dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

get_oauth_user_info seems to parse the wrong field #1638

Closed melazarus closed 10 months ago

melazarus commented 3 years ago

Environment

I'm using Airflow 2.0.2 with Flask-Appbuilder version 3.2.3

pip freeze output: Flask==1.1.2 Flask-AppBuilder==3.2.3 Flask-Babel==1.0.0 Flask-Caching==1.10.1 Flask-JWT-Extended==3.25.1 Flask-Login==0.4.1 Flask-OpenID==1.2.5 Flask-SQLAlchemy==2.5.1 Flask-WTF==0.14.3

The issue:

def get_oauth_user_info in manager.py, section if provider == "azure", seems to look in the "id_token" for a "upn" value. When debugging I noticed that there is no upn value in the id_token dict, but at the same time there is an access_token dict which has the "upn" value.

dpgaspar commented 3 years ago

@melazarus,

Thank you for reporting this. Can you provide a sanitised debug log chunk that contains the output from https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L597

melazarus commented 3 years ago

Sure, if I have sanitised too much let me know. I have tested locally by exchanging the id_token with the access_token and that seems to work; I can create a pull request if you like.

Here is the debug output you asked for:

airflow-webserver_1 | [2021-05-11 09:53:29,386] {manager.py:597} DEBUG - Azure response received : { 'token_type': 'Bearer', 'scope': 'email Mail.Read openid profile User.Read', 'expires_in': 3599, 'ext_expires_in': 3599, 'access_token': '<Removed by me, see sanitize decoded version of this JWT string below>_', 'id_token': '<Removed by me, see sanitize decoded version of this JWT string below>_', 'expires_at': 1620730408 }

<--------- access_token decoded value ---------> { "aud": SANITIZED, "iss": "https://sts.windows.net/SANITIZED/", "iat": SANITIZED, "nbf": SANITIZED, "exp": SANITIZED, "acct": 0, "acr": "1", "acrs": [ "urn:user:registersecurityinfo", "urn:microsoft:req1", "urn:microsoft:req2", "urn:microsoft:req3", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "c10", "c11", "c12", "c13", "c14", "c15", "c16", "c17", "c18", "c19", "c20", "c21", "c22", "c23", "c24", "c25" ], "aio": "SANITIZED", "amr": [ "pwd", "mfa" ], "app_displayname": "Airflow IdP AWS v2", "appid": "SANITIZED", "appidacr": "1", "family_name": "SANITIZED", "given_name": "SANITIZED", "idtyp": "user", "ipaddr": "SANITIZED", "name": "SANITIZED", "oid": "SANITIZED", "platf": "3", "puid": "SANITIZED", "rh": "SANITIZED", "scp": "email Mail.Read openid profile User.Read", "signin_state": [ "kmsi" ], "sub": "SANITIZED", "tenant_region_scope": "EU", "tid": "SANITIZED", "unique_name": "SANITIZED", "upn": "SANITIZED", "uti": "SANITIZED", "ver": "1.0", "wids": [ "SANITIZED" ], "xms_st": { "sub": "SANITIZED" }, "xms_tcdt": SANITIZED }

<--------- id_token decoded value ---------> { "aud": "SANITIZED", "iss": "https://login.microsoftonline.com/SANITIZED/v2.0", "iat": SANITIZED, "nbf": SANITIZED, "exp": SANITIZED, "email": "SANITIZED", "name": "SANITIZED", "nonce": "SANITIZED", "oid": "SANITIZED", "preferred_username": "SANITIZED", "rh": "SANITIZED", "sub": "SANITIZED", "tid": "SANITIZED", "uti": "SANITIZED", "ver": "2.0" }

dpgaspar commented 10 months ago

Latest 4.3.9 replaced upn by email but is still using the id_token (#2121).
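To make the difference between the two decoded dumps concrete, here is an added example (not Flask-AppBuilder's code; the function names, the placeholder client id and the constructed tokens are all assumptions made for this illustration). It decodes the claims of each token, shows which username claims each one actually carries (the debugging step from the report), and resolves the login name from the id_token with a fallback chain of upn, preferred_username and email, which covers both v1.0 and v2.0 id_tokens. It deliberately reads identity from the id_token and not from the access_token: the id_token is the token issued to this application (its aud is the app's client id), while the access_token is addressed to the downstream API and the client should not depend on parsing it, even though the upn happens to be visible there in the dump above.

```python
import base64
import json

# Claims that can carry the login name, in preference order: 'upn' (v1.0
# id_tokens), then 'preferred_username' and 'email' (v2.0 id_tokens, as in
# the sanitised dump in this issue).
USERNAME_CLAIMS = ("upn", "preferred_username", "email")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    No signature check is done here: use this only on a token the OAuth client
    library has already validated, which is how the app receives the id_token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    return json.loads(_b64url_decode(parts[1]))


def username_claims_in(token: str) -> list:
    """Which of USERNAME_CLAIMS a token actually carries, in preference order."""
    claims = jwt_claims(token)
    return [name for name in USERNAME_CLAIMS if claims.get(name)]


def azure_username(token_response: dict, client_id: str) -> str:
    """Resolve the login name from the id_token with a claim fallback chain.

    The id_token's 'aud' must be this application's client id; the access_token
    is addressed to the resource API instead, so it is not used for identity.
    """
    claims = jwt_claims(token_response["id_token"])
    if claims.get("aud") != client_id:
        raise ValueError("id_token 'aud' does not match this application")
    for name in USERNAME_CLAIMS:
        if claims.get(name):
            return claims[name]
    raise KeyError("no username claim in id_token; claims present: %s" % sorted(claims))


# --- constructed demo data (placeholders, not the issue's real tokens) -------

def _make_demo_jwt(payload: dict) -> str:
    # Unsigned (alg "none") token so the example runs offline; a real Azure AD
    # token is signed and must be verified by the OAuth client library.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(payload))


DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder app id

# Shape of the v2.0 response from the issue: 'upn' only in the access_token.
DEMO_V2_RESPONSE = {
    "token_type": "Bearer",
    "access_token": _make_demo_jwt({
        "aud": "demo-resource-api", "ver": "1.0", "upn": "alice@example.com"}),
    "id_token": _make_demo_jwt({
        "aud": DEMO_CLIENT_ID, "ver": "2.0",
        "preferred_username": "alice@example.com", "email": "alice@example.com"}),
}

# Shape of a v1.0 id_token, which is what the original 'upn' lookup assumed.
DEMO_V1_RESPONSE = {
    "token_type": "Bearer",
    "id_token": _make_demo_jwt({
        "aud": DEMO_CLIENT_ID, "ver": "1.0", "upn": "bob@example.com"}),
}

if __name__ == "__main__":
    print(username_claims_in(DEMO_V2_RESPONSE["id_token"]))      # ['preferred_username', 'email']
    print(username_claims_in(DEMO_V2_RESPONSE["access_token"]))  # ['upn']
    print(azure_username(DEMO_V2_RESPONSE, DEMO_CLIENT_ID))       # alice@example.com
    print(azure_username(DEMO_V1_RESPONSE, DEMO_CLIENT_ID))       # bob@example.com
```

The aud check is the part worth keeping even if the claim order changes: feeding the access_token into azure_username fails closed instead of silently logging someone in on the basis of a token that was never issued to this application.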