JWT key fixes

GitTimeraider · web-flow · commit e991d3e0bc02 · 2025-11-14T13:50:25.000+01:00
diff --git a/app/routes.py b/app/routes.py
@@ -1037,8 +1037,45 @@ def oidc_callback():
                 client_kwargs=client_kwargs
             )
         
-        # Get the token
-        token = oidc_client.authorize_access_token()
+        # Exchange authorization code for tokens manually to avoid JWT validation issues
+        try:
+            import requests
+            
+            # Get authorization code from callback
+            code = request.args.get('code')
+            if not code:
+                flash('No authorization code received.', 'error')
+                return redirect(url_for('main.login'))
+            
+            # Exchange code for token
+            token_response = requests.post(
+                oidc_config.token_endpoint,
+                data={
+                    'grant_type': 'authorization_code',
+                    'code': code,
+                    'redirect_uri': url_for('main.oidc_callback', _external=True),
+                    'client_id': oidc_config.client_id,
+                    'client_secret': oidc_config.client_secret
+                },
+                timeout=10
+            )
+            
+            if token_response.status_code != 200:
+                current_app.logger.error(f"Token endpoint returned {token_response.status_code}: {token_response.text}")
+                flash('Failed to obtain access token from identity provider.', 'error')
+                return redirect(url_for('main.login'))
+            
+            token = token_response.json()
+            access_token = token.get('access_token')
+            
+            if not access_token:
+                flash('No access token received from identity provider.', 'error')
+                return redirect(url_for('main.login'))
+        
+        except Exception as token_error:
+            current_app.logger.error(f"Token exchange failed: {token_error}")
+            flash(f'An error occurred during login: {str(token_error)}', 'error')
+            return redirect(url_for('main.login'))
         
         # Parse the ID token to get user info - skip JWT validation for manual endpoints
         user_info = token.get('userinfo')
@@ -1066,8 +1103,6 @@ def oidc_callback():
             # If still no user_info, try fetching from userinfo endpoint
             if not user_info:
                 try:
-                    import requests
-                    access_token = token.get('access_token')
                     if access_token and oidc_config.userinfo_endpoint:
                         response = requests.get(
                             oidc_config.userinfo_endpoint,
