import (JWException, InvalidJWAAlgorithm, json_decode, base64url_encode)
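Review bot: The new warning on the `+` line logs the complete raw `original_id_token`; an ID token carries the subject's claims (commonly `sub`, and depending on the provider email or name), so every rejected token now leaves that data in persistent logs. `original_id_token` is not assigned inside this hunk, so it presumably comes from earlier in the method, which starts outside the hunk. Consider logging a short non-reversible reference instead, e.g. `logger.warning(u'auth_oidc: invalid id_token (sha256 %s): %s', hashlib.sha256(original_id_token.encode('utf-8')).hexdigest()[:16], e)` (with `hashlib` imported at module level, and `.encode` only if the value is text), and keep the full token for a debug-level message if it is needed for diagnosis.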
@@ -74,18 +74,19 @@ def parse_id_token(encoded, provider):
 jwt.deserialize(encoded, None)
 header = jwt.token.jose_header
- if header['alg'] in ('RS256', 'RS384', 'RS512'):
- key = provider.jwkset.get_key(kid=header.get('kid'))
+ alg = header.get('alg')
+
+ if alg in ('RS256', 'RS384', 'RS512'):
+ kid = header.get('kid')
+ if not kid:
+ raise JWTMissingKeyID()
+ key = provider.jwkset.get_key(kid=kid)
 if not key:
- raise JWTMissingKey(
- _('Unknown RSA key identifier %(kid)s for provider %(provider)s') %
- {'kid': header.get('kid'), 'provider': provider})
- elif header['alg'] in ('HS256', 'HS384', 'HS512'):
- key = JWK(kty='oct', k=base64url_encode(
- provider.client_secret.encode('utf-8')))
+ raise JWTMissingKey('Key ID %r not in key set' % kid)
+ elif alg in ('HS256', 'HS384', 'HS512'):
+ key = JWK(kty='oct', k=base64url_encode(provider.client_secret.encode('utf-8')))
 else:
- raise InvalidJWAAlgorithm(
- _('Unsupported %s signature algorithm') % header['alg'])
+ raise InvalidJWAAlgorithm(repr(alg))
 jwt = JWT()
 jwt.deserialize(encoded, key)
--
2.24.0
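Review bot: The added `if not kid: raise JWTMissingKeyID()` rejects every RS-signed token whose header has no `kid`, whereas the old code handed `header.get('kid')` straight to `provider.jwkset.get_key`, which — if `jwkset` is a jwcrypto `JWKSet` — could still match a key that itself carries no key id, so providers publishing a single unnamed key may now fail where they previously verified. OIDC Core only requires `kid` when the JWK Set holds more than one key, so if the stricter rule is intended, document it on the guard, e.g. `# kid is required here: an unnamed key in the provider's set is never used as a fallback`; otherwise resolve the sole key when the set contains exactly one. Separately, which branch runs is still chosen by the unverified `alg` from the token header rather than by provider configuration; passing the provider's configured algorithm to the verifying `JWT()` via its `algs=` argument would pin the accepted algorithm instead of accepting any of the six. `parse_id_token` begins before this hunk and continues after it.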