
auth/backends: Simplify and improve OIDC authentication
Closed (Public)

Authored by anlambert on Mar 25 2020, 1:59 PM.

Details

Summary

While working on T2267, I noticed a couple of improvements could be added to the
OIDC auth backend implementation:

  • there is no need to query the userinfo endpoint of the OIDC server when authenticating, as that information can also be found in the decoded access token
  • use a more reliable access token expiration date (use exp timestamp in decoded token)
  • check groups claim is present in decoded token before trying to read it
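The three points above, as an added example that is not code from this revision or from the swh-web project: verify the access token's signature, read the user attributes from the decoded claims instead of calling the userinfo endpoint, take the expiration date from the `exp` claim, and tolerate a missing `groups` claim. The example assumes an HS256 token signed with a shared secret (a constructed simplification; a real OIDC server signs with its own keys and the backend should verify against those), and the claim names `preferred_username`, `email`, `groups` and `exp` are the usual OIDC names, not necessarily the ones this backend reads.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; the real backend gets its tokens from the OIDC server.
EXAMPLE_KEY = b"example-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the OIDC server in this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_access_token(token: str, key: bytes) -> dict:
    """Verify the signature and return the decoded claims.

    Claims are trusted only after the signature check; an unverified decode
    would let a caller forge 'groups' or 'exp'.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the expected algorithm rather than letting the token choose it.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def user_from_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Build the authenticated user record from the decoded token alone."""
    claims = decode_access_token(token, key)
    now = time.time() if now is None else now

    # Expiration comes from the token's own 'exp' claim (seconds since epoch).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no exp claim")
    if exp <= now:
        raise ValueError("token expired")

    # The groups claim is optional: check it is present before reading it.
    groups = claims.get("groups")
    if groups is None:
        groups = []
    elif not isinstance(groups, list):
        raise ValueError("groups claim is not a list")

    return {
        "username": claims.get("preferred_username"),
        "email": claims.get("email"),
        "groups": list(groups),
        "expires_at": int(exp),
    }


if __name__ == "__main__":
    # Constructed token: a user with one group, valid for one hour from now.
    token = make_token(
        {"preferred_username": "jdoe", "email": "jdoe@example.org",
         "exp": int(time.time()) + 3600, "groups": ["/staff"]},
        EXAMPLE_KEY,
    )
    print(user_from_token(token, EXAMPLE_KEY))
```

Passing `now` explicitly keeps the expiration check testable; in production it defaults to the current time. A token without `groups` yields an empty list rather than a `KeyError`, which is the failure the last bullet guards against.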

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Update some comments and docstrings.

This revision is now accepted and ready to land. Mar 26 2020, 7:07 PM

Update: Check groups claim is present in decoded token before trying to read it.