Merge pull request #1164 from lsst-sqre/tickets/DM-47760

DM-47760: Allow internal tokens on the OIDC userinfo route
lsst-sqre · Nov 22, 2024 · e52e7d9 · e52e7d9
2 parents 2ce3a6a + 17df643
commit e52e7d9
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 1 deletion.
diff --git a/changelog.d/20241122_115147_rra_DM_47760.md b/changelog.d/20241122_115147_rra_DM_47760.md
@@ -0,0 +1,3 @@
+### New features
+
+- Allow a client to present an internal token to the `/auth/openid/userinfo` endpoint. CADC's authenticator finds the userinfo endpoint via OpenID Connect configuration and presents whatever token it has to that endpoint, so this allows it to use the regular userinfo endpoint.
diff --git a/src/gafaelfawr/handlers/oidc.py b/src/gafaelfawr/handlers/oidc.py
@@ -310,7 +310,7 @@ async def get_userinfo(
     token_data: Annotated[TokenData, Depends(authenticate_token)],
     context: Annotated[RequestContext, Depends(context_dependency)],
 ) -> Mapping[str, Any]:
-    if token_data.token_type != TokenType.oidc:
+    if token_data.token_type not in (TokenType.internal, TokenType.oidc):
         msg = f"Token of type {token_data.token_type.value} not allowed"
         exc = InvalidTokenError(msg)
         raise generate_challenge(context, AuthType.Bearer, exc)

diff --git a/tests/handlers/oidc_test.py b/tests/handlers/oidc_test.py
@@ -1054,3 +1054,32 @@ async def test_basic_auth(
         "scope": "openid",
         "sub": token_data.username,
     }
+
+
+@pytest.mark.asyncio
+async def test_userinfo_internal(
+    client: AsyncClient, factory: Factory, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Test passing internal tokens to the userinfo endpoint."""
+    redirect_uri = "https://example.org/"
+    clients = [build_oidc_client("some-id", "some-secret", redirect_uri)]
+    await reconfigure(
+        "github-oidc-server", factory, monkeypatch, oidc_clients=clients
+    )
+    token_data = await create_session_token(factory, scopes=["read:all"])
+    token_service = factory.create_token_service()
+    internal_token = await token_service.get_internal_token(
+        token_data, "some-service", ["read:all"], ip_address="127.0.0.1"
+    )
+
+    r = await client.get(
+        "/auth/openid/userinfo",
+        headers={"Authorization": f"Bearer {internal_token}"},
+    )
+    assert r.status_code == 200
+    assert r.json() == {
+        "email": token_data.email,
+        "name": token_data.name,
+        "preferred_username": token_data.username,
+        "sub": token_data.username,
+    }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		### New features

		- Allow a client to present an internal token to the `/auth/openid/userinfo` endpoint. CADC's authenticator finds the userinfo endpoint via OpenID Connect configuration and presents whatever token it has to that endpoint, so this allows it to use the regular userinfo endpoint.