sources/oauth: fix oidc well-known parsing (#7248)

This commit is contained in:
Jens L 2023-10-20 20:37:52 +02:00 committed by GitHub
parent cc781cad00
commit 7e213f3ca6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 10 deletions


@ -71,15 +71,12 @@ class OAuthSourceSerializer(SourceSerializer):
text = exc.response.text if exc.response else str(exc) text = exc.response.text if exc.response else str(exc)
raise ValidationError({"oidc_well_known_url": text}) raise ValidationError({"oidc_well_known_url": text})
config = well_known_config.json() config = well_known_config.json()
try: if "issuer" not in config:
attrs["authorization_url"] = config["authorization_endpoint"] raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
attrs["access_token_url"] = config["token_endpoint"] attrs["authorization_url"] = config.get("authorization_endpoint", "")
attrs["profile_url"] = config["userinfo_endpoint"] attrs["access_token_url"] = config.get("token_endpoint", "")
inferred_oidc_jwks_url = config["jwks_uri"] attrs["profile_url"] = config.get("userinfo_endpoint", "")
except (IndexError, KeyError) as exc: inferred_oidc_jwks_url = config.get("jwks_uri", "")
raise ValidationError(
{"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
)
# Prefer user-entered URL to inferred URL to default URL # Prefer user-entered URL to inferred URL to default URL
jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url
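Review bot: The new `"issuer" not in config` check only tests for the key's presence, and the `config = well_known_config.json()` call just above it is still unguarded, so a discovery endpoint answering with a non-JSON body raises a `ValueError` (`JSONDecodeError`, assuming this is `requests`) out of the serializer instead of a `ValidationError`, and a JSON body that is not an object (e.g. a list containing `"issuer"`) can pass the membership test and then fail on `config.get` with `AttributeError`. Consider `if not isinstance(config, dict) or "issuer" not in config:` and wrapping the `.json()` call in a `try`/`except ValueError` that raises the same `ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})`. OIDC Discovery (§4.3) also expects the `issuer` value to match the URL the document was retrieved from; comparing `config["issuer"]` against the well-known URL in `attrs` would close the issuer mix-up case, though that goes beyond this fix. Note that the `.get(..., "")` fallbacks mean a document missing `token_endpoint` now validates with an empty `access_token_url` where the old code rejected it, so it is worth confirming an empty URL is caught downstream. The enclosing method starts above this hunk.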


@ -38,7 +38,7 @@ def update_well_known_jwks(self: MonitoredTask):
for source_attr, config_key in source_attr_key: for source_attr, config_key in source_attr_key:
# Check if we're actually changing anything to only # Check if we're actually changing anything to only
# save when something has changed # save when something has changed
if getattr(source, source_attr) != config[config_key]: if getattr(source, source_attr, "") != config[config_key]:
dirty = True dirty = True
setattr(source, source_attr, config[config_key]) setattr(source, source_attr, config[config_key])
except (IndexError, KeyError) as exc: except (IndexError, KeyError) as exc:
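Review bot: The loop body still indexes `config[config_key]` directly, so a discovery document that omits one of the mapped keys raises `KeyError` into the handler below and leaves the remaining attributes of that source un-updated, while the serializer change in this same commit now accepts such a document via `.get(..., "")`; the two code paths disagree on what a valid document is. If partial documents are meant to be tolerated here too, `value = config.get(config_key)` followed by `if value is None: continue` before the comparison keeps the update going for the keys that are present. The new `getattr(..., "")` default only changes the comparison, not the following `setattr`, so if `source_attr` can genuinely be missing on some source model the value would presumably be set as a plain instance attribute and never persisted — a short comment on why the default is needed (`# some source types lack this field; treat as empty`) would help the next reader. The `except` handler body and the function's start and end lie outside this hunk.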


@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
def test_api_validate_openid_connect(self): def test_api_validate_openid_connect(self):
"""Test API validation (with OIDC endpoints)""" """Test API validation (with OIDC endpoints)"""
openid_config = { openid_config = {
"issuer": "foo",
"authorization_endpoint": "http://mock/oauth/authorize", "authorization_endpoint": "http://mock/oauth/authorize",
"token_endpoint": "http://mock/oauth/token", "token_endpoint": "http://mock/oauth/token",
"userinfo_endpoint": "http://mock/oauth/userinfo", "userinfo_endpoint": "http://mock/oauth/userinfo",
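Review bot: The fixture gains an `issuer` entry so the happy path keeps passing, but the rejection branch the commit adds to the serializer (`"issuer" not in config` → `ValidationError`) has no test in this hunk; a second case that posts the same `openid_config` without `issuer` and asserts on the `oidc_well_known_url` error would pin the fix. `"issuer": "foo"` is also not a URL; if the serializer is later made to compare the issuer with the well-known URL as OIDC Discovery requires, this fixture should use the mocked issuer URL instead. The rest of the test method continues past this hunk.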