Skip to content

Commit

Permalink
Introduce "userdata_from_id_token" toggle
Browse files Browse the repository at this point in the history
  • Loading branch information
benjimin committed Feb 12, 2024
1 parent 37c153e commit 3ce8409
Showing 1 changed file with 27 additions and 7 deletions.
34 changes: 27 additions & 7 deletions oauthenticator/oauth2.py
Original file line number Diff line number Diff line change
Expand Up @@ -360,21 +360,36 @@ def _authorize_url_default(self):
def _token_url_default(self):
return os.environ.get("OAUTH2_TOKEN_URL", "")

userdata_from_id_token = Bool(
False,
config=True,
help="""
Extract user details from an id token received via a request to
:attr:`token_url`, rather than making a follow-up request to the
userinfo endpoint :attr:`userdata_url`.
Should only be used if :attr:`token_url` uses HTTPS, to ensure
token authenticity.
For more context, see `Authentication using the Authorization
Code Flow
<https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth>`_
in the OIDC Core standard document.
""",
)

userdata_url = Unicode(
config=True,
allow_none=True,
help="""
The URL to where this authenticator makes a request to acquire user
details with an access token received via a request to the
:attr:`token_url`.
If this is explicitly set to None, this authenticator will attempt
to instead use an id token if one was provided by the
:attr:`token_url`.
For more context, see the `Protocol Flow section
<https://www.rfc-editor.org/rfc/rfc6749#section-1.2>`_ in the OAuth2
standard document, specifically steps E-F.
Incompatible with :attr:`userdata_from_id_token`.
""",
)

Expand Down Expand Up @@ -869,7 +884,8 @@ async def token_to_user(self, token_info):
Determines who the logged-in user by sending a "GET" request to
:data:`oauthenticator.OAuthenticator.userdata_url` using the `access_token`.
If `userdata_url` is None, checks for an `id_token` instead.
If :data:`oauthenticator.OAuthenticator.userdata_from_id_token` is set then
extracts the corresponding info from an `id_token` instead.
Args:
token_info: the dictionary returned by the token request (exchanging the OAuth code for an Access Token)
Expand All @@ -879,8 +895,12 @@ async def token_to_user(self, token_info):
Called by the :meth:`oauthenticator.OAuthenticator.authenticate`
"""
if self.userdata_url is None:
if self.userdata_from_id_token:
# Use id token instead of exchanging access token with userinfo endpoint.
if self.userdata_url:
raise ValueError(
"Cannot specify both authenticator.userdata_url and authenticator.userdata_from_id_token."
)
id_token = token_info.get("id_token", None)
if not id_token:
raise web.HTTPError(
Expand Down

0 comments on commit 3ce8409

Please sign in to comment.