Authenticating using Generic provider in panel v1.3.4

[simonaay]

I am unfortunate to share that there's still an issue when authenticating using the generic provider. When I want to extract the access_token using pn.state.access_token, an error occurs when falling into the decode_token(access_token) method where it seems the access_token in my case does not need to be decoded again as it is well received when calling self._decode_cookie('access_token').

In short, the version works well if I comment the last 3 lines of the following method in state.py:

    @property
    def access_token(self) -> str | None:
        """
        Returns the OAuth access_token if enabled.
        """
        if self.user in self._oauth_user_overrides and 'access_token' in self._oauth_user_overrides[self.user]:
            return self._oauth_user_overrides[self.user]['access_token']
        access_token = self._decode_cookie('access_token')
        if not access_token:
            return
        # decoded_token = decode_token(access_token)
        # if decoded_token['exp'] <= dt.datetime.now(dt.timezone.utc).timestamp():
        #     return None
        return access_token

Let me know if I can assist on this. Thank you for the prompt upgrade.

[simonaay]

Hi @philippjfr ,

I was just about to send an update from my side. I will send it anyways and let me know if this got resolved from your side. Thanks.

---

My access token is not the actual access_token but rather the reference of the access_token whereby we are using to request the user info saved in my identity server. The following is an example of my reference access_token received by our identity server: 1lrWfuej74JD5aB8VMxv75I6_FBYzPhCUxF9MOIkg5w

That being said, when received at access_token = self._decode_cookie('access_token') line, we extract it using pn.state.access_token for it to be used as part of a GET request method to call for the user information. The issue lies in the decode_token(access_token) method where it goes through the else statement, where no modification is needed. The underlying error is received upon decoding (utf-8) the reference access_token at the return statement level. One way to resolve this is to be handled before/when going through the commented lines of code. Another way would be to bypass it with the self._oauth_user_overrides argument, but I think this is restricted to be a direct input in the CLI command according to what I understood in the source code. It might not be helpful for my case but worth trying. would you be able to guide me through its usage? There is no reference in the documentation about it.

[philippjfr]

Sounds like it is a valid access_token, it's just not a valid JWT token, which is fine and should be supported. Adding the try/except around the decode_token should resolve your situation and return the access_token you were expecting, if the access_token also happens to be a JWT token then the decode_token step will succeed and we can confirm that it is not expired.

[simonaay]

Great to hear that. Thanks!

[simonaay]

Hi @philippjfr ,
I just tried Panel v1.3.6 and authenticating/authorizing is running back normally. Thanks for your effort.
However, the logged error is still appearing: ERROR: panel.auth - GenericLoginHandler token payload did not contain expected 'name'.
Thought to let you know.