Ensure OAuth falls back to OpenID userinfo if id_token is not suffici…
…ent (#5939)

* Ensure OAuth falls back to OpenID userinfo if id_token is not sufficient

* Apply suggestions from code review
philippjfr authored Nov 29, 2023
1 parent 2fe1537 commit cc9400a
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions panel/auth.py
Expand Up @@ -237,9 +237,13 @@ async def _fetch_access_token(
if expires_in:
expires_in = int(expires_in)
if id_token:= body.get('id_token'):
log.debug("%s successfully obtained tokens.", type(self).__name__)
user = self._on_auth(id_token, access_token, refresh_token, expires_in)
return user, access_token, refresh_token, expires_in
try:
user = self._on_auth(id_token, access_token, refresh_token, expires_in)
except HTTPError:
pass
else:
log.debug("%s successfully obtained access_token and id_token.", type(self).__name__)
return user, access_token, refresh_token, expires_in

user_headers = dict(self._API_BASE_HEADERS)
if self._access_token_header:
Expand All @@ -250,21 +254,22 @@ async def _fetch_access_token(
else:
user_url = '{}{}'.format(self._OAUTH_USER_URL, body['access_token'])

log.debug("%s requesting OpenID userinfo.", type(self).__name__)
try:
user_response = await http.fetch(user_url, headers=user_headers)
id_token = decode_response_body(user_response)
except HTTPClientError:
id_token = None

if not id_token:
log.debug("%s could not obtain id_token, falling back to decoding access_token.", type(self).__name__)
log.debug("%s could not obtain userinfo or id_token, falling back to decoding access_token.", type(self).__name__)
try:
id_token = decode_token(body['access_token'])
except Exception:
log.debug("%s could not decode access_token.", type(self).__name__)
self._raise_error(response, body, status=401)

log.debug("%s successfully obtained tokens.", type(self).__name__)
log.debug("%s successfully obtained access_token and userinfo.", type(self).__name__)
user = self._on_auth(id_token, access_token, refresh_token, expires_in)
return user, access_token, refresh_token, expires_in
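Review bot: The new `except HTTPError: pass` around the first `_on_auth` call discards the failure without a log line and without checking why it failed, so any HTTPError from `_on_auth`, not only an id_token that lacks the needed claims, sends the login on to the userinfo request and then to decoding the access_token. `_on_auth` is defined outside this section, so whether it also raises HTTPError to deny a user cannot be checked here; if it does, the handler should re-raise those cases rather than retry with another identity source. At minimum record the fallback so the auth log shows which source produced the user: `except HTTPError as e:` followed by `log.debug("%s could not authenticate with id_token (%s), falling back to userinfo.", type(self).__name__, e)`. The body of `_fetch_access_token` starts above the first hunk.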
