fix(sso): adapt to authlib 1.0.0 behaviour

A undocumented change[1] in authlib 1.0.0.

[1] authlib/authlib#400

Author: klausenbusk

test/test_sso.py

@@ -18,6 +18,7 @@
 from tracker.view.login import LOGIN_ERROR_MISSING_EMAIL_FROM_TOKEN
 from tracker.view.login import LOGIN_ERROR_MISSING_GROUPS_FROM_TOKEN
 from tracker.view.login import LOGIN_ERROR_MISSING_USER_SUB_FROM_TOKEN
+from tracker.view.login import LOGIN_ERROR_MISSING_USERINFO_FROM_TOKEN
 from tracker.view.login import LOGIN_ERROR_MISSING_USERNAME_FROM_TOKEN
 from tracker.view.login import LOGIN_ERROR_PERMISSION_DENIED
 from tracker.view.login import \
@@ -34,20 +35,23 @@
 
 class MockedIdp(object):
     def __init__(self, username=TESTINGNAME, email=DEFAULTEMAIL, sub=TESTINGSUB, groups=["Administrator"],
-                 verified=True, throws=None):
+                 verified=True, throws=None, has_userinfo=True):
         self.email = email
         self.sub = sub
         self.groups = groups
         self.verified = verified
         self.username = username
         self.throws = throws
+        self.has_userinfo = has_userinfo
 
     def authorize_access_token(self):
         if self.throws:
             raise self.throws
-        return "Schinken"
+        if self.has_userinfo:
+            return {'userinfo': self.parse_id_token(None, None)}
+        return {}
 
-    def parse_id_token(self, token):
+    def parse_id_token(self, token, nonce, claims_options=None, leeway=120):
         token = {}
         if self.sub is not None:
             token["sub"] = self.sub
@@ -147,6 +151,15 @@ def test_permission_denied_lack_of_group(app, db):
         assert not current_user.is_authenticated
         assert not User.query.all()
 
+@patch('tracker.oauth.idp', MockedIdp(has_userinfo=False), create=True)
+def test_missing_userinfo_from_token(app, db):
+    with app.test_request_context('/login'):
+        result = sso_auth()
+        assert BadRequest.code == result.status_code
+        assert LOGIN_ERROR_MISSING_USERINFO_FROM_TOKEN in result.data.decode()
+
+        assert not current_user.is_authenticated
+        assert not User.query.all()
 
 @patch('tracker.oauth.idp', MockedIdp(sub=None), create=True)
 def test_missing_sub_from_token(app, db):

tracker/view/login.py

@@ -34,6 +34,7 @@
 LOGIN_ERROR_MISSING_EMAIL_FROM_TOKEN = "Missing email address from token"
 LOGIN_ERROR_MISSING_USERNAME_FROM_TOKEN = "Missing username from token"
 LOGIN_ERROR_MISSING_GROUPS_FROM_TOKEN = "Missing groups from token"
+LOGIN_ERROR_MISSING_USERINFO_FROM_TOKEN = "Missing userinfo from token"
 
 
 @tracker.route('/login', methods=['GET', 'POST'])
@@ -86,27 +87,30 @@ def logout():
 def sso_auth():
     try:
         token = oauth.idp.authorize_access_token()
-        parsed_token = oauth.idp.parse_id_token(token)
     except AuthlibBaseError as e:
         return bad_request(f'{e.description}')
 
-    idp_user_sub = parsed_token.get('sub')
+    userinfo = token.get('userinfo')
+    if not userinfo:
+        return bad_request(LOGIN_ERROR_MISSING_USERINFO_FROM_TOKEN)
+
+    idp_user_sub = userinfo.get('sub')
     if not idp_user_sub:
         return bad_request(LOGIN_ERROR_MISSING_USER_SUB_FROM_TOKEN)
 
-    idp_email_verified = parsed_token.get('email_verified')
+    idp_email_verified = userinfo.get('email_verified')
     if not idp_email_verified:
         return forbidden(LOGIN_ERROR_EMAIL_ADDRESS_NOT_VERIFIED)
 
-    idp_email = parsed_token.get('email')
+    idp_email = userinfo.get('email')
     if not idp_email:
         return bad_request(LOGIN_ERROR_MISSING_EMAIL_FROM_TOKEN)
 
-    idp_username = parsed_token.get('preferred_username')
+    idp_username = userinfo.get('preferred_username')
     if not idp_username:
         return bad_request(LOGIN_ERROR_MISSING_USERNAME_FROM_TOKEN)
 
-    idp_groups = parsed_token.get('groups')
+    idp_groups = userinfo.get('groups')
     if idp_groups is None:
         return bad_request(LOGIN_ERROR_MISSING_GROUPS_FROM_TOKEN)