Fix role mapping in oauth2 authentication #4715

Open
wants to merge 2 commits into
base: main

pinmarva
Contributor

When logging in with an oauth provider, the default roles (admin, operator and read-only) are not assigned.
The problem is that the roles are not obtained from the OAUTH2_USER_API_URL. They are obtained from the id_token.

It is mandatory to add the "Authorization" header of the oidc2 providers to obtain the user's information.

@coveralls

Coverage Status

coverage: 75.289%. remained the same
when pulling 99b183d on pinmarva:fix_oauth2_login
into 96c66ca on Netflix:main.

if current_app.config.get("PING_INCLUDE_BEARER_TOKEN"):
if current_app.config.get("PING_INCLUDE_BEARER_TOKEN") and "ping" in current_app.config.get("ACTIVE_PROVIDERS"):
headers = {"Authorization": f"Bearer {access_token}"}
else:
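
Review bot: the added test "ping" in current_app.config.get("ACTIVE_PROVIDERS") raises TypeError when ACTIVE_PROVIDERS is unset and PING_INCLUDE_BEARER_TOKEN is truthy, because .get() returns None and the membership test is then evaluated against None; current_app.config.get("ACTIVE_PROVIDERS", []) avoids that. The condition also checks whether ping is enabled in configuration, not whether the login being processed is a ping login, so with more than one active provider it cannot tell which one the request belongs to; branching on the provider of the current request would make the intent explicit. The body of the else branch is not visible in this hunk, so the PR description should state which header each branch ends up sending.
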
Contributor

The if and else blocks are the same, headers = {"Authorization": f"Bearer {access_token}"}, which seems incorrect. Not sure what code change you were going for. Could you correct it with the intended change?

Contributor Author

Sorry for the delay @charhate.
Apparently, the Authorization header is omitted in the PING provider when PING_INCLUDE_BEARER_TOKEN is False or is omitted.
But for the oauth2 provider, the Authorization header is mandatory.
