Merge PR #579 into 14.0

Signed-off-by sbidoul
OCA · Dec 4, 2023 · 5834366 · 5834366
2 parents 22dd7cc + b84b737
commit 5834366
Show file tree

Hide file tree

Showing 7 changed files with 320 additions and 17 deletions.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "14.0.1.0.2",
+    "version": "14.0.1.1.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
@@ -11,6 +11,7 @@
 
 try:
     from jose import jwt
+    from jose.exceptions import JWSError, JWTError
 except ImportError:
     logging.getLogger(__name__).debug("jose library not installed")
 
@@ -47,14 +48,18 @@ class AuthOauthProvider(models.Model):
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
 
     @tools.ormcache("self.jwks_uri", "kid")
-    def _get_key(self, kid):
+    def _get_keys(self, kid):
         r = requests.get(self.jwks_uri)
         r.raise_for_status()
         response = r.json()
-        for key in response["keys"]:
-            if key["kid"] == kid:
-                return key
-        return {}
+        # the keys returned here should follow
+        # JWS Notes on Key Selection
+        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
+        return [
+            key
+            for key in response["keys"]
+            if kid is None or key.get("kid", None) == kid
+        ]
 
     def _map_token_values(self, res):
         if self.token_map:
@@ -68,15 +73,34 @@ def _parse_id_token(self, id_token, access_token):
         self.ensure_one()
         res = {}
         header = jwt.get_unverified_header(id_token)
-        res.update(
-            jwt.decode(
-                id_token,
-                self._get_key(header.get("kid")),
-                algorithms=["RS256"],
-                audience=self.client_id,
-                access_token=access_token,
-            )
-        )
-
+        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
         res.update(self._map_token_values(res))
         return res
+
+    def _decode_id_token(self, access_token, id_token, kid):
+        keys = self._get_keys(kid)
+        if len(keys) > 1 and kid is None:
+            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
+            # If there are multiple keys in the referenced JWK Set document, a kid
+            # value MUST be provided in the JOSE Header.
+            raise JWTError(
+                "OpenID Connect requires kid to be set if there is more"
+                " than one key in the JWKS"
+            )
+        error = None
+        # we accept multiple keys with the same kid in case a key gets rotated.
+        for key in keys:
+            try:
+                values = jwt.decode(
+                    id_token,
+                    key,
+                    algorithms=["RS256"],
+                    audience=self.client_id,
+                    access_token=access_token,
+                )
+                return values
+            except (JWTError, JWSError) as e:
+                error = e
+        if error:
+            raise error
+        return {}
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
@@ -64,7 +64,12 @@ def auth_oauth(self, provider, params):
             raise AccessDenied()
         validation = oauth_provider._parse_id_token(id_token, access_token)
         # required check
-        if not validation.get("user_id"):
+        if "sub" in validation and "user_id" not in validation:
+            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
+            # claim:
+            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+            validation["user_id"] = validation["sub"]
+        elif not validation.get("user_id"):
             _logger.error("user_id claim not found in id_token (after mapping).")
             raise AccessDenied()
         # retrieve and sign in user

diff --git a/auth_oidc/readme/CONTRIBUTORS.rst b/auth_oidc/readme/CONTRIBUTORS.rst
@@ -1,2 +1,3 @@
 * Alexandre Fayolle <[email protected]>
 * Stéphane Bidoul <[email protected]>
+* Andreas Perhab <[email protected]>
diff --git a/auth_oidc/readme/HISTORY.rst b/auth_oidc/readme/HISTORY.rst
@@ -1,3 +1,18 @@
+14.0.1.1.0 2023-11-22
+~~~~~~~~~~~~~~~~~~~~~
+
+* Forward port OpenID Connect fixes from 13.0 to 14.0
+
+14.0.1.0.2 2022-03-14
+~~~~~~~~~~~~~~~~~~~~~
+
+* Fix werkzeug deprecated warning for url_encode, url decode
+
+14.0.1.0.1 2022-01-17
+~~~~~~~~~~~~~~~~~~~~~
+
+* Updated readme and pot
+
 14.0.1.0.0 2021-12-10
 ~~~~~~~~~~~~~~~~~~~~~