
[CILogon] Instructions for CILogon with Google OAuth use new Google API for oid, but CILogon uses an old OAuth API #522

Closed
GeorgianaElena opened this issue Jun 15, 2022 · 3 comments


GeorgianaElena commented Jun 15, 2022

Bug description

The allowed_idps dict is documented to expect its keys to be entity ids from the list provided by CILogon at https://cilogon.org/idplist.

See https://cilogon.org/idplist for the list of `EntityIDs` of each IdP.

However, the idp field of the userinfo response from CILogon

selected_idp = resp_json.get("idp")

is an old Google OIDC endpoint, i.e. http://google.com/accounts/o8/id. I believe the OpenID Connect authorization endpoint to use instead is https://accounts.google.com/o/oauth2/v2/auth, which is documented at https://developers.google.com/identity/protocols/oauth2/openid-connect.

Expected + actual behaviour

I expected that what CILogon returns in the userinfo dict would be the entity id from the list at https://cilogon.org/idplist, which is https://accounts.google.com/o/oauth2/auth, but it is not, so when trying to use the Google identity provider, JupyterHub returns a 500 error.

How to reproduce

A config like:

c.CILogonOAuthenticator.allowed_idps = {
    'https://accounts.google.com/o/oauth2/auth': {
        'username_derivation': {
            'username_claim': 'email',
        }
    },
}

won't work, because the authenticator would think you're using an IdP that wasn't authorized when logging in using Google (which is actually the opposite of what's wanted).

Possible solution

I also opened an issue about it upstream, ncsa/oa4mp#45, and I believe solving that would also solve this issue.

In the meantime, however, we should document the actual entity id of Google that is expected.

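The lookup the issue describes, as an added example that is not code from the oauthenticator project or from the issue's author: the idp claim of the userinfo response is compared against the keys of allowed_idps, and only then is the username taken from the configured username_claim. The two sample userinfo responses are constructed, with the idp claim set to the legacy value reported above and to the entityID listed at https://cilogon.org/idplist; the other field names, the IdpNotAllowed exception and the authorize/is_allowed function names are assumptions, and the real authenticator's error handling (the 500 reported above) is not reproduced.

```python
"""Added example (not oauthenticator project code): resolve a CILogon userinfo
response against an allowed_idps mapping, so the key mismatch from the issue
shows up as an explicit rejection rather than a surprising failure."""

from typing import Any, Mapping

# Constructed sample responses. Only the keys used below are modelled.
USERINFO_BEFORE_FIX: dict = {
    "sub": "http://cilogon.org/serverA/users/12345",  # constructed value
    "email": "user@example.com",                       # constructed value
    "idp": "http://google.com/accounts/o8/id",         # legacy value reported in the issue
    "idp_name": "Google",
}
USERINFO_AFTER_FIX: dict = dict(
    USERINFO_BEFORE_FIX,
    idp="https://accounts.google.com/o/oauth2/auth",   # entityID from https://cilogon.org/idplist
)

# The configuration from the issue, as a plain dict.
ALLOWED_IDPS: dict = {
    "https://accounts.google.com/o/oauth2/auth": {
        "username_derivation": {"username_claim": "email"},
    },
}


class IdpNotAllowed(Exception):
    """The idp claim is absent, or is not a key of allowed_idps (assumed exception type)."""


def authorize(userinfo: Mapping[str, Any], allowed_idps: Mapping[str, Any]) -> str:
    """Return the derived username, or raise IdpNotAllowed.

    The comparison is an exact string match on purpose: allowed_idps is an
    authorization list, so normalising scheme, host or trailing slashes here
    would quietly widen what the operator allowed. The operator therefore has
    to key the dict on exactly the string CILogon returns in the idp claim.
    """
    selected_idp = userinfo.get("idp")
    if not isinstance(selected_idp, str) or not selected_idp:
        raise IdpNotAllowed("userinfo response carries no usable idp claim")
    if selected_idp not in allowed_idps:
        raise IdpNotAllowed(
            f"idp {selected_idp!r} is not a key of allowed_idps; "
            f"configured keys: {sorted(allowed_idps)}"
        )
    # Simplification for this example: only username_claim is honoured.
    claim = allowed_idps[selected_idp]["username_derivation"]["username_claim"]
    username = userinfo.get(claim)
    if not isinstance(username, str) or not username:
        raise IdpNotAllowed(f"username claim {claim!r} missing from userinfo response")
    return username


def is_allowed(userinfo: Mapping[str, Any], allowed_idps: Mapping[str, Any]) -> bool:
    """True if authorize() accepts the response, False if it raises IdpNotAllowed."""
    try:
        authorize(userinfo, allowed_idps)
    except IdpNotAllowed:
        return False
    return True


if __name__ == "__main__":
    for label, info in (("before fix", USERINFO_BEFORE_FIX), ("after fix", USERINFO_AFTER_FIX)):
        try:
            print(f"{label}: allowed as {authorize(info, ALLOWED_IDPS)!r}")
        except IdpNotAllowed as exc:
            print(f"{label}: rejected ({exc})")
```

Run stand-alone, the "before fix" response is rejected because its idp claim is not a key of ALLOWED_IDPS, and the "after fix" response yields the email as username. The exact-match rule also means a key that differs only by a trailing slash or by http versus https is a different identity provider, which is the behaviour an allow-list should have.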
GeorgianaElena changed the title from "[CILogon] Instructions of what allowed_idps dict keys should be not true for Google" to "[CILogon] Instructions of what allowed_idps dict keys should be, are false for Google" on Jun 15, 2022.
choldgraf changed the title from "[CILogon] Instructions of what allowed_idps dict keys should be, are false for Google" to "[CILogon] Instructions for CILogon with Google OAuth use new Google API for oid, but CILogon uses an old OAuth API" on Jun 15, 2022.

terrencegf commented Jun 24, 2022

https://test.cilogon.org has been updated so that the entityID values reported by https://test.cilogon.org/idplist/ match the "idp" claim returned by the OAuth2/OIDC "userinfo" endpoint. See the upstream issue for details.

https://cilogon.org should be updated mid-July.

terrencegf commented

The update has been deployed to https://cilogon.org . Please contact [email protected] if the update does not solve this issue.

GeorgianaElena (Member, Author) commented


ncsa/oa4mp#45 has been fixed, so closing this one too! Thanks @terrencegf !
