End of userinfo changes

NotChristianGarcia · NotChristianGarcia · commit d1e9e806e53a · 2025-04-04T08:11:03.000-07:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # image: tapis/authenticator
-FROM tapis/flaskbase:1.8.0
+FROM tapis/flaskbase:1.8.1
 
 COPY requirements.txt /home/tapis/requirements.txt
 RUN pip install -r /home/tapis/requirements.txt
diff --git a/service/auth.py b/service/auth.py
@@ -159,14 +159,6 @@ def authentication():
                 # overwrite the headers via wsgi environ. request.headers itself is read-only
                 tapis_token = auth_token.replace('Bearer ', '')
                 logger.debug(f"found auth header; setting environ X-Tapis-Token to {tapis_token}")
-
-                # tokens might have aud, if jwt.decode in tapisservice doesn't specify expected aud you'll
-                # get invalid aud. Either we can somehow pop aud or specify to jwt.decode(options={'verify_aud': False})
-                # Instead of verify = false we can also specify a list of valid auds. Pop aud would require
-                # re-encoding+sigining key. We don't have private tenant key in auth though. Ignoring for now, only
-                # bookstack looks for this when running their auth.
-                # resolve_tenant_id_for_request decode needs aud to expect - https://github.com/jpadilla/pyjwt/blob/master/docs/usage.rst#audience-claim-aud
-
                 # modify the WSGI environment directly
                 # wsgi requires headers be uppercase, no dashes, and prefixed with HTTP_
                 request.environ['HTTP_X_TAPIS_TOKEN'] = tapis_token
@@ -176,11 +168,19 @@ def authentication():
         # debug logs
         try:
             headers = request.headers
-            logger.debug(f"before auth.authentication(). request.headers: {headers}")
+            logger.debug(f"before auth.authentication(). request.headers: {headers.keys()}")
         except Exception as e:
             pass
-        
-        auth.authentication()
+
+        # tokens might have aud, if jwt.decode in tapisservice doesn't specify expected aud you'll
+        # get invalid aud. Either we can somehow pop aud or specify to jwt.decode(options={'verify_aud': False})
+        # Instead of verify = false we can also specify a list of valid auds. Pop aud would require
+        # re-encoding+signing key. We don't have private tenant key in auth though. Ignoring for now, only
+        # bookstack looks for this when running their auth.
+        # resolve_tenant_id_for_request decode needs aud to expect - https://github.com/jpadilla/pyjwt/blob/master/docs/usage.rst#audience-claim-aud
+        # Edit, expected_aud now exists. Bookstack asks for aud == client_id. For now we'll just allow any aud, especially as this is one endpoint.
+
+        auth.authentication(expected_aud=["*"])
         # always resolve the request tenant id based on the URL:
         auth.resolve_tenant_id_for_request()
         # make sure this request is for a tenant served by this authenticator
diff --git a/service/controllers.py b/service/controllers.py
@@ -10,6 +10,7 @@
 from openapi_core import openapi_request_validator
 from openapi_core.contrib.flask import FlaskOpenAPIRequest
 from jwcrypto import jwk
+import jwt
 import sqlalchemy
 import secrets
 import random
@@ -212,7 +213,6 @@ def _handle_userinfo_request(request, oidc=False):
     # note that the user info endpoint is more limited for custom oauth idp extensions in general because the
     # custom OAuth server may not provide a profile endpoint.
     custom_oa2_extension_type = tenant_configs_cache.get_custom_oa2_extension_type(tenant_id=tenant_id)
-
     ## token should maybe already have:
     # jti iss sub exp tapis/tenant_id tapis/token_type
     # tapis/delegation tapis/delegation_sub tapis/username
@@ -240,7 +240,17 @@ def _handle_userinfo_request(request, oidc=False):
             data_rights = get_user_data_rights(username)
             if data_rights:
                 userinfo["data_rights"] = " ".join(data_rights)
-        return jsonify(userinfo.serialize)
+
+        # return token + userinfo as return for bookstack OIDC userinfo call.
+        # bookstack at leasts needs sub claim.
+        try: 
+            token_dict = jwt.decode(g.x_tapis_token, options={"verify_signature": False})
+            newinfo = userinfo.serialize
+            newinfo.update(token_dict)
+        except Exception as e:
+            logger.debug(f"Error creating userinfo+token object: {e}, token: {g.x_tapis_token}")
+            raise errors.ResourceError("Error with token and userinfo objects.")
+        return jsonify(newinfo)
 
     return utils.ok(result=userinfo.serialize, msg="User profile retrieved successfully.")
 
