From f1f9ce2a223b96af84ac62cc5dec1f64ebd51a59 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 21 Jun 2022 13:41:58 +0200
Subject: [PATCH] auth_oidc: check required claims only from the idtoken or the user_info endpoint not both (#66445)
---
 src/authentic2_auth_oidc/backends.py | 30 +++++++++++++++-------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/authentic2_auth_oidc/backends.py b/src/authentic2_auth_oidc/backends.py
index fa02e6f4..c96680b9 100644
--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -207,20 +207,22 @@ class OIDCBackend(ModelBackend):
 if claim_mapping.required:
 if '{{' in claim or '{%' in claim:
 logger.warning('claim \'%r\' is templated, it cannot be set as required')
- elif claim_mapping.idtoken_claim and claim not in id_token:
- logger.warning(
- 'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
- claim,
- id_token,
- )
- return None
- elif not user_info or claim not in user_info:
- logger.warning(
- 'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
- claim,
- user_info,
- )
- return None
+ elif claim_mapping.idtoken_claim:
+ if claim not in id_token:
+ logger.warning(
+ 'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
+ claim,
+ id_token,
+ )
+ return None
+ else: # claim from the user_info endpoint
+ if not user_info or claim not in user_info:
+ logger.warning(
+ 'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
+ claim,
+ user_info,
+ )
+ return None
 # find en email in mappings
 email = None
--
2.35.1
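Review bot: Both warning calls in the added branches still pass the whole `id_token` / `user_info` mapping as the second `%r` argument, so every claim the provider returned (subject, e-mail, names and whatever else it sends) is written to the log at WARNING level each time a single required claim is missing; the key names are enough to diagnose a bad mapping, so replace `id_token,` with `list(id_token),` and `user_info,` with `list(user_info) if user_info else None,`. The templated-claim warning on the context line just above them gives its `%r` no argument, so that call fails inside logging's formatting instead of naming the claim — it should pass `claim` as well. The enclosing method begins before the hunk, so the assumption that `id_token` and `user_info` are dict-like here comes from the `in` tests only.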