Check Access Token for OIDC_GROUPS_ATTRIBUTE

[hahahannes]

Hi!

Thanks a lot for this plugin! I was trying it with my OAuth IP and in my specific case the attribute (OIDC_GROUPS_ATTRIBUTE) is part of the access token and not of the user token. I made some modifications in the code to check the access token as well. Are you interested in PR? I could also add a plugin but I was thinking that this use case might be common enough to include in the main code.

[NeroBlackstone]

This problem still exists in the latest version 3.0.

[kharkevich]

@NeroBlackstone could you please provide your token details, right now all information about the user retrieved from id token and normally it should be enough to recognize the user
https://github.com/data-platform-hq/mlflow-oidc-auth/blob/main/mlflow_oidc_auth/views/authentication.py#L29

[hahahannes]

I think he has a similar use case as me where the group is specified in the access token but not in the id token?

[NeroBlackstone]

Yes, as @hahahannes said, some Oauth2 providers do not return the groups field in the id token like gitlab.

And for GitLab, if the user does not join any group, both id token and userinfo will not have groups.

Then if you connect to GitLab's OAuth2, a 500 error will occur when access the callback URL because the groups field is not provided in both id token and userinfo:

Traceback (most recent call last):
  File "/home/gaowanxiang/.local/share/pipx/venvs/mlflow/lib/python3.12/site-packages/flask/app.py", line 1511, in wsgi_app
    response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gaowanxiang/.local/share/pipx/venvs/mlflow/lib/python3.12/site-packages/flask/app.py", line 919, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gaowanxiang/.local/share/pipx/venvs/mlflow/lib/python3.12/site-packages/flask/app.py", line 917, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gaowanxiang/.local/share/pipx/venvs/mlflow/lib/python3.12/site-packages/flask/app.py", line 902, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/gaowanxiang/.local/share/pipx/venvs/mlflow/lib/python3.12/site-packages/mlflow_oidc_auth/views/authentication.py", line 47, in callback
    user_groups = token["userinfo"][config.OIDC_GROUPS_ATTRIBUTE]
                  ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'groups'

Obviously, no key "groups" in dict token["userinfo"] since no groups in id token payload and userinfo.