
auth/backends: Simplify and improve OIDC authentication
Closed, Public

Authored by anlambert on Wed, Mar 25, 1:59 PM.

Details

Summary

While working on T2267, I noticed a couple of improvements could be added to the
OIDC auth backend implementation:

  • there is no need to query the userinfo endpoint of the OIDC server when authenticating, as that information can also be found in the decoded access token
  • use a more reliable access token expiration date (use the exp timestamp in the decoded token)
  • check that the groups claim is present in the decoded token before trying to read it
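As an added illustration of the three points above (example code, not part of this revision or of the swh-web code base): the helpers below work on the claims of an access token that the OIDC library has already signature-verified and decoded, build the user record from them instead of calling userinfo, take the expiration from exp, and treat a missing groups claim as "no groups". The claim values are constructed for the example.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the claims an OIDC provider puts in an access token.
# A real backend gets these from the signature-verified, decoded token.
SAMPLE_CLAIMS = {
    "sub": "9f1c1b2e-0000-4000-8000-000000000000",
    "preferred_username": "jdoe",
    "email": "jdoe@example.org",
    "exp": 1585144800,  # 2020-03-25 14:00:00 UTC, NumericDate per RFC 7519
    # no "groups" claim: the provider only adds it for users with group memberships
}


def token_groups(claims: dict) -> list:
    """Return the groups claim as a list, or [] when the claim is absent.

    Reading claims["groups"] unconditionally raises KeyError for users
    without groups; a wrong type is rejected rather than silently used.
    """
    groups = claims.get("groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("groups claim is not a list of strings")
    return groups


def token_expiration(claims: dict) -> datetime:
    """Return exp as a timezone-aware UTC datetime; exp is mandatory here."""
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("access token has no valid exp claim")
    return datetime.fromtimestamp(exp, tz=timezone.utc)


def is_expired(claims: dict, now: Optional[datetime] = None) -> bool:
    """True when the token's exp is not in the future (no leeway applied)."""
    now = now or datetime.now(timezone.utc)
    return token_expiration(claims) <= now


def user_profile(claims: dict) -> dict:
    """Build the user record from the token claims instead of calling userinfo.

    sub is the stable user identifier and is required; the display fields
    depend on the scopes granted and default to empty strings when absent.
    """
    if "sub" not in claims:
        raise ValueError("access token has no sub claim")
    return {
        "sub": claims["sub"],
        "username": claims.get("preferred_username", ""),
        "email": claims.get("email", ""),
        "groups": token_groups(claims),
        "expires_at": token_expiration(claims),
    }
```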

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

anlambert created this revision. Wed, Mar 25, 1:59 PM
anlambert updated this revision to Diff 10251. Wed, Mar 25, 2:07 PM

Update some comments and docstrings.

ardumont accepted this revision. Thu, Mar 26, 7:07 PM
ardumont added a subscriber: ardumont.

lgtm

This revision is now accepted and ready to land. Thu, Mar 26, 7:07 PM
anlambert updated this revision to Diff 10304. Thu, Mar 26, 9:35 PM

Update: Check that the groups claim is present in the decoded token before trying to read it.

anlambert edited the summary of this revision. Thu, Mar 26, 9:35 PM