diff --git a/swh/auth/django/utils.py b/swh/auth/django/utils.py
--- a/swh/auth/django/utils.py
+++ b/swh/auth/django/utils.py
@@ -80,7 +80,8 @@
 user = oidc_user_from_decoded_token(decoded_token, client_id=oidc_client.client_id)
 # get authentication init datetime
- auth_datetime = datetime.fromtimestamp(decoded_token["auth_time"])
+ auth_time = decoded_token.get("auth_time", decoded_token["iat"])
+ auth_datetime = datetime.fromtimestamp(auth_time)
 exp_datetime = datetime.fromtimestamp(decoded_token["exp"])
 # compute OIDC tokens expiration date
diff --git a/swh/auth/pytest_plugin.py b/swh/auth/pytest_plugin.py
--- a/swh/auth/pytest_plugin.py
+++ b/swh/auth/pytest_plugin.py
@@ -102,13 +102,18 @@
 if userinfo is not None:
 decoded = {**decoded, **userinfo}
 # tweak auth and exp time for tests
- expire_in = decoded["exp"] - decoded["auth_time"]
+ auth_time = decoded.get("auth_time", decoded["iat"])
+ expire_in = decoded["exp"] - auth_time
 if self.exp is not None:
 decoded["exp"] = self.exp
- decoded["auth_time"] = self.exp - expire_in
+ auth_time = self.exp - expire_in
+ decoded["iat"] = auth_time
+ decoded["auth_time"] = auth_time
 else:
- decoded["auth_time"] = int(datetime.now(tz=timezone.utc).timestamp())
- decoded["exp"] = decoded["auth_time"] + expire_in
+ now = int(datetime.now(tz=timezone.utc).timestamp())
+ decoded["iat"] = now
+ decoded["auth_time"] = now
+ decoded["exp"] = now + expire_in
 decoded["groups"] = self.user_groups
 decoded["aud"] = [self.client_id, "account"]
 decoded["azp"] = self.client_id
diff --git a/swh/auth/tests/sample_data.py b/swh/auth/tests/sample_data.py
--- a/swh/auth/tests/sample_data.py
+++ b/swh/auth/tests/sample_data.py
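Review bot: In `swh/auth/django/utils.py`, the default `decoded_token["iat"]` is evaluated before `.get()` runs, so a token that carries `auth_time` but no `iat` now raises `KeyError` where it was accepted before; `auth_time = decoded_token["auth_time"] if "auth_time" in decoded_token else decoded_token["iat"]` avoids that. The fallback also changes what `auth_datetime` means: `iat` is the time this token was issued, which can be later than the user's actual login (for example after a refresh), so whatever the "compute OIDC tokens expiration date" step just below the hunk derives from it may be anchored to the last issuance rather than the authentication. A comment such as `# auth_time is optional; fall back to iat (issue time), which may postdate the login` would make that trade-off visible. The enclosing function starts and ends outside the hunk.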
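Review bot: In `swh/auth/pytest_plugin.py`, both branches still write `decoded["auth_time"]`, so every token this mock produces contains the claim and the `iat` fallback added in `swh/auth/django/utils.py` is never reached through it, as far as these hunks show. Writing the claim only when the input had it, e.g. `if "auth_time" in decoded: decoded["auth_time"] = auth_time` (and the same guard around `decoded["auth_time"] = now` in the `else` branch), would let the sample token without `auth_time` exercise the new path. The enclosing method starts and ends outside the hunk.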
@@ -18,18 +18,19 @@
 "sub": "feacd344-b468-4a65-a236-14f61e6b7200",
 }
+IAT = 1614786418
+EXP = IAT + 300
 # Decoded token (out of the access token)
 DECODED_TOKEN = {
 "jti": "31fc50b7-bbe5-4f51-91ef-8e3eec51331e",
- "exp": 1614787019,
+ "exp": EXP,
 "nbf": 0,
- "iat": 1582723101,
+ "iat": IAT,
 "iss": "http://localhost:8080/auth/realms/SoftwareHeritage",
 "aud": [CLIENT_ID, "account"],
 "typ": "Bearer",
 "azp": CLIENT_ID,
- "auth_time": 1614786418,
 "session_state": "d82b90d1-0a94-4e74-ad66-dd95341c7b6d",
 "acr": "1",
 "allowed-origins": ["*"],
diff --git a/swh/auth/tests/test_keycloak.py b/swh/auth/tests/test_keycloak.py
--- a/swh/auth/tests/test_keycloak.py
+++ b/swh/auth/tests/test_keycloak.py
@@ -82,9 +82,9 @@
 actual_decoded_data2 = copy(actual_decoded_data)
 expected_decoded_token = copy(DECODED_TOKEN)
- for dynamic_valued_key in ["exp", "auth_time"]:
- actual_decoded_data2.pop(dynamic_valued_key)
- expected_decoded_token.pop(dynamic_valued_key)
+ for dynamic_valued_key in ["exp", "iat", "auth_time"]:
+ actual_decoded_data2.pop(dynamic_valued_key, None)
+ expected_decoded_token.pop(dynamic_valued_key, None)
 assert actual_decoded_data2 == expected_decoded_token
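Review bot: In `swh/auth/tests/test_keycloak.py`, `pop(dynamic_valued_key, None)` is now applied to all three keys, so the test no longer fails when `exp` or `iat` is missing from the decoded data, although only `auth_time` became optional in this change. Keeping the strict `pop(key)` in a loop over `["exp", "iat"]` and handling the optional claim separately with `actual_decoded_data2.pop("auth_time", None)` and `expected_decoded_token.pop("auth_time", None)` would preserve the presence check for the mandatory claims. The test function starts outside the hunk.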