diff --git a/rest_tools/server/handler.py b/rest_tools/server/handler.py
index 7d18c6e2..95dea619 100644
--- a/rest_tools/server/handler.py
+++ b/rest_tools/server/handler.py
@@ -347,7 +347,7 @@ def initialize(self, oauth_client_id, oauth_client_secret, oauth_client_scope=No
 if oauth_client_scope:
 self.oauth_client_scope = oauth_client_scope.split()
 else:
- self.oauth_client_scope = ['profile', 'groups']
+ self.oauth_client_scope = ['openid', 'profile', 'groups']
 if oauth_client_secret:
 self.oauth_client_scope.append('offline_access')
@@ -398,6 +398,9 @@ async def get_authenticated_user(
 )
 ret['id_token'] = tornado.escape.json_decode(response.body)
 
+ if ret.get('id_token') and isinstance(ret['id_token'], str):
+ ret['id_token'] = self.auth.validate(ret['id_token'])
+
 try:
 self.auth.validate(ret['access_token'])
 except Exception:
diff --git a/tests/unit_server/rest_handler_test.py b/tests/unit_server/rest_handler_test.py
index a98be2f1..8939f651 100644
--- a/tests/unit_server/rest_handler_test.py
+++ b/tests/unit_server/rest_handler_test.py
@@ -167,11 +167,12 @@ async def test_openid_login_handler_get_authenticated_user(gen_keys, gen_keys_by
 ret = RestHandlerSetup({'auth': {'openid_url': 'http://foo'}})
 handler.initialize('foo', 'bar', **ret)
 
- token = auth.create_token('sub', headers={'kid': '123'})
+ access_token = auth.create_token('sub', headers={'kid': '123'})
+ id_token = auth.create_token('sub', headers={'kid': '123'})
 user_info = {
- 'id_token': '{"id": "foo"}',
- 'access_token': token,
+ 'id_token': id_token,
+ 'access_token': access_token,
 'expires_in': 3600,
 }
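Review bot: The new `'openid'` default is only applied in the `else` branch, so a caller that passes `oauth_client_scope` explicitly without `openid` will get no ID token from the provider and nothing in `initialize` says so, even though `get_authenticated_user` now depends on that token. Either document the requirement on the parameter, e.g. `oauth_client_scope: space-separated scopes; must include 'openid' for the provider to issue an ID token`, or prepend `'openid'` when it is absent from the explicit list. `initialize`'s signature and any docstring start before the hunk.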
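Review bot: `self.auth.validate(ret['id_token'])` applies the same generic validation used for the access token just below, but an OIDC ID token also needs its `aud` claim checked against the client id passed to `initialize` and, if a nonce was sent with the authorization request, its `nonce` claim compared with the stored value; whether `self.auth.validate` enforces either is not visible in this hunk, so it should be confirmed or done explicitly after the call. The call also replaces the raw JWT in `ret['id_token']` with its validated claims, which changes the returned shape for callers; `get_authenticated_user` begins outside the hunk and its docstring should state that `id_token` is returned as a validated claims dict, not the compact token. It is also worth noting there that an invalid ID token raises out of the function (unlike the tolerated access-token failure below), since that is the intended outcome for a login flow.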
@@ -184,7 +185,9 @@ async def fn(*args, **kwargs):
 handler.get_auth_http_client.return_value.fetch = MagicMock(side_effect=fn)
 state = {}
 ret = await handler.get_authenticated_user('redirect', 'code', state)
- assert ret == user_info
+ user_info_ret = user_info.copy()
+ user_info_ret['id_token'] = auth.validate(id_token)
+ assert ret == user_info_ret
 
 
 def test_openid_login_handler_encode_decode_state(requests_mock):
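Review bot: `assert ret == user_info_ret` cannot tell which token the handler actually validated, because `id_token` and `access_token` in the earlier hunk are built with identical arguments (`auth.create_token('sub', headers={'kid': '123'})`) and presumably carry the same claims. Giving the ID token a distinct subject, e.g. `id_token = auth.create_token('id-sub', headers={'kid': '123'})`, would make the comparison meaningful. There is also no negative case: a tampered or expired `id_token` should make `get_authenticated_user` raise, and that path is untested.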