Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC token auth #1072

Merged
merged 2 commits into from
May 8, 2024
Merged

OIDC token auth #1072

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f869c58
Add new endpoint for oidc token auth
tomchop May 6, 2024
7aaa425
Adjust error message
tomchop May 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions core/web/apiv2/auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import datetime
import json

from authlib.integrations.starlette_client import OAuth, OAuthError
from fastapi import APIRouter, Depends, HTTPException, Response, Security, status
Expand All @@ -9,6 +10,9 @@
OAuth2PasswordBearer,
OAuth2PasswordRequestForm,
)
from google.auth import exceptions as google_exceptions
from google.auth.transport import requests as google_requests
from google.oauth2 import id_token as google_oauth_id_token
from jose import JWTError, jwt
from starlette.requests import Request

Expand Down Expand Up @@ -179,6 +183,54 @@ async def oidc_callback(request: Request) -> RedirectResponse:
SESSION_STORE.add(access_token)
return response

@router.post("/oidc-callback-token")
async def oidc_api_callback(request: Request):
try:
req_body = await request.body()
id_token = json.loads(req_body)["id_token"]
idinfo = google_oauth_id_token.verify_oauth2_token(
id_token, google_requests.Request()
)
except (google_exceptions.GoogleAuthError, ValueError, KeyError) as error:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=f"Invalid token provided: {error}",
headers={"WWW-Authenticate": "Bearer"},
)

audience_client_ids = set(
yeti_config.get("auth", "oidc_extra_client_audiences", "").split(",")
)
audience_client_ids.add(yeti_config.get("auth", "oidc_client_id"))

if idinfo["aud"] not in audience_client_ids:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token is not intended for this application (audience mismatch)",
headers={"WWW-Authenticate": "Bearer"},
)

user = UserSensitive.find(username=idinfo["email"])
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid user. Please contact your server admin.",
headers={"WWW-Authenticate": "Bearer"},
)

if not user.enabled:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="User account disabled. Please contact your server admin.",
headers={"WWW-Authenticate": "Bearer"},
)

access_token = create_access_token(
data={"sub": user.username, "enabled": user.enabled},
expires_delta=ACCESS_TOKEN_EXPIRE_MINUTES,
)
return {"access_token": access_token, "token_type": "bearer"}


# We only want certain endpoints to be defined depending on the auth module.
if AUTH_MODULE == "local":
Expand Down
Loading