fix openid handler for newer keycloak

rest_tools/server/handler.py

@@ -347,7 +347,7 @@ def initialize(self, oauth_client_id, oauth_client_secret, oauth_client_scope=No
         if oauth_client_scope:
             self.oauth_client_scope = oauth_client_scope.split()
         else:
-            self.oauth_client_scope = ['profile', 'groups']
+            self.oauth_client_scope = ['openid', 'profile', 'groups']
             if oauth_client_secret:
                 self.oauth_client_scope.append('offline_access')
 
@@ -398,6 +398,9 @@ async def get_authenticated_user(
             )
             ret['id_token'] = tornado.escape.json_decode(response.body)
 
+        if ret.get('id_token') and isinstance(ret['id_token'], str):
+            ret['id_token'] = self.auth.validate(ret['id_token'])
+
         try:
             self.auth.validate(ret['access_token'])
         except Exception:

tests/unit_server/rest_handler_test.py

@@ -167,11 +167,12 @@ async def test_openid_login_handler_get_authenticated_user(gen_keys, gen_keys_by
     ret = RestHandlerSetup({'auth': {'openid_url': 'http://foo'}})
     handler.initialize('foo', 'bar', **ret)
 
-    token = auth.create_token('sub', headers={'kid': '123'})
+    access_token = auth.create_token('sub', headers={'kid': '123'})
+    id_token = auth.create_token('sub', headers={'kid': '123'})
 
     user_info = {
-        'id_token': '{"id": "foo"}',
-        'access_token': token,
+        'id_token': id_token,
+        'access_token': access_token,
         'expires_in': 3600,
     }
 
@@ -184,7 +185,9 @@ async def fn(*args, **kwargs):
     handler.get_auth_http_client.return_value.fetch = MagicMock(side_effect=fn)
     state = {}
     ret = await handler.get_authenticated_user('redirect', 'code', state)
-    assert ret == user_info
+    user_info_ret = user_info.copy()
+    user_info_ret['id_token'] = auth.validate(id_token)
+    assert ret == user_info_ret
 
 
 def test_openid_login_handler_encode_decode_state(requests_mock):