Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix role mapping in oauth2 authentication #4715

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix role mapping in oauth2 authentication #4715

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
11bc334
Fix role mapping in oauth2 authentication
pinmarva Nov 21, 2023
99b183d
Fix variable
pinmarva Nov 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 12 additions & 9 deletions lemur/auth/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,15 +129,16 @@ def validate_id_token(id_token, client_id, jwks_url):

# validate your token based on the key it was signed with
try:
jwt.decode(
id_token_decoded = jwt.decode(
id_token, secret.decode("utf-8"), algorithms=[algo], audience=client_id
)
return id_token_decoded, None
except jwt.DecodeError:
return dict(message="Token is invalid"), 401
return None, dict(message="Token is invalid"), 401
except jwt.ExpiredSignatureError:
return dict(message="Token has expired"), 401
return None, dict(message="Token has expired"), 401
except jwt.InvalidTokenError:
return dict(message="Token is invalid"), 401
return None, dict(message="Token is invalid"), 401


def retrieve_user(user_api_url, access_token):
Expand All @@ -152,7 +153,9 @@ def retrieve_user(user_api_url, access_token):

headers = {}

if current_app.config.get("PING_INCLUDE_BEARER_TOKEN"):
if current_app.config.get("PING_INCLUDE_BEARER_TOKEN") and "ping" in current_app.config.get("ACTIVE_PROVIDERS"):
headers = {"Authorization": f"Bearer {access_token}"}
else:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If and else blocks are the same headers = {"Authorization": f"Bearer {access_token}"}, which seems incorrect. Not sure what code change you were going for. If you can correct it with the intended change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay @charhate.
Apparently, the Authorization header is omitted in the PING provider when PING_INCLUDE_BEARER_TOKEN is False or is omitted.
But for the oauth2 provider, the Authorization header is mandatory.

headers = {"Authorization": f"Bearer {access_token}"}

# retrieve information about the current user.
Expand Down Expand Up @@ -221,7 +224,7 @@ def create_user_roles(profile: dict) -> list[str]:
# If the IDP_GROUPS_TO_ROLES is empty or not set, nothing happens.
idp_group_to_role_map = current_app.config.get("IDP_ROLES_MAPPING", {})
matched_roles = [
idp_group_to_role_map[role] for role in profile.get(idp_groups_key, []) if role in idp_group_to_role_map
role_service.get_by_name(idp_group_to_role_map[role]) for role in profile.get(idp_groups_key, []) if role in idp_group_to_role_map
]
roles.extend(matched_roles)

Expand Down Expand Up @@ -536,7 +539,7 @@ def post(self):
)

jwks_url = current_app.config.get("PING_JWKS_URL")
error_code = validate_id_token(id_token, args["clientId"], jwks_url)
id_token_decoded, error_code = validate_id_token(id_token, args["clientId"], jwks_url)
if error_code:
return error_code

Expand Down Expand Up @@ -602,12 +605,12 @@ def post(self):
)

jwks_url = current_app.config.get("OAUTH2_JWKS_URL")
error_code = validate_id_token(id_token, args["clientId"], jwks_url)
id_token_decoded, error_code = validate_id_token(id_token, args["clientId"], jwks_url)
if error_code:
return error_code

user, profile = retrieve_user(user_api_url, access_token)
roles = create_user_roles(profile)
roles = create_user_roles(id_token_decoded)
user = update_user(user, profile, roles)

if not user.active:
Expand Down