Closed sdc50 closed 1 year ago
Is this related to #879?
I dug into the history a bit and discovered the change was made in PR #629 with the commit message "Pin pyjwt version as version 2.0 breaks PythonSocialAuth". I'm not sure if that means that it breaks all of PSA or just the custom bits we've added to it. This PR also included adding multi-tenant versions of several PSA backends.
@ezrajrice do you have an environment set up where you could verify this change doesn't cause problems?
PS - @sdc50 this is a prime example of why we need to preserve the history. ;)
I'd like to have @ezrajrice take a look at this as it may impact the multi-tenant auth features.
I'll work on setting up the environment tonight and get back to you in a timely manner. Note though that I currently only have a way to test the OneLogin tenant for MFA.
OS: Ubuntu 22.04
After updating social-auth-core from version 4.0.2 to 4.3.0, I was able to update pyjwt from 1.7.0 to 2.6.0.
I am using the OneLogin MultiTenant configuration for this test and I am getting the error shown below. Not sure what's going on. I'm fairly sure I have it configured in the same way as a working config. The only difference is me trying to use the localhost redirect URLs. Also, I checked the OneLogin logs and they show a successful login to the dev app. It seems to me that there is something on the Tethys side blocking the final authentication.
AuthForbidden at /oauth2/complete/onelogin-oidc/
Your credentials aren't allowed
ERROR Internal Server Error: /oauth2/complete/onelogin-oidc/
Traceback (most recent call last):
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
return func(*args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/oauth.py", line 392, in auth_complete
response = self.request_access_token(
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/open_id_connect.py", line 231, in request_access_token
response = self.get_json(*args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 242, in get_json
return self.request(url, *args, **kwargs).json()
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 238, in request
response.raise_for_status()
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://dynamic-engineers-dev.onelogin.com/oidc/2/token
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 472, in thread_handler
raise exc_info[1]
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/exception.py", line 38, in inner
response = await get_response(request)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
response = await wrapped_callback(request, *callback_args, **callback_kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 435, in __call__
ret = await asyncio.wait_for(future, timeout=None)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
return await fut
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/current_thread_executor.py", line 22, in run
result = self.fn(*self.args, **self.kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 476, in thread_handler
return func(*args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
response = view_func(request, *args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
return view_func(*args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_django/utils.py", line 49, in wrapper
return func(request, backend, *args, **kwargs)
File "/home/ezra/.tethys/tethys4-dev/tethys/tethys_portal/views/psa.py", line 55, in complete
return do_complete(
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
user = backend.complete(user=user, *args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
return self.auth_complete(*args, **kwargs)
File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 252, in wrapper
raise AuthForbidden(args[0])
social_core.exceptions.AuthForbidden: Your credentials aren't allowed
Further investigation suggests that pyjwt isn't in use for the OneLogin backend. Tethys is using python-jose version 3.3.0 which hasn't been updated since Jun 4, 2021. It's possible that this is interfering, but I haven't looked too deep into it. I don't know if the other backends would work, but at the very least, OneLogin seems to be broken with this package upgrade.
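A small triage helper for the chained traceback in the comment above, added here as an example and not part of Tethys or social-core: social_core replaces the real error with a generic AuthForbidden ("Your credentials aren't allowed"), so the helper pulls the failing stage and the HTTP status out of the cause traceback instead. The stage table uses request_access_token from the traceback itself; the other three function names are assumed from social_core's backend API.

```python
import re

# Constructed sample: the chained traceback from the comment above, trimmed to
# the frames that matter (paths shortened to "...").
SAMPLE = """\
Traceback (most recent call last):
  File ".../social_core/backends/open_id_connect.py", line 231, in request_access_token
    response = self.get_json(*args, **kwargs)
  File ".../social_core/backends/base.py", line 238, in request
    response.raise_for_status()
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://dynamic-engineers-dev.onelogin.com/oidc/2/token
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File ".../social_core/utils.py", line 252, in wrapper
    raise AuthForbidden(args[0])
social_core.exceptions.AuthForbidden: Your credentials aren't allowed
"""

FRAME = re.compile(r'File "(?P<path>[^"]+)", line \d+, in (?P<func>\w+)')
HTTP_ERR = re.compile(r"requests\.exceptions\.HTTPError: (\d{3}) .*? for url: (\S+)")
FINAL = re.compile(r"^(?P<exc>[\w.]+(?:Error|Exception|Forbidden)): (?P<msg>.*)$", re.M)

# social_core frame name -> stage of the OIDC authorization-code flow it runs.
# request_access_token is in the traceback above; the other names are assumed
# from social_core's backend API (hypothetical mapping, adjust to your version).
STAGES = {
    "request_access_token": "token endpoint: client authentication / code exchange",
    "validate_and_return_id_token": "id_token verification: signature, iss, aud, nonce",
    "user_data": "userinfo endpoint",
    "auth_allowed": "local allow-list check",
}

def triage(text: str) -> dict:
    """Take the stage and HTTP status from the *cause* traceback and the
    exception the user saw from the last traceback in the chain."""
    cause, _, effect = text.partition("During handling of the above exception")
    effect = effect or cause  # single, unchained traceback
    stage = "unknown"
    for m in FRAME.finditer(cause):
        if "social_core" in m.group("path") and m.group("func") in STAGES:
            stage = STAGES[m.group("func")]  # deepest matching frame wins
    http = HTTP_ERR.search(cause)
    root = f"HTTP {http.group(1)} from {http.group(2)}" if http else None
    finals = FINAL.findall(effect)
    reported = ": ".join(finals[-1]) if finals else "unknown"
    return {"stage": stage, "reported": reported, "root_cause": root}
```

For the pasted traceback this reports the token endpoint as the failing stage with a 401 root cause, i.e. the relying party's client credentials or token-endpoint auth method were rejected before any id_token was ever verified, which separates this failure from a python-jose signature problem.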
Thanks for investigating that @ezrajrice. This is exactly what I feared. If I remember right, OneLogin is the only one that depends on python-jose. I had to roll some things manually for the multi-tenant features, I think. I have a couple of ideas for resolving this:
The issue is I don't know if I'll have time to work on either anytime soon.
@swainn I can try to work on switching from python-jose for OneLogin, but I'll need someone else to confirm that the updates to social-auth-core and pyjwt don't break the other services.
@ezrajrice @sdc50 and I discussed this today during Tethys scrum. I think we have a temporary workaround that should work for both of you:
We are going to merge the unpinned requirement, but add a note to the SSO docs for OneLogin that will describe how to install Tethys with the pyjwt pinned to the version that works for OneLogin.
@sdc50 is also going to open a new issue that references the discussion on this PR and will serve as the driver for the long-term fix. Ultimately, we need to test all of our SSO backends with the newest version of Python Social Auth and fix the ones that are broken.
I can test all of the other backends.
I'm not sure why pyjwt was pinned, but it's preventing other packages (e.g. python-social-core) from updating to the latest version.