
keycloak: Fix issue in authorization_url since python-keycloak 1.8.1
Closed · Public

Authored by anlambert on Jul 15 2022, 3:10 PM.

Details

Summary

The scope and state query parameters in the authorization URL are now
handled by the KeycloakOpenID.auth_url method since the release of
python-keycloak 1.8.1 (see commit and recent build failure).

To keep backward compatibility with older python-keycloak versions, like
the one used in production, while ensuring support for recent ones we need
to ensure scope and state query parameters will be overridden if provided
in extra_params dict.

Before ending up with that fix, I tried to upgrade the custom python3-keycloak
Debian package we are using in production. Unfortunately, it depends on python3-jose 3.3.0
which cannot currently be built for Debian buster as a newer version of python3-ecdsa
is required, the one packaged in buster being too old (see package build log).

Diff Detail

Repository
rDAUTH Common authentication libraries
Branch
python-keycloak-1.8.1-fix
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 30433
Build 47574: Phabricator diff pipeline on jenkins (Jenkins console · Jenkins)
Build 47573: arc lint + arc unit
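
The override behaviour described in the summary, sketched as an added example; this is not the code from this diff or from the swh.auth package. The function names and sample URLs are constructed, and it assumes that newer python-keycloak releases return an authorization URL already carrying `scope` and `state` while older ones do not.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample URLs (hypothetical host, realm and client).
BASE = ("https://auth.example.org/realms/demo/protocol/openid-connect/auth"
        "?client_id=demo-client&response_type=code"
        "&redirect_uri=https%3A%2F%2Fapp.example.org%2Fcallback")
URL_WITHOUT_SCOPE_STATE = BASE                       # assumed older-library shape
URL_WITH_SCOPE_STATE = BASE + "&scope=email&state="  # assumed newer-library shape


def naive_append(url, extra_params):
    """Append extra_params blindly: duplicates keys already in the URL."""
    return url + "&" + urlencode(extra_params)


def override_query_params(url, extra_params):
    """Apply extra_params so that each key appears exactly once in the URL."""
    parts = urlsplit(url)
    # keep_blank_values=True so an empty "state=" is parsed and can be replaced.
    existing = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in existing if k not in extra_params]
    query = urlencode(kept + list(extra_params.items()))
    return urlunsplit(parts._replace(query=query))


def query_values(url, key):
    """Return every value carried for `key` in the URL's query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [v for k, v in pairs if k == key]


if __name__ == "__main__":
    extra = {"scope": "openid", "state": "constructed-state-123"}
    for url in (URL_WITHOUT_SCOPE_STATE, URL_WITH_SCOPE_STATE):
        print(query_values(naive_append(url, extra), "state"),
              query_values(override_query_params(url, extra), "state"))
```

With the naive append, the newer URL shape ends up carrying two `scope` and two `state` values, so which one the server honours depends on its query parser.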

Event Timeline

Build is green

Patch application report for D8125 (id=29355)

Rebasing onto a5b0f4dc8e...

Current branch diff-target is up to date.
Changes applied before test
commit 6bdc229ceecd654f4a4db33ba14cae8466d6f5df
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Fri Jul 15 14:56:18 2022 +0200

    keycloak: Fix issue in authorization_url since python-keycloak 1.8.1
    
    The scope and state query parameters in the authorization URL are now
    handled by the KeycloakOpenID.auth_url method since the release of
    python-keycloak 1.8.1.
    
    To keep backward compatibility with older python-keycloak versions, like
    the one used in production, while ensuring support for recent ones we need
    to ensure scope and state query parameters will be overridden if provided
    in extra_params dict.

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/94/ for more details.

vlorentz added a subscriber: vlorentz.
vlorentz added inline comments.
swh/auth/keycloak.py
96–101

slightly simpler IMO

This revision is now accepted and ready to land. Jul 15 2022, 3:43 PM
swh/auth/keycloak.py
96–101

Right, thanks!

Build is green

Patch application report for D8125 (id=29356)

Rebasing onto a5b0f4dc8e...

Current branch diff-target is up to date.
Changes applied before test
commit 6c85751c2be061a890605e0a6256548f24bcc20f
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Fri Jul 15 14:56:18 2022 +0200

    keycloak: Fix issue in authorization_url since python-keycloak 1.8.1
    
    The scope and state query parameters in the authorization URL are now
    handled by the KeycloakOpenID.auth_url method since the release of
    python-keycloak 1.8.1.
    
    To keep backward compatibility with older python-keycloak versions, like
    the one used in production, while ensuring support for recent ones we need
    to ensure scope and state query parameters will be overridden if provided
    in extra_params dict.

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/95/ for more details.