The OneLoginOIDC Oauth backend is not compatible with the latest version of social-auth-core #881

Closed
sdc50 opened this issue Oct 31, 2022 · 9 comments · Fixed by #991
Comments

@sdc50
Member

sdc50 commented Oct 31, 2022

From @ezrajrice

OS: Ubuntu 22.04

After updating social-auth-core from version 4.0.2 to 4.3.0, I was able to update pyjwt from 1.7.0 to 2.6.0.

I am using OneLogin MultiTenant configuration for this test and I am getting the error shown below. Not sure what's going on. I'm fairly sure I have it configured in the same way as a working config. The only difference is me trying to use the localhost redirect URLs. Also, I checked the OneLogin logs and they show successful login to the dev app. It seems to me that there is something on the Tethys side blocking the final authentication.

AuthForbidden at /oauth2/complete/onelogin-oidc/
Your credentials aren't allowed

ERROR Internal Server Error: /oauth2/complete/onelogin-oidc/

Traceback (most recent call last):
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/oauth.py", line 392, in auth_complete
    response = self.request_access_token(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/open_id_connect.py", line 231, in request_access_token
    response = self.get_json(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 238, in request
    response.raise_for_status()
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://dynamic-engineers-dev.onelogin.com/oidc/2/token

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 472, in thread_handler
    raise exc_info[1]
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/exception.py", line 38, in inner
    response = await get_response(request)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/core/handlers/base.py", line 233, in _get_response_async
    response = await wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 435, in __call__
    ret = await asyncio.wait_for(future, timeout=None)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/asyncio/tasks.py", line 408, in wait_for
    return await fut
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/current_thread_executor.py", line 22, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/asgiref/sync.py", line 476, in thread_handler
    return func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/home/ezra/.tethys/tethys4-dev/tethys/tethys_portal/views/psa.py", line 55, in complete
    return do_complete(
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/home/ezra/miniconda/envs/tethys4-dev/lib/python3.10/site-packages/social_core/utils.py", line 252, in wrapper
    raise AuthForbidden(args[0])
social_core.exceptions.AuthForbidden: Your credentials aren't allowed

See discussion in #880

@sdc50 sdc50 added the bug label Oct 31, 2022
@sdc50
Member Author

sdc50 commented Oct 31, 2022

@swainn I can try to work on switching from python-jose for OneLogin, but I'll need someone else to confirm that the updates to social-auth-core and pyjwt don't break the other services.

@ezrajrice my impression from the brief look that we took at this is that we don't need to switch from python-jose. At least, social-auth-core is still using it for their OIDC backend, which the OneLoginOIDC backend is based on. If there is a way to avoid using python-jose then I think we should submit that to the social-auth-core repo to improve the whole project. In fact, if possible, I would love to see the OIDC backend generalized enough that we can get it to work with OneLogin purely through configuration, rather than by subclassing. If that is not possible then we could contribute OneLogin as an official backend to social-auth-core and thereby get others in the community helping with the maintenance.

@swainn
Member

swainn commented Oct 31, 2022

I would love to see the OIDC backend generalized enough that we can get it to work with OneLogin purely through configuration, rather than by subclassing.

To clarify, we need to subclass the OIDC backend to implement a OneLogin-specific backend. However, with some of the changes to the OIDC backend in the newest version, we may be close to being able to implement it without overriding any of the methods (i.e.: configuration).

That said, once we get it working, we ought to submit OneLogin as an official backend.

@ezrajrice ezrajrice mentioned this issue Nov 1, 2022
@swainn swainn added this to the Version 4.1 milestone Nov 4, 2022
@ezrajrice
Contributor

I FIGURED IT OUT!

In portal_config.yml, we need to add the SOCIAL_AUTH_ONELOGIN_OIDC_TOKEN_ENDPOINT_AUTH_METHOD setting for OneLogin. Below is the example for the single-tenant configuration. The same process would be used for the multi-tenant configuration, but you'd have to add it for each tenant. This setting defaults to GET if it isn't included. I just need to update the documentation so that this setting matches how the admin configured the SSO, and then we can remove the custom method overrides for find_valid_key and validate_and_return_id_token.

settings:
  ...
  OAUTH_CONFIG:
    SOCIAL_AUTH_ONELOGIN_OIDC_KEY: <sso_key>
    SOCIAL_AUTH_ONELOGIN_OIDC_SECRET: <sso_secret>
    SOCIAL_AUTH_ONELOGIN_OIDC_SUBDOMAIN: https://example.onelogin.com
    SOCIAL_AUTH_ONELOGIN_OIDC_TOKEN_ENDPOINT_AUTH_METHOD: POST
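
An added illustration, not code from social-auth-core or Tethys, of why a client-authentication method that does not match what the OneLogin admin configured ends in the 401 from the token endpoint seen in the traceback above (which social-core then surfaces as AuthForbidden). It uses the two standard OIDC methods, client_secret_basic (credentials in an Authorization header) and client_secret_post (credentials in the form body), as stand-ins for the setting's GET/POST values; that mapping, the credentials and the simulated endpoint are assumptions.

```python
import base64
import hmac

# Constructed sample credentials; not real OneLogin values.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "http://localhost:8000/oauth2/complete/onelogin-oidc/"


def build_token_request(auth_method, code):
    """Build the authorization-code exchange the way an OAuth client would
    for the chosen client-authentication method. Returns (headers, form)."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_post":
        # Credentials travel as form fields in the POST body.
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    elif auth_method == "client_secret_basic":
        # Credentials travel as HTTP Basic auth (RFC 6749 section 2.3.1).
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return headers, form


def simulated_token_endpoint(expected_method, headers, form):
    """Stand-in for the IdP's /token endpoint: it reads client credentials
    only from the place the admin configured and answers 401 otherwise."""
    if expected_method == "client_secret_basic":
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    else:  # client_secret_post
        client_id, secret = form.get("client_id"), form.get("client_secret")
    # Constant-time comparison of the secret, as a real endpoint should do.
    if client_id != CLIENT_ID or not hmac.compare_digest(secret or "", CLIENT_SECRET):
        return 401
    return 200


def exchange_code(client_method, server_method):
    """HTTP status the client would get for a given method pairing."""
    headers, form = build_token_request(client_method, "constructed-code")
    return simulated_token_endpoint(server_method, headers, form)
```

Only the two matching pairings return 200; either mismatch yields the 401 that the traceback shows wrapped in AuthForbidden, so the setting has to mirror the app's token-endpoint authentication method on the OneLogin side.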

@swainn
Member

swainn commented Nov 14, 2022

Excellent @ezrajrice. Thank you for digging in on this issue. Will you prepare a PR with the needed doc changes?

@ezrajrice
Contributor

@swainn Yeah I'll get that in this week.

@swainn
Member

swainn commented Dec 16, 2022

@ezrajrice any progress on this?

@ezrajrice
Contributor

@swainn yeah, sorry, just trying to set up the upstream and rebase, then I still need to update the docs.

Question though, how does the tethys settings --set OAUTH_CONFIG.XXX work? Does it check for specific keys only or can one specify anything and it gets set under the OAUTH_CONFIG section?

@swainn
Member

swainn commented Dec 19, 2022

Question though, how does the tethys settings --set OAUTH_CONFIG.XXX work? Does it check for specific keys only or can one specify anything and it gets set under the OAUTH_CONFIG section?

Good question. I believe you can set arbitrary keys just like you can at the top level. Give it a try and let me know if it works.

@swainn swainn modified the milestones: Version 4.1, Version 4.2 May 10, 2023
@swainn
Member

swainn commented Nov 3, 2023

Hey @ezrajrice, we're likely releasing 4.2 next week. Do you want to try to get this fix in for that?
