From 1381dfd47eabf5b19931847cd093a2e07dedb08b Mon Sep 17 00:00:00 2001
From: Tarashish Mishra
Date: Fri, 19 Nov 2021 16:35:31 +0530
Subject: [PATCH] Fix issue with Google OAuth integration
OIDC doesn't specify the format for access_token. Some providers use it as a JWT to store information about groups (eg: Keycloak), some don't use it as a JWT (eg: Google). So we try to parse it as a JWT but if that fails we ignore the error and move on. In case the access_token is not an JWT, the groups info is stored in the id_token and that's where we look.
Refs #2003
---
 aleph/oauth.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/aleph/oauth.py b/aleph/oauth.py
index f1eb20ffaf..bf22592f77 100644
--- a/aleph/oauth.py
+++ b/aleph/oauth.py
@@ -1,6 +1,8 @@
 import logging
+from pprint import pformat # noqa
 from authlib.jose import JsonWebToken, JsonWebKey
 from authlib.integrations.flask_client import OAuth
+from authlib.jose.errors import DecodeError
 from aleph import settings
@@ -43,7 +45,13 @@ def load_key(header, payload):
 def _get_groups(provider, oauth_token, id_token):
     """Groups are not standardised in OIDC, so this is provider-specific."""
-    access_token = _parse_access_token(provider, oauth_token)
+    try:
+        access_token = _parse_access_token(provider, oauth_token)
+    except DecodeError:
+        # Failed to parse the access_token as JWT. Most probably, the required
+        # information about groups is in the id_token.
+        access_token = {}
+
     groups = []
     # Amazon Cognito
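Review bot: `+from pprint import pformat # noqa` brings in a name nothing else in this patch uses and silences the unused-import warning with `# noqa`, which reads as a debugging leftover rather than part of the fix; drop the line (and its `# noqa`) unless a later hunk outside this view actually calls `pformat`. The new `DecodeError` import is the right one, but it lands after the `flask_client` import; keep the `authlib.jose` imports together, i.e. `from authlib.jose import JsonWebToken, JsonWebKey` directly followed by `from authlib.jose.errors import DecodeError`.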
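Review bot: The new `except DecodeError:` branch is silent, so a Keycloak-style deployment whose access_token unexpectedly fails to decode (a truncated token, a provider change) will quietly yield no groups and nothing in the logs to explain the lost memberships; log it at debug level before falling back, e.g. `log.debug("access_token is not a JWT; looking for groups in id_token", exc_info=True)`, assuming the module logger is named `log` (only `import logging` is visible in this patch). Keep the exception exactly this narrow: `DecodeError` means "not a JWT", whereas widening to `JoseError` would also swallow `BadSignatureError` and `ExpiredTokenError` if `_parse_access_token` validates the token, which cannot be seen from here. I would also reword the comment from "Most probably" to something a reader can act on, e.g. `# Not a JWT (e.g. Google); provider branches below must tolerate an empty dict and read groups from id_token.` `_get_groups` continues past the end of this hunk, so any provider branch there that indexes `access_token[...]` now needs `.get(...)` since the dict can be empty.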