Page Menu
Home
Software Heritage
Search
Configure Global Search
Log In
Files
F7066661
D8125.id29355.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
2 KB
Subscribers
None
D8125.id29355.diff
View Options
diff --git a/swh/auth/keycloak.py b/swh/auth/keycloak.py
--- a/swh/auth/keycloak.py
+++ b/swh/auth/keycloak.py
@@ -1,11 +1,11 @@
-# Copyright (C) 2020-2021 The Software Heritage developers
+# Copyright (C) 2020-2022 The Software Heritage developers
# See the AUTHORS file at the top-level directory of this distribution
# License: GNU Affero General Public License version 3, or any later version
# See top-level LICENSE file for more information
import json
from typing import Any, Dict, Optional
-from urllib.parse import urlencode
+from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
# add ExpiredSignatureError alias to avoid leaking jose import
# in swh-auth client code
@@ -87,8 +87,19 @@
authorization URL
"""
auth_url = self._keycloak.auth_url(redirect_uri)
- if extra_params:
- auth_url += "&%s" % urlencode(extra_params)
+ # scope and state query parameters are now handled by auth_url method
+ # since python-keycloak 1.8.1,
+ # code below ensures those will be overridden if provided in extra_params
+ # TODO: remove that code and pass scope and state params to auth_url method
+ # once we use python-keycloak >= 1.8.1 in production
+ parsed_auth_url = urlparse(auth_url)
+ auth_url_qs = parse_qs(parsed_auth_url.query)
+ extra_params_qs = {k: [v] for k, v in extra_params.items()}
+ auth_url = urlunparse(
+ parsed_auth_url._replace(
+ query=urlencode({**auth_url_qs, **extra_params_qs}, doseq=True)
+ )
+ )
return auth_url
def authorization_code(
diff --git a/swh/auth/tests/test_keycloak.py b/swh/auth/tests/test_keycloak.py
--- a/swh/auth/tests/test_keycloak.py
+++ b/swh/auth/tests/test_keycloak.py
@@ -31,7 +31,9 @@
def test_keycloak_oidc_authorization_url(keycloak_oidc):
- actual_auth_uri = keycloak_oidc.authorization_url("http://redirect-uri", foo="bar")
+ actual_auth_uri = keycloak_oidc.authorization_url(
+ "http://redirect-uri", scope="openid", state="some-state", foo="bar"
+ )
expected_auth_url = keycloak_oidc.well_known()["authorization_endpoint"]
parsed_result = urlparse(actual_auth_uri)
@@ -43,6 +45,8 @@
"response_type": ["code"],
"redirect_uri": ["http://redirect-uri"],
"foo": ["bar"],
+ "scope": ["openid"],
+ "state": ["some-state"],
}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Nov 5 2024, 5:42 PM (11 w, 15 h ago)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3227689
Attached To
D8125: keycloak: Fix issue in authorization_url since python-keycloak 1.8.1
Event Timeline
Log In to Comment