[12.0] auth_oidc: fixes #436

Merged
merged 3 commits into from
Nov 16, 2023

Conversation

ap-wtioit
Contributor

@ap-wtioit ap-wtioit commented Nov 3, 2022

  • enable handling Open ID Connect without a custom mapping in Odoo
  • enable handling Open ID Connect ID Tokens without key id

We are running this code for a few months on our servers now, so it was time to try to contribute back. The plan is to forward port it to 13.0, 14.0, 15.0, 16.0 (as we are running it for those versions too).

Info @wt-io-it

@OCA-git-bot
Contributor

Hi @sbidoul,
some modules you are maintaining are being modified, check this out!

@ap-wtioit
Contributor Author

Tests failing for travis_install_nightly because somehow they are still running with python3.5 and pylint-plugin-utils requires: Python >=3.6.2:

DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.

DEPRECATION: Python 3.5 reached the end of its life on September 13th, 2020. Please upgrade your Python as Python 3.5 is no longer maintained. pip 21.0 will drop support for Python 3.5 in January 2021. pip 21.0 will remove support for this functionality.

ERROR: Could not find a version that satisfies the requirement pylint-plugin-utils==0.7 (from -r /home/travis/maintainer-quality-tools/travis/pylint_odoo_requirements.txt (line 1)) (from versions: 0.1, 0.1.1, 0.2, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.6, 0.3, 0.4, 0.5, 0.6)

ERROR: No matching distribution found for pylint-plugin-utils==0.7 (from -r /home/travis/maintainer-quality-tools/travis/pylint_odoo_requirements.txt (line 1))

The command "travis_install_nightly" failed and exited with 1 during .

@ap-wtioit ap-wtioit changed the title from "12.0 auth OIDC fixes" to "[12.0] auth_oidc: fixes" Nov 3, 2022
nicomacr pushed a commit to adhoc-dev/server-auth that referenced this pull request Nov 3, 2022
* Add module auth_signup_verify_email.

* Import module following guidelines.

* README typos.

* OCA Transbot updated translations from Transifex

* Credit creator.

* author name correction

* [9.0][MIG][auth_signup_verify_email] Migration.

Migrate to v9.

* [FIX] auth_signup_verify_email: Python library requirement

* Add tests, fix xml tags, fix credits.

* Fix test.
nicomacr pushed a commit to adhoc-dev/server-auth that referenced this pull request Nov 3, 2022
@sbidoul
Member

sbidoul commented Nov 3, 2022

Trying to fix ci in #438

Member

@sbidoul sbidoul left a comment

Thanks for this contrib. I've a couple of questions.

12.0.2.0.0 2022-11-03
~~~~~~~~~~~~~~~~~~~~~

* Fix handling OpenID Connect responses without custom mapping
Member

Suggested change
* Fix handling OpenID Connect responses without custom mapping
* Fix handling OpenID Connect responses without custom mapping by using the ``sub`` claim as user id

Contributor Author

thanks, added

~~~~~~~~~~~~~~~~~~~~~

* Fix handling OpenID Connect responses without custom mapping
* Fix handling OpenID Connect ID Tokens without key ids
Member

I'm not sure what that means. Do you have a link to the standard that talks about this?

Contributor Author

@ap-wtioit ap-wtioit Nov 4, 2022

When a JWKS has only one key it is not required for the signed ID Token to contain a kid parameter. Before the fix one would get an error like this in this case:

odoo_1                               | 2022-11-04 13:16:12,248 1 ERROR devel odoo.addons.auth_oauth.controllers.main: OAuth2: 'kid' 
odoo_1                               | Traceback (most recent call last):
odoo_1                               |   File "/opt/odoo/custom/src/odoo/odoo/tools/cache.py", line 88, in lookup
odoo_1                               |     r = d[key]
odoo_1                               |   File "/opt/odoo/custom/src/odoo/odoo/tools/func.py", line 69, in wrapper
odoo_1                               |     return func(self, *args, **kwargs)
odoo_1                               |   File "/opt/odoo/custom/src/odoo/odoo/tools/lru.py", line 44, in __getitem__
odoo_1                               |     a = self.d[obj].me
odoo_1                               | KeyError: ('auth.oauth.provider', <function AuthOauthProvider._get_key at 0x7f4d8d0d5950>, 'http://redacted.doodba/redacted/jwks', None)
odoo_1                               | 
odoo_1                               | During handling of the above exception, another exception occurred:
odoo_1                               | 
odoo_1                               | Traceback (most recent call last):
odoo_1                               |   File "/opt/odoo/auto/addons/auth_oauth/controllers/main.py", line 170, in signin
odoo_1                               |     credentials = env['res.users'].sudo().auth_oauth(provider, kw)
odoo_1                               |   File "/opt/odoo/auto/addons/auth_oidc/models/res_users.py", line 65, in auth_oauth
odoo_1                               |     validation = oauth_provider._parse_id_token(id_token, access_token)
odoo_1                               |   File "/opt/odoo/auto/addons/auth_oidc/models/auth_oauth_provider.py", line 75, in _parse_id_token
odoo_1                               |     self._get_key(header.get("kid", None)),
odoo_1                               |   File "<decorator-gen-116>", line 2, in _get_key
odoo_1                               |   File "/opt/odoo/custom/src/odoo/odoo/tools/cache.py", line 93, in lookup
odoo_1                               |     value = d[key] = self.method(*args, **kwargs)
odoo_1                               |   File "/opt/odoo/auto/addons/auth_oidc/models/auth_oauth_provider.py", line 55, in _get_key
odoo_1                               |     if key["kid"] == kid:
odoo_1                               | KeyError: 'kid'
odoo_1                               | 2022-11-04 13:16:12,250 1 INFO devel werkzeug: 172.16.3.129 - - [04/Nov/2022 13:16:12] "GET /auth_oauth/signin?code=redacted&state=redacted HTTP/1.0" 303 - 2 0.001 0.362

I updated the fix to handle only the case where an ID Token without kid in header is used with a JWKS that contains a single key.

from OpenID Connect Core Section 10.1

If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header

)

error = None
for key in self._get_keys(header.get("kid")):
Member

Do you have link to the spec that shows that kid can contain a list?
I don't find that in https://openid.net/specs/openid-connect-core-1_0.html for instance.

Contributor Author

@ap-wtioit ap-wtioit Nov 4, 2022

I interpreted the following:

If there are multiple keys in the referenced JWK Set document, a kid value MUST be provided in the JOSE Header

from OpenID Connect Core Section 10.1

As the kid is optional. And missed the as long as there is only one key in the JWK Set (jwks_uri) part. So with your question in mind, it should be unique and not a list. (And our current provider implementation is wrong.) I will update the merge request.

Contributor Author

I updated the commit to only handle cases for JWKS with a single key.

Contributor Author

Well, as I started checking our implementation of JWK, I checked the docs again.

OpenID ID Token Validation
Would be our starting point.
Step 6:

If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.

Would be the one that defines we MUST validate the signature according to JWS

JWS Note on Key Selection
Defines which keys should be considered.
Step 2:

Filter the set of collected keys. For instance, some applications will use only keys referenced by "kid" (key ID) or "x5t" (X.509 certificate SHA-1 thumbprint) parameters. If the application uses the "alg" (algorithm), "use" (public key use), or "key_ops" (key operations) parameters, keys with inappropriate values of those parameters would be excluded. Additionally, keys might be filtered to include or exclude keys with certain other member values in an application specific manner. For some applications, no filtering will be applied.

And the following sections all sound like we should allow multiple keys (so the initial for loop was more correct than the current implementation)

So it seems for OpenID Connect:

  • when no kid is specified in ID Token, the JWKS can only contain one key (According to the OpenID Connect Spec)
  • when kid is specified in ID Token we need to find the matching Key from JWKS because there can be multiple keys for the same kid. The note at the end of JWS Note on Key Selection explicitly allows the behaviour of checking the signature against all keys with the same kid:

Note that it is reasonable for some applications to perform signature
or MAC validation prior to making a trust decision about a key, since
keys for which the validation fails need no trust decision.

As JWS only specifies key selection I would conclude that if the ID Token gives no kid it is just a missing hint for the correct key, so it should still be allowed to have an ID Token without a kid and a JWKS with a single key that has a kid and validate against it.
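The key-selection rule argued for in the comment above (OpenID Connect Core 10.1 for a header without kid, the JWS key-selection note for trying every key that shares a kid), as an added stand-alone example that is not code from this pull request or from the auth_oidc module. It uses HS256 with symmetric `oct` JWKs purely so it runs on the Python standard library; the selection logic is identical for RSA or EC keys, only the signature check differs. The JWKS entries, claims and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(data: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def select_keys(jwks: dict, kid):
    """Return the JWK candidates for an ID Token whose header carries `kid`.

    OpenID Connect Core 10.1: if the JWK Set holds more than one key, the JOSE
    header MUST contain a kid. So with no kid we only accept a single-key set,
    and we use that key whether or not it advertises a kid of its own.
    With a kid, every key sharing it is a candidate (RFC 7515 key selection
    note: validating the signature against each one is acceptable).
    """
    keys = jwks.get("keys", [])
    if kid is None:
        if len(keys) != 1:
            raise ValueError("ID Token has no kid but JWKS has %d keys" % len(keys))
        return list(keys)
    candidates = [k for k in keys if k.get("kid") == kid]
    if not candidates:
        raise ValueError("no key with kid %r in JWKS" % kid)
    return candidates


def verify_id_token(id_token: str, jwks: dict) -> dict:
    """Validate a compact-serialised HS256 ID Token and return its claims."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    signature = _b64url_decode(sig_b64)
    for key in select_keys(jwks, header.get("kid")):
        # A key of another type or alg is never tried, whatever its kid says.
        if key.get("kty") != "oct" or key.get("alg", "HS256") != "HS256":
            continue
        expected = hmac.new(_b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            return json.loads(_b64url_decode(payload_b64))
    raise ValueError("ID Token signature did not verify against any candidate key")


def try_verify(id_token: str, jwks: dict):
    """Claims on success, None when the token is rejected for any reason."""
    try:
        return verify_id_token(id_token, jwks)
    except ValueError:
        return None


def make_id_token(claims: dict, key: dict, kid=None) -> str:
    """Build a constructed HS256 ID Token; kid is omitted from the header when None."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    sig = hmac.new(_b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, _b64url_encode(sig))


# Constructed sample material, not from any real provider.
KEY_A = {"kty": "oct", "kid": "a", "alg": "HS256", "k": _b64url_encode(b"secret-a" * 4)}
KEY_B = {"kty": "oct", "kid": "a", "alg": "HS256", "k": _b64url_encode(b"secret-b" * 4)}
SINGLE_KEY_JWKS = {"keys": [KEY_A]}          # no-kid tokens are acceptable here
DUPLICATE_KID_JWKS = {"keys": [KEY_A, KEY_B]}  # two keys share kid "a"
CLAIMS = {"iss": "https://idp.example", "sub": "user-123", "aud": "odoo"}

if __name__ == "__main__":
    print(try_verify(make_id_token(CLAIMS, KEY_A), SINGLE_KEY_JWKS))          # claims
    print(try_verify(make_id_token(CLAIMS, KEY_A), DUPLICATE_KID_JWKS))       # None: no kid, 2 keys
    print(try_verify(make_id_token(CLAIMS, KEY_B, kid="a"), DUPLICATE_KID_JWKS))  # claims via 2nd key
```

The no-kid branch rejects a multi-key JWKS instead of guessing a key, which is the point of the OpenID Connect rule; the kid branch tries each key sharing the kid but only after filtering on key type and algorithm, so a kid match alone never selects a key of the wrong kind.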

if "sub" in validation and not "user_id" in validation:
# set user_id for auth_oauth, user_id is not an OpenID Connect standard claim:
# https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
validation["user_id"] = validation["sub"]
Member

This looks like a useful improvement, thanks.

@ap-wtioit ap-wtioit force-pushed the 12.0-auth_oidc_fixes branch 2 times, most recently from 2a53bdf to a622a40 November 4, 2022 13:18
return key

Member

I think it would be easier to read (by me at least :) if it was if kid is None: return somekey else: return key["kid"].

And, do you have a standard reference that says which key should be used in that case? Here you take the "first" one. But why the first?

Contributor Author

Well, no, I do not take the first one. I only take the key that has no kid specified. As this is only allowed when only one key is specified in the JWKS it should be also the first (and last) one.

Your proposed code would get rid of the check that if ID Token has no kid specified in header the JWKS also needs to have no kid specified for the key.

Contributor Author

As per my findings in #436 (comment) I would roll back the rollback of the for loop (so we have a _get_keys() again).

And I would also change the code so an ID Token without a kid can match a single key in JWKS.

@sbidoul Let me know if this approach looks good to you.

Member

Yes, sounds good, thanks!

@ap-wtioit ap-wtioit marked this pull request as draft November 7, 2022 10:08
@ap-wtioit ap-wtioit force-pushed the 12.0-auth_oidc_fixes branch 3 times, most recently from 4f462fc to 3cb0ab2 November 8, 2022 13:42
@ap-wtioit ap-wtioit marked this pull request as ready for review November 8, 2022 14:34
@hbrunn
Member

hbrunn commented Nov 22, 2022

@ap-wtioit please rebase

@ap-wtioit
Contributor Author

@hbrunn I rebased the pull request.

bruno-zanotti pushed a commit to adhoc-dev/server-auth that referenced this pull request Nov 25, 2022
bruno-zanotti pushed a commit to adhoc-dev/server-auth that referenced this pull request Nov 29, 2022
@hbrunn
Member

hbrunn commented Dec 13, 2022

@sbidoul could you re-review?

aparragithub pushed a commit to AITIC/server-auth that referenced this pull request Dec 30, 2022
em230418 pushed a commit to em230418/server-auth that referenced this pull request Jan 7, 2023
bruno-zanotti pushed a commit to adhoc-dev/server-auth that referenced this pull request Mar 28, 2023
@github-actions

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the "stale" label Apr 16, 2023
@hbrunn
Member

hbrunn commented Apr 17, 2023

@sbidoul can you have another look?

@github-actions github-actions bot removed the "stale" label Apr 23, 2023
bruno-zanotti pushed a commit to adhoc-dev/server-auth that referenced this pull request Jun 13, 2023
@github-actions

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the "stale" label Aug 27, 2023
@ap-wtioit
Contributor Author

@sbidoul do you have some time to review this again?

@hbrunn hbrunn added the "no stale" label and removed the "stale" label Aug 28, 2023
@sbidoul
Member

sbidoul commented Nov 16, 2023

Tests are red due to auth_saml which has a dependency on lasso which is not available on PyPI.
So merging manually, as I don't see an easy way out for lasso.

@sbidoul sbidoul merged commit 092473a into OCA:12.0 Nov 16, 2023
2 of 5 checks passed
augusto-weiss pushed a commit to adhoc-dev/server-auth that referenced this pull request Dec 18, 2023
pedrobaeza pushed a commit to Tecnativa/server-auth that referenced this pull request Aug 23, 2024
JrAdhoc pushed a commit to adhoc-dev/server-auth that referenced this pull request Nov 14, 2024
Labels: approved, no stale

5 participants