apple_auth: Remove decode_id_token override and update social-auth-core

[chdinesh1089]

Testing Plan:
https://circleci.com/gh/chdinesh1089/zulip/tree/apple_auth

[mateuszmandera]

I think this is why you're getting the mypy error for test_extra_settings. The way you're defining this AUDIENCE list here means it might end up being something like ["some.services.id", None]. That's not what we want. If BUNDLE_ID isn't specified, AUDIENCE should only have the services id

[gnprice]

Thanks @chdinesh1089 ! One comment below, apart from the spots Mateusz has mentioned.

[mateuszmandera]

Now that it's not just SAML using this code, we should update the comment above.

[andersk]

Do these or '' do anything? They’re already looked up with a default of '' above:

    first_name = kwargs['details'].get('first_name', '')
    last_name = kwargs['details'].get('last_name', '')

[chdinesh1089]

when the name details aren't sent by apple, python-social-auth sets first_name and last_name to None. Because of that return_data["full_name"] is getting the value "None None". Those or '' are used to avoid that.

[mateuszmandera]

In general this whole structure is kind of weird:

    if full_name is None:
        if not first_name and not last_name:
            # We need custom code here for any social auth backends
            # that don't provide name details feature.
            if (backend.name == 'apple'):
                # Apple authentication provides the user's name only
                # the very first time a user tries to login.  So if
                # the user aborts login or otherwise is doing this the
                # second time, we won't have any name data.  We handle
                # this by setting full_name to be the empty string.
                full_name = ""
            else:
                raise AssertionError("Social auth backend doesn't provide name")
    if full_name:
        return_data["full_name"] = full_name
    else:
        # In SAML authentication, the IdP may support only sending
        # the first and last name as separate attributes - in that case
        # we construct the full name from them.
        return_data["full_name"] = f"{first_name} {last_name}".strip()  # strip removes the unnecessary ' '
        return_data["full_name"] = f"{first_name or ''} {last_name or ''}".strip()  # strip removes the unnecessary ' '

The block if (backend.name == 'apple'): does nothing, because then we fall into the else condition of if full_name / else. I think this needs to be cleaned up.

[mateuszmandera]

This is not correct yet, having a None in this list is not something we want. The type should be List[str] and we should make mypy happy with it (by correctly defining this list in computed_settings - in a way the ensures mypy there are no None in there).

[mateuszmandera]

The changes that are related to the package update should be in the same commit as the update. The other things are good as separate commits.

[andersk]

Have you asked upstream why this hasn’t been released to PyPI?

[chdinesh1089]

No, just opened an issue asking. python-social-auth/social-core#485

[andersk]

Why Optional? Is None really a valid element of this list, or are you just missing a SOCIAL_AUTH_APPLE_CLIENT is not None check in computed_settings?

[chdinesh1089]

mypy gets that None from having SOCIAL_AUTH_APPLE_SERVICES_ID = get_secret('social_auth_apple_services_id', development_only=True) in default_settings.py where get_secret returns Optional[str].

[chdinesh1089]

Fixed with adding a SOCIAL_AUTH_APPLE_CLIENT is not None check.

[andersk]

Do these or '' do anything? They’re already looked up with a default of '' above:

    first_name = kwargs['details'].get('first_name', '')
    last_name = kwargs['details'].get('last_name', '')

[mateuszmandera]

this won't work correctly if e.g. first_name is the empty string rather than None. We want not name I think.

[chdinesh1089]

Ohh, I used is None thinking we'll restrict full_name = '' case with not name.
Can we change

    first_name = kwargs['details'].get('first_name', '')
    last_name = kwargs['details'].get('last_name', '')

to

    first_name = kwargs['details'].get('first_name')
    last_name = kwargs['details'].get('last_name')

so that this nice if line will still be correct?

[chdinesh1089]

@timabbott I think this is ready for review. Could you take a look?

[timabbott]

I don't understand the end state with first_name and last_name -- is the problem in part that the details object can contain None values for those properties now?

[chdinesh1089]

Yes, Only for apple, details object can contain first_name and last_name as None, because python social auth makes it None when apple doesn't send us name details because of user trying to re-attempt a failed registration/login(apple only sends name details the very first time user tries to log in).

[timabbott]

OK; we should look at reporting an issue with python-social-auth upstream for that; it's not the convention that project uses for other details objects AFAIK. @mateuszmandera I suppose should confirm.

[chdinesh1089]

yes, looks like it isn't the convention that the project uses, but that was an intentional change introduced in python-social-auth/social-core#465 The author of PR says

if there's no first/last name in the response return None so that the User model is not updated to empty strings if user_details is used in the pipeline

Python social auth says to avoid None in https://github.com/python-social-auth/social-core/blob/9d93069564a60495e0ebd697b33e16fcff14195b/social_core/backends/base.py#L176

@mateuszmandera Could you confirm if it is a mistake? (I'm not sure if it's a mistake as it got merged as some sort of a fix)

[mateuszmandera]

It does seem like perhaps the original intent was to use '' rather than None in PSA backends and the convention is generally respected, but for instance SAML doesn't follow it and can return Nones:

    # Attributes processing:
    def get_user_details(self, attributes):
        """
        Given the SAML attributes extracted from the SSO response, get
        the user data like name.
        """
        return {
            'fullname': self.get_attr(attributes, 'attr_full_name',
                                      OID_COMMON_NAME),
            'first_name': self.get_attr(attributes, 'attr_first_name',
                                        OID_GIVEN_NAME),
            'last_name': self.get_attr(attributes, 'attr_last_name',
                                       OID_SURNAME),
            'username': self.get_attr(attributes, 'attr_username',
                                      OID_USERID),
            'email': self.get_attr(attributes, 'attr_email',
                                   OID_MAIL),
        }

    def get_attr(self, attributes, conf_key, default_attribute):
        """
        Internal helper method.
        Get the attribute 'default_attribute' out of the attributes,
        unless self.conf[conf_key] overrides the default by specifying
        another attribute to use.
        """
        key = self.conf.get(conf_key, default_attribute)
        value = attributes[key] if key in attributes else None
        if isinstance(value, list):
            if len(value):
                value = value[0]
            else:
                value = None
        return value

Perhaps we should submit PRs to upstream for apple and SAML to fix this, but regardless I don't think we can rely on this convention being followed and we cannot be investigating if it's not suddenly being broken on every PSA version bump - so I'd say in our code we should handle the None possibility.

[mateuszmandera]

@chdinesh1089 Do you want to take care of submitting the PR to upstream?

[chdinesh1089]

Opened python-social-auth/social-core#490.

[timabbott]

What's the status of this PR? Are we blocked on upstream? And if not, @mateuszmandera are you happy with it?

[mateuszmandera]

@timabbott I don't believe we're blocked. The answer to the #15553 (comment) concern is that None is a permissible value for first_name and others, and the None value is the right one as explained on Dinesh's upstream PR discussion. So we need to handle it.

One controversy might that the new PSA version isn't released to pypi due to Travis failing, but as explained by python-social-auth/social-core#485 (comment) it seems safe to upgrade.

The commits LGTM, so should be ready for your review.

@chdinesh1089 Can you fix the conflict and post a link to the discussion on renaming the certificate file as reference since it seems useful to havae it here.

[chdinesh1089]

Rebased.
Link to discussion about renaming private key file: https://chat.zulip.org/#narrow/stream/3-backend/topic/apple.20auth/near/912392

[zulipbot]

Heads up @chdinesh1089, we just merged some commits that conflict with the changes your made in this pull request! You can review this repository's recent commits to see where the conflicts occur. Please rebase your feature branch against the upstream/master branch and resolve your pull request's merge conflicts accordingly.

[timabbott]

Merged as the series ending with 9583554 after rebasing. One thing to note is the PROVISION_VERSION bump here was wrong; 91.3 should increase to 92.0, not 92.3.