Skip to content

Commit

Permalink
fix(plugins): oidc_config_url usage and expired token fix (#1346)
Browse files Browse the repository at this point in the history
  • Loading branch information
@jlahovnik
jlahovnik authored Oct 31, 2024
1 parent 4e7645e commit 5c96977
Show file tree
Hide file tree
Showing 8 changed files with 291 additions and 240 deletions.
10 changes: 5 additions & 5 deletions eodag/config.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -557,11 +557,11 @@ class MetadataPreMapping(TypedDict, total=False):
client_id: str
#: :class:`~eodag.plugins.authentication.openid_connect.OIDCRefreshTokenBase` The OIDC provider's client secret
client_secret: str
#: :class:`~eodag.plugins.authentication.keycloak.KeycloakOIDCPasswordAuth`
#: Base url used in the request to fetch the token
auth_base_uri: str
#: :class:`~eodag.plugins.authentication.keycloak.KeycloakOIDCPasswordAuth` Keycloak realm
realm: str
#: :class:`~eodag.plugins.authentication.openid_connect.OIDCRefreshTokenBase`
#: The OIDC provider's ``.well-known/openid-configuration`` url.
oidc_config_url: str
#: :class:`~eodag.plugins.authentication.openid_connect.OIDCRefreshTokenBase` The OIDC token audiences
allowed_audiences: List[str]
#: :class:`~eodag.plugins.authentication.openid_connect.OIDCAuthorizationCodeFlowAuth`
#: Whether a user consent is needed during the authentication or not
user_consent_needed: str
Expand Down
38 changes: 17 additions & 21 deletions eodag/plugins/authentication/keycloak.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,16 +47,17 @@ class KeycloakOIDCPasswordAuth(OIDCRefreshTokenBase):
:param config: Authentication plugin configuration:
* :attr:`~eodag.config.PluginConfig.type` (``str``) (**mandatory**): KeycloakOIDCPasswordAuth
* :attr:`~eodag.config.PluginConfig.auth_base_uri` (``str``) (**mandatory**): base url
used in the request to fetch the token
* :attr:`~eodag.config.PluginConfig.realm` (``str``) (**mandatory**): keycloak realm
* :attr:`~eodag.config.PluginConfig.oidc_config_url` (``str``) (**mandatory**):
The url to get the OIDC Provider's endpoints
* :attr:`~eodag.config.PluginConfig.client_id` (``str``) (**mandatory**): keycloak client id
* :attr:`~eodag.config.PluginConfig.client_secret` (``str``) (**mandatory**): keycloak
client secret, set to null if no secret is used
* :attr:`~eodag.config.PluginConfig.token_provision` (``str``) (**mandatory**): if the
token should be added to the query string (``qs``) or to the header (``header``)
* :attr:`~eodag.config.PluginConfig.token_qs_key` (``str``): (**mandatory if token_provision=qs**)
key of the param added to the query string
* :attr:`~eodag.config.PluginConfig.allowed_audiences` (``List[str]``) (**mandatory**):
The allowed audiences that have to be present in the user token.
* :attr:`~eodag.config.PluginConfig.auth_error_code` (``int``): which error code is
returned in case of an authentication error
* :attr:`~eodag.config.PluginConfig.ssl_verify` (``bool``): if the ssl certificates
Expand All @@ -71,8 +72,7 @@ class KeycloakOIDCPasswordAuth(OIDCRefreshTokenBase):
...
auth:
plugin: KeycloakOIDCPasswordAuth
auth_base_uri: 'https://somewhere/auth'
realm: 'the-realm'
oidc_config_url: 'https://somewhere/auth/realms/realm/.well-known/openid-configuration'
client_id: 'SOME_ID'
client_secret: '01234-56789'
token_provision: qs
Expand All @@ -88,8 +88,7 @@ class KeycloakOIDCPasswordAuth(OIDCRefreshTokenBase):
...
auth:
plugin: KeycloakOIDCPasswordAuth
auth_base_uri: 'https://somewhere/auth'
realm: 'the-realm'
oidc_config_url: 'https://somewhere/auth/realms/realm/.well-known/openid-configuration'
client_id: 'SOME_ID'
client_secret: '01234-56789'
token_provision: header
Expand All @@ -98,8 +97,12 @@ class KeycloakOIDCPasswordAuth(OIDCRefreshTokenBase):
"""

GRANT_TYPE = "password"
TOKEN_URL_TEMPLATE = "{auth_base_uri}/realms/{realm}/protocol/openid-connect/token"
REQUIRED_PARAMS = ["auth_base_uri", "client_id", "client_secret", "token_provision"]
REQUIRED_PARAMS = [
"oidc_config_url",
"client_id",
"client_secret",
"token_provision",
]

def __init__(self, provider: str, config: PluginConfig) -> None:
super(KeycloakOIDCPasswordAuth, self).__init__(provider, config)
Expand All @@ -120,10 +123,9 @@ def authenticate(self) -> AuthBase:
Makes authentication request
"""
self.validate_config_credentials()
access_token = self._get_access_token()
self.token_info["access_token"] = access_token
self._get_access_token()
return CodeAuthorizedAuth(
self.token_info["access_token"],
self.access_token,
self.config.token_provision,
key=getattr(self.config, "token_qs_key", None),
)
Expand All @@ -139,10 +141,7 @@ def _request_new_token(self) -> Dict[str, Any]:
ssl_verify = getattr(self.config, "ssl_verify", True)
try:
response = self.session.post(
self.TOKEN_URL_TEMPLATE.format(
auth_base_uri=self.config.auth_base_uri.rstrip("/"),
realm=self.config.realm,
),
self.token_endpoint,
data=dict(req_data, **credentials),
headers=USER_AGENT,
timeout=HTTP_REQ_TIMEOUT,
Expand All @@ -161,15 +160,12 @@ def _get_token_with_refresh_token(self) -> Dict[str, str]:
"client_id": self.config.client_id,
"client_secret": self.config.client_secret,
"grant_type": "refresh_token",
"refresh_token": self.token_info["refresh_token"],
"refresh_token": self.refresh_token,
}
ssl_verify = getattr(self.config, "ssl_verify", True)
try:
response = self.session.post(
self.TOKEN_URL_TEMPLATE.format(
auth_base_uri=self.config.auth_base_uri.rstrip("/"),
realm=self.config.realm,
),
self.token_endpoint,
data=req_data,
headers=USER_AGENT,
timeout=HTTP_REQ_TIMEOUT,
Expand Down
Loading

0 comments on commit 5c96977

Please sign in to comment.