Have external login always make an API request to get the authorization URL

This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.

oauth/base.py

@@ -1,4 +1,7 @@
 import logging
+import urllib
+
+from util import get_app_url
 
 logger = logging.getLogger(__name__)
 
@@ -10,7 +13,6 @@ class OAuthGetUserInfoException(Exception):
   """ Exception raised if a call to get user information fails. """
   pass
 
-
 class OAuthService(object):
   """ A base class for defining an external service, exposed via OAuth. """
   def __init__(self, config, key_name):
@@ -38,6 +40,10 @@ class OAuthService(object):
     """ Performs validation of the client ID and secret, raising an exception on failure. """
     raise NotImplementedError
 
+  def authorize_endpoint(self):
+    """ Endpoint for authorization. """
+    raise NotImplementedError
+
   def requires_form_encoding(self):
     """ Returns True if form encoding is necessary for the exchange_code_for_token call. """
     return False
@@ -48,6 +54,20 @@ class OAuthService(object):
   def client_secret(self):
     return self.config.get('CLIENT_SECRET')
 
+  def get_auth_url(self, app_config, redirect_suffix, csrf_token, scopes):
+    """ Retrieves the authorization URL for this login service. """
+    redirect_uri = '%s/oauth2/%s/callback%s' % (get_app_url(app_config), self.service_id(),
+                                                redirect_suffix)
+    params = {
+      'client_id': self.client_id(),
+      'redirect_uri': redirect_uri,
+      'scope': ' '.join(scopes),
+      'state': csrf_token,
+    }
+
+    authorize_url = '%s%s' % (self.authorize_endpoint(), urllib.urlencode(params))
+    return authorize_url
+
   def get_redirect_uri(self, app_config, redirect_suffix=''):
     return '%s://%s/oauth2/%s/callback%s' % (app_config['PREFERRED_URL_SCHEME'],
                                              app_config['SERVER_HOSTNAME'],

oauth/loginmanager.py

@@ -22,3 +22,10 @@ class OAuthLoginManager(object):
             self.services.append(custom_service)
         else:
           self.services.append(OIDCLoginService(config, key))
+
+  def get_service(self, service_id):
+    for service in self.services:
+      if service.service_id() == service_id:
+        return service
+
+    return None

oauth/oidc.py

@@ -14,7 +14,6 @@ from jwkest.jwk import KEYS
 from oauth.base import OAuthService, OAuthExchangeCodeException, OAuthGetUserInfoException
 from oauth.login import OAuthLoginException
 from util.security.jwtutil import decode, InvalidTokenError
-from util import get_app_url
 
 logger = logging.getLogger(__name__)
 
@@ -28,7 +27,6 @@ class DiscoveryFailureException(Exception):
   """ Exception raised when OIDC discovery fails. """
   pass
 
-
 class PublicKeyLoadException(Exception):
   """ Exception raised if loading the OIDC public key fails. """
   pass
@@ -75,14 +73,7 @@ class OIDCLoginService(OAuthService):
 
   def validate_client_id_and_secret(self, http_client, app_config):
     # TODO: find a way to verify client secret too.
-    redirect_url = '%s/oauth2/%s/callback' % (get_app_url(app_config), self.service_id())
-    scopes_string = ' '.join(self.get_login_scopes())
-    authorize_url = '%sclient_id=%s&redirect_uri=%s&scope=%s' % (self.authorize_endpoint(),
-                                                                 self.client_id(),
-                                                                 redirect_url,
-                                                                 scopes_string)
-
-    check_auth_url = http_client.get(authorize_url)
+    check_auth_url = http_client.get(self.get_auth_url())
     if check_auth_url.status_code // 100 != 2:
       raise Exception('Got non-200 status code for authorization endpoint')