sources/oauth: fix oidc well-known parsing (#7248)

This commit is contained in:
Jens L 2023-10-20 20:37:52 +02:00 committed by GitHub
parent cc781cad00
commit 7e213f3ca6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 10 deletions

View file

@ -71,15 +71,12 @@ class OAuthSourceSerializer(SourceSerializer):
text = exc.response.text if exc.response else str(exc)
raise ValidationError({"oidc_well_known_url": text})
config = well_known_config.json()
try:
attrs["authorization_url"] = config["authorization_endpoint"]
attrs["access_token_url"] = config["token_endpoint"]
attrs["profile_url"] = config["userinfo_endpoint"]
inferred_oidc_jwks_url = config["jwks_uri"]
except (IndexError, KeyError) as exc:
raise ValidationError(
{"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
)
if "issuer" not in config:
raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
attrs["authorization_url"] = config.get("authorization_endpoint", "")
attrs["access_token_url"] = config.get("token_endpoint", "")
attrs["profile_url"] = config.get("userinfo_endpoint", "")
inferred_oidc_jwks_url = config.get("jwks_uri", "")
# Prefer user-entered URL to inferred URL to default URL
jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url

View file

@ -38,7 +38,7 @@ def update_well_known_jwks(self: MonitoredTask):
for source_attr, config_key in source_attr_key:
# Check if we're actually changing anything to only
# save when something has changed
if getattr(source, source_attr) != config[config_key]:
if getattr(source, source_attr, "") != config[config_key]:
dirty = True
setattr(source, source_attr, config[config_key])
except (IndexError, KeyError) as exc:

View file

@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
def test_api_validate_openid_connect(self):
"""Test API validation (with OIDC endpoints)"""
openid_config = {
"issuer": "foo",
"authorization_endpoint": "http://mock/oauth/authorize",
"token_endpoint": "http://mock/oauth/token",
"userinfo_endpoint": "http://mock/oauth/userinfo",