fix openid flow

zvonand · zvonand · commit 4b02f55d3b95 · 2025-09-04T12:57:46.000+02:00
diff --git a/src/Access/TokenAccessStorage.cpp b/src/Access/TokenAccessStorage.cpp
@@ -351,8 +351,8 @@ std::optional<AuthResult> TokenAccessStorage::authenticateImpl(
         // Even though token itself may be valid (especially in case of a jwt token), authentication has just failed.
         if (throw_if_user_not_exists)
             throwNotFound(AccessEntityType::USER, credentials.getUserName(), getStorageName());
-        else
-            return {};
+
+        return {};
     }
 
     std::shared_ptr<User> new_user;
diff --git a/src/Access/TokenProcessorsJWT.cpp b/src/Access/TokenProcessorsJWT.cpp
@@ -388,7 +388,7 @@ bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials)
     if (decoded_jwt.has_payload_claim(groups_claim))
         const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));
     else
-        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {{ not found in token, no external roles will be mapped", processor_name, groups_claim);
+        LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);
 
     return true;
 }
diff --git a/src/Access/TokenProcessorsOpaque.cpp b/src/Access/TokenProcessorsOpaque.cpp
@@ -308,6 +308,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         {
             auto decoded_token = jwt::decode(token);
             user_info_json = decoded_token.get_payload_json();
+            username = getValueByKey(user_info_json, username_claim);
 
             /// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.
             if (decoded_token.has_expires_at())
@@ -338,7 +339,8 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia
         LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to obtain user info", processor_name);
         return false;
     }
-    else if (username.empty())
+
+    if (username.empty())
     {
         LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username", processor_name);
         return false;

Original file line number	Diff line number	Diff line change
`@@ -388,7 +388,7 @@ bool JwksJwtProcessor::resolveAndValidate(const TokenCredentials & credentials)`
`388`	`388`	`if (decoded_jwt.has_payload_claim(groups_claim))`
`389`	`389`	`const_cast<TokenCredentials &>(credentials).setGroups(parseGroupsFromJsonArray(decoded_jwt.get_payload_claim(groups_claim).as_array()));`
`390`	`390`	`else`
`391`		`- LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {{ not found in token, no external roles will be mapped", processor_name, groups_claim);`
	`391`	`+ LOG_TRACE(getLogger("TokenAuthentication"), "{}: Specified groups_claim {} not found in token, no external roles will be mapped", processor_name, groups_claim);`
`392`	`392`
`393`	`393`	`return true;`
`394`	`394`	`}`
Original file line number	Diff line number	Diff line change
`@@ -308,6 +308,7 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`308`	`308`	`{`
`309`	`309`	`auto decoded_token = jwt::decode(token);`
`310`	`310`	`user_info_json = decoded_token.get_payload_json();`
	`311`	`+ username = getValueByKey(user_info_json, username_claim);`
`311`	`312`
`312`	`313`	`/// TODO: Now we work only with Keycloak -- and it provides expires_at in token itself. Need to add actual token introspection logic for other OIDC providers.`
`313`	`314`	`if (decoded_token.has_expires_at())`
`@@ -338,7 +339,8 @@ bool OpenIdTokenProcessor::resolveAndValidate(const TokenCredentials & credentia`
`338`	`339`	`LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to obtain user info", processor_name);`
`339`	`340`	`return false;`
`340`	`341`	`}`
`341`		`- else if (username.empty())`
	`342`	`+`
	`343`	`+ if (username.empty())`
`342`	`344`	`{`
`343`	`345`	`LOG_TRACE(getLogger("TokenAuthentication"), "{}: Failed to get username", processor_name);`
`344`	`346`	`return false;`