lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

keycloak group item is missing from UserInfo class #549

Closed flynn1973 closed 1 year ago

flynn1973 commented 1 year ago

Describe the bug

data from session originates from keycloak

{'exp': 1686052038, 'iat': 1686051738, 'auth_time': 1686051738, 'jti': '53f39860-e50a-46ea-9b98-207277f9840c', 'iss': 'http://lpgaixmgmtlx01.sozvers.at:8989/realms/aix', 'aud': 'flask-oid-test', 'sub': '98fb0c33-d141-4a0d-a344-e118ae3efb91', 'typ': 'ID', 'azp': 'flask-oid-test', 'nonce': 'MrgTvE6BF3gUQiVAsNYO', 'session_state': 'fa213142-b8d1-4969-9c43-0708879efbdc', 'at_hash': 'QIh8_TNx7XBfa9UT1MlpOQ', 'acr': '1', 'sid': 'fa213142-b8d1-4969-9c43-0708879efbdc', 'email_verified': False, 'preferred_username': 'dabatestuser', 'given_name': '', 'family_name': '', 'group': ['dabatestgrp']}

trying to print "user.group" value

Traceback (most recent call last):
  File "/opt/freeware/lib/python3.7/site-packages/werkzeug/middleware/dispatcher.py", line 78, in __call__
    return app(environ, start_response)
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 2552, in __call__
    return self.wsgi_app(environ, start_response)
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 2532, in wsgi_app
    response = self.handle_exception(e)
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 2529, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/freeware/lib/python3.7/site-packages/flask/app.py", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/home/tremch/flask/authlib_keycloak_client_test/frontend/__init__.py", line 74, in index
    print(str(user.group))
  File "/opt/freeware/lib/python3.7/site-packages/authlib/oidc/core/claims.py", line 228, in __getattr__
    raise error
  File "/opt/freeware/lib/python3.7/site-packages/authlib/oidc/core/claims.py", line 224, in __getattr__
    return object.__getattribute__(self, key)
AttributeError: 'UserInfo' object has no attribute 'group'

after adding 'group' to UserInfo class

class UserInfo(dict):
    """The standard claims of a UserInfo object. Defined per `Section 5.1`_.

    .. _`Section 5.1`: http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
    """

    #: registered claims that UserInfo supports
    REGISTERED_CLAIMS = [
        'sub', 'name', 'given_name', 'family_name', 'middle_name', 'nickname',
        'preferred_username', 'profile', 'picture', 'website', 'email',
        'email_verified', 'gender', 'birthdate', 'zoneinfo', 'locale',
        'phone_number', 'phone_number_verified', 'address', 'updated_at', 'group',
    ]

works

root@host: /home/tremch/flask/authlib_keycloak_client_test # /opt/freeware/bin/python3 run.py
Using cacerts from /opt/freeware/lib/python3.7/site-packages/certifi/cacert.pem
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:8700
 * Running on http://172.16.84.106:8700
Press CTRL+C to quit
 * Restarting with stat
Using cacerts from /opt/freeware/lib/python3.7/site-packages/certifi/cacert.pem
 * Debugger is active!
 * Debugger PIN: 240-630-255
['dabatestgrp']
10.133.90.37 - - [06/Jun/2023 14:10:47] "GET / HTTP/1.1" 200 -
['dabatestgrp']
10.133.90.37 - - [06/Jun/2023 14:19:50] "GET / HTTP/1.1" 200 -

flynn1973 commented 1 year ago

oh...just noticed there seems to be some kind of odd "standard" behind what claims/items are allowed or not...so not sure if this is really a bug.

lepture commented 1 year ago

This is not a bug. You can access non-standards via

user.get("groups")
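Added example (not code from authlib or from this thread) showing how to read the non-registered Keycloak group claim safely: the `UserInfo` class below is a minimal stand-in that only models the attribute-access behaviour seen in the traceback, and `user_groups` uses dict access, as lepture suggests, while checking the claim's shape before it is used for an authorization decision. It assumes the claim is named `group`, as in the token above; the name depends on the Keycloak mapper configuration.

```python
from typing import Any, List, Mapping


class UserInfo(dict):
    """Stand-in for authlib's UserInfo (assumption: models only the
    behaviour shown in the traceback; not authlib's real class)."""

    REGISTERED_CLAIMS = ['sub', 'name', 'given_name', 'family_name',
                         'preferred_username', 'email', 'email_verified']

    def __getattr__(self, key):
        # Only registered claims are exposed as attributes; anything else
        # raises, which is why `user.group` failed in the issue.
        if key in self.REGISTERED_CLAIMS:
            return self.get(key)
        raise AttributeError(f"'UserInfo' object has no attribute '{key}'")


def user_groups(user: Mapping[str, Any], claim: str = 'group') -> List[str]:
    """Read the Keycloak group claim with dict access and validate it.

    The claim may be absent, a single string, or a list; a Keycloak mapper
    configured with "full group path" emits names like '/dabatestgrp'.
    Anything else is rejected rather than silently coerced.
    """
    value = user.get(claim)
    if value is None:
        return []
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list) or not all(isinstance(g, str) for g in value):
        raise ValueError(f"claim {claim!r} is not a list of strings: {value!r}")
    return [g.lstrip('/') for g in value]


def is_member(user: Mapping[str, Any], required: str, claim: str = 'group') -> bool:
    """Authorization check: membership is decided only on the validated list."""
    return required in user_groups(user, claim)


# Constructed sample mirroring (a trimmed copy of) the session data in the issue.
SAMPLE = UserInfo({'sub': '98fb0c33-d141-4a0d-a344-e118ae3efb91',
                   'preferred_username': 'dabatestuser',
                   'group': ['dabatestgrp']})

if __name__ == '__main__':
    print(user_groups(SAMPLE))          # ['dabatestgrp']
    print(is_member(SAMPLE, 'admins'))  # False
```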