
oauth.py _parse_access_token function uses access_token instead of id_token #2003

Open
keanpaderes opened this issue Oct 7, 2021 · 3 comments
Labels: backend (Issues related to Aleph’s backend, API, CLI etc.), bug (Things that should work, but don’t)

Comments

@keanpaderes

keanpaderes commented Oct 7, 2021

OS: MacOS Catalina 10.15.7
Docker Version: 20.10.7
Aleph Version: 3.11.0

Good day! We stumbled upon an error while integrating Google OAuth with our Aleph instance. We have traced the problem to aleph/aleph/oauth.py, specifically the _parse_access_token function (line 28). In its current form, it uses the access_token property, which leads to an error when authlib's JsonWebToken.decode function parses it, as access_token is not a JWT. It should use the id_token property, which is also available in the oauth_token parameter; we confirmed that it works when we applied the change on our local image.

(Screenshot attached: Screen Shot 2021-10-07 at 4 29 30 PM)

@sunu
Contributor

sunu commented Oct 7, 2021

Thanks @keanpaderes! We have had users who couldn't set up Aleph to use Google OAuth. So thank you for diagnosing the issue!
We'll try to implement a fix soon.

@sunu sunu added the bug Things that should work, but don’t label Oct 7, 2021
@Rosencrantz Rosencrantz added the backend Issues related to Aleph’s backend, API, CLI etc. label Oct 12, 2021
@thimios

thimios commented Nov 9, 2021

#2054

@sunu
Contributor

sunu commented Nov 11, 2021

Hey everyone, I know multiple people are facing this same issue and we want to help fix it soon. But unfortunately we are blocked on some urgent internal work at the moment. We'll get to fixing the issue as soon as we can and ship it in the next Aleph release.

@sunu sunu self-assigned this Nov 19, 2021
sunu added a commit that referenced this issue Nov 19, 2021
OIDC doesn't specify the format for access_token. Some providers use it
as a JWT to store information about groups (eg: Keycloak), some don't
use it as a JWT (eg: Google).

So we try to parse it as a JWT but if that fails we ignore the error
and move on. In case the access_token is not a JWT, the groups info is
stored in the id_token and that's where we look.

Refs #2003
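The fallback the commit message describes, as an added Python example rather than Aleph's own oauth.py code: try access_token as a JWT (Keycloak-style providers), and if it is opaque (Google) read the claims from the id_token instead, while every token still goes through a signature-verifying decoder. The HS256 helpers and DEMO_SECRET are constructed stand-ins for a real decoder such as authlib's JsonWebToken.decode against the provider's keys; `claims_from_oauth_token` accepts any such decoder via the `decode` parameter.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Mapping

# Constructed demo secret; a real deployment verifies against the provider's JWKS.
DEMO_SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verifying decoder: raises ValueError for non-JWT strings and bad signatures."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")  # opaque tokens such as Google's land here
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def claims_from_oauth_token(oauth_token: Mapping[str, str],
                            decode: Callable[[str], dict] = verify_hs256_jwt) -> dict:
    """Try access_token as a JWT; if it is opaque, fall back to the id_token."""
    try:
        return decode(oauth_token.get("access_token", ""))
    except ValueError:
        pass  # access_token is not a JWT: ignore the error and move on
    id_token = oauth_token.get("id_token")
    if not id_token:
        raise ValueError("access_token is not a JWT and no id_token was returned")
    return decode(id_token)  # OIDC requires id_token to be a JWT; still verified
```

Claims are only ever taken from a token whose signature verified, so an opaque access_token silently falls through while a tampered id_token is still rejected.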
sunu added a commit that referenced this issue Nov 29, 2021
Fix issue with Google OAuth integration