
Commit 153e02e

OIDC fixes
1 parent fee1355 commit 153e02e

1 file changed

+88
-19
lines changed

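--- a/app/routes.py
+++ b/app/routes.py
@@ -863,7 +863,10 @@ def oidc_settings():
 oidc_config.display_name = form.display_name.data
 oidc_config.client_id = form.client_id.data
 oidc_config.client_secret = form.client_secret.data
-oidc_config.discovery_endpoint = form.discovery_endpoint.data
+oidc_config.discovery_endpoint = form.discovery_endpoint.data or None
+oidc_config.authorization_endpoint = form.authorization_endpoint.data or None
+oidc_config.token_endpoint = form.token_endpoint.data or None
+oidc_config.userinfo_endpoint = form.userinfo_endpoint.data or None
 oidc_config.user_mapping_field = form.user_mapping_field.data
 oidc_config.custom_attribute = form.custom_attribute.data if form.user_mapping_field.data == 'custom' else None
 oidc_config.is_enabled = form.is_enabled.data
@@ -902,15 +905,50 @@ def oidc_login():
 oauth = OAuth(current_app)
 
 # Register the OIDC client
-oidc_client = oauth.register(
-name='oidc',
-client_id=oidc_config.client_id,
-client_secret=oidc_config.client_secret,
-server_metadata_url=oidc_config.discovery_endpoint,
-client_kwargs={
-'scope': 'openid profile email'
-}
-)
+client_kwargs = {'scope': 'openid profile email'}
+
+# Check if using discovery or manual endpoints
+if oidc_config.discovery_endpoint:
+# Use discovery endpoint
+try:
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+server_metadata_url=oidc_config.discovery_endpoint,
+client_kwargs=client_kwargs
+)
+except Exception as discovery_error:
+current_app.logger.warning(f"Discovery endpoint failed: {discovery_error}. Falling back to manual endpoints if available.")
+# If discovery fails, try manual endpoints
+if oidc_config.authorization_endpoint and oidc_config.token_endpoint:
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+authorize_url=oidc_config.authorization_endpoint,
+access_token_url=oidc_config.token_endpoint,
+userinfo_endpoint=oidc_config.userinfo_endpoint,
+client_kwargs=client_kwargs
+)
+session['oidc_use_manual'] = True
+else:
+raise
+elif oidc_config.authorization_endpoint and oidc_config.token_endpoint:
+# Use manual endpoints (no discovery)
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+authorize_url=oidc_config.authorization_endpoint,
+access_token_url=oidc_config.token_endpoint,
+userinfo_endpoint=oidc_config.userinfo_endpoint,
+client_kwargs=client_kwargs
+)
+session['oidc_use_manual'] = True
+else:
+flash('OIDC configuration incomplete. Please configure either discovery endpoint or manual endpoints.', 'error')
+return redirect(url_for('main.login'))
 
 # Generate callback URL
 redirect_uri = url_for('main.oidc_callback', _external=True)
@@ -949,16 +987,47 @@ def oidc_callback():
 # Initialize OAuth
 oauth = OAuth(current_app)
 
+# Get whether using manual endpoints
+use_manual = session.get('oidc_use_manual', False)
+
 # Register the OIDC client (same as in login)
-oidc_client = oauth.register(
-name='oidc',
-client_id=oidc_config.client_id,
-client_secret=oidc_config.client_secret,
-server_metadata_url=oidc_config.discovery_endpoint,
-client_kwargs={
-'scope': 'openid profile email'
-}
-)
+client_kwargs = {'scope': 'openid profile email'}
+
+if not use_manual and oidc_config.discovery_endpoint:
+# Try discovery endpoint
+try:
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+server_metadata_url=oidc_config.discovery_endpoint,
+client_kwargs=client_kwargs
+)
+except Exception:
+# Fallback to manual if discovery fails
+if oidc_config.authorization_endpoint and oidc_config.token_endpoint:
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+authorize_url=oidc_config.authorization_endpoint,
+access_token_url=oidc_config.token_endpoint,
+userinfo_endpoint=oidc_config.userinfo_endpoint,
+client_kwargs=client_kwargs
+)
+else:
+raise
+else:
+# Use manual endpoints
+oidc_client = oauth.register(
+name='oidc',
+client_id=oidc_config.client_id,
+client_secret=oidc_config.client_secret,
+authorize_url=oidc_config.authorization_endpoint,
+access_token_url=oidc_config.token_endpoint,
+userinfo_endpoint=oidc_config.userinfo_endpoint,
+client_kwargs=client_kwargs
+)
 
 # Get the token
 token = oidc_client.authorize_access_token()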
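Review bot: The new `else` branch in oidc_callback (new lines 1021–1030) registers the client from the manual endpoints without checking that they are set, so a session with no `oidc_use_manual` flag and an empty discovery endpoint reaches `oauth.register` with `authorize_url=None` and `access_token_url=None`, whereas oidc_login flashes an error for the same configuration; mirror the login guard with `elif oidc_config.authorization_endpoint and oidc_config.token_endpoint:` and an `else:` that flashes the same message and returns `redirect(url_for('main.login'))`. The `oidc_use_manual` flag is only ever set to `True` (new lines 934 and 948) and never cleared, so after one fallback the callback skips discovery for the rest of that browser session even if discovery recovers; set `session['oidc_use_manual'] = False` in the discovery branch of oidc_login, or `session.pop('oidc_use_manual', None)` right after the callback reads it. The `try`/`except Exception` around `oauth.register` in both functions probably never catches a discovery outage: if this `OAuth` is Authlib's, `register` is lazy and the metadata URL is only fetched when the client is first used (`authorize_redirect` in login, `authorize_access_token()` here), so the fallback would have to wrap those calls instead — worth confirming against the library version in use. In manual mode the registration carries no `jwks_uri` or issuer, so whether the ID token returned under the `openid` scope can still be signature- and issuer-verified at `authorize_access_token()` depends on the library; a comment on the manual branch stating what verification is expected there would help the next reader. Both oidc_login and oidc_callback continue outside the hunks.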
