inveniosoftware / invenio-oauthclient

Invenio module that provides OAuth web authorization support.
https://invenio-oauthclient.readthedocs.io
MIT License

cern: lightweight account throws 500 #178

Closed ntarocco closed 5 years ago

ntarocco commented 5 years ago

This change has introduced a bug for lightweight accounts. CERN lightweight accounts do not have a uidNumber, so when logging in you get a stack trace on external_id:

KeyError: 'uidNumber'

invenio_oauthclient/contrib/cern.py in account_info at line 262
```
def account_info(remote, resp):
    """Retrieve remote account information used to find local user."""
    resource = get_resource(remote)
    email = resource['EmailAddress'][0]
    external_id = resource['uidNumber'][0]
```

Example of a login with a lightweight CERN account:

```
[
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/claims/UPN", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/claims/EmailAddress", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/claims/CommonName", "Value": "j34hwtjhtg54g64j646g4" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Value": "CERN Externals" },
  { "Type": "http://schemas.xmlsoap.org/claims/DisplayName", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "Value": "@gmail.com" },
  { "Type": "http://schemas.xmlsoap.org/claims/PersonID", "Value": "-3243534" },
  { "Type": "http://schemas.xmlsoap.org/claims/IdentityClass", "Value": "Unverified External" },
  { "Type": "http://schemas.xmlsoap.org/claims/Federation", "Value": "CERN" },
  { "Type": "http://schemas.xmlsoap.org/claims/AuthLevel", "Value": "Normal" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", "Value": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant", "Value": "2018-10-19T13:53:34.834Z" },
  { "Type": "urn:oauth:scope", "Value": "all" },
  { "Type": "http://schemas.xmlsoap.org/claims/Group", "Value": "All Exchange People" }
]
```

Example of a login with a normal CERN account:

```
[
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "Value": "@cern.ch" },
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "Value": "@cern.ch" },
  { "Type": "http://schemas.xmlsoap.org/claims/UPN", "Value": "@cern.ch" },
  { "Type": "http://schemas.xmlsoap.org/claims/EmailAddress", "Value": "@cern.ch" },
  { "Type": "http://schemas.xmlsoap.org/claims/CommonName", "Value": "" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Value": "CERN Users" },
  { "Type": "http://schemas.xmlsoap.org/claims/DisplayName", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/Building", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/Firstname", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/Lastname", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/Department", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/HomeInstitute", "Value": "CERN" },
  { "Type": "http://schemas.xmlsoap.org/claims/PersonID", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/uidNumber", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/gidNumber", "Value": "" },
  { "Type": "http://schemas.xmlsoap.org/claims/PreferredLanguage", "Value": "EN" },
  { "Type": "http://schemas.xmlsoap.org/claims/IdentityClass", "Value": "CERN Registered" },
  { "Type": "http://schemas.xmlsoap.org/claims/Federation", "Value": "CERN" },
  { "Type": "http://schemas.xmlsoap.org/claims/AuthLevel", "Value": "Normal" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", "Value": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password" },
  { "Type": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant", "Value": "2018-10-19T12:41:25.214Z" },
  { "Type": "urn:oauth:scope", "Value": "all" },
  { "Type": "http://schemas.xmlsoap.org/claims/Group", "Value": "All Exchange People" },
  ... List of e-groups here ...
]
```

This is causing a 500 Internal Server Error.
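
Added example, not part of the original issue or the project's code: one way to read the claims list so that a missing `uidNumber` yields `None` instead of an unhandled `KeyError`, while a missing e-mail still fails in a controlled way. It assumes the resource dict is keyed by the claim type with the `http://schemas.xmlsoap.org/claims/` prefix stripped; `MissingClaimError`, `claims_to_resource`, `first_value`, `account_info_from_claims` and the sample payloads are hypothetical names and constructed data.

```python
from collections import defaultdict

CLAIMS_PREFIX = "http://schemas.xmlsoap.org/claims/"  # prefix seen in the payloads


class MissingClaimError(Exception):
    """Hypothetical error a login handler can turn into a clean rejection."""


def claims_to_resource(claims):
    """Group [{"Type", "Value"}, ...] into {short_claim_name: [values]}."""
    resource = defaultdict(list)
    for claim in claims:
        name = claim["Type"]
        if name.startswith(CLAIMS_PREFIX):
            name = name[len(CLAIMS_PREFIX):]
        resource[name].append(claim["Value"])
    return dict(resource)


def first_value(resource, name, required=True):
    """First non-empty value of a claim; None if optional and absent."""
    values = [v for v in resource.get(name, []) if v]
    if values:
        return values[0]
    if required:
        raise MissingClaimError(name)
    return None


def account_info_from_claims(claims):
    """Extract login fields without assuming every account has uidNumber."""
    resource = claims_to_resource(claims)
    return {
        "email": first_value(resource, "EmailAddress"),
        "external_id": first_value(resource, "uidNumber", required=False),
        "identity_class": first_value(resource, "IdentityClass", required=False),
    }


def _claim(name, value):  # helper for the constructed samples below
    return {"Type": CLAIMS_PREFIX + name, "Value": value}


# Constructed payloads modelled on the two samples (values are made up).
LIGHTWEIGHT = [_claim("EmailAddress", "user@example.org"),
               _claim("IdentityClass", "Unverified External")]
REGISTERED = [_claim("EmailAddress", "user@example.com"),
              _claim("uidNumber", "12345"),
              _claim("IdentityClass", "CERN Registered")]
```

A caller that links local users by `external_id` has to decide explicitly what to do when it is `None`, using `identity_class` to tell unverified external accounts apart.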