Have external login always make an API request to get the authorization URL

This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00 · 2017-01-23 19:06:19 -05:00 · a9791ea419
commit a9791ea419
parent fda203e4d7
9 changed files with 128 additions and 49 deletions
--- a/oauth/oidc.py
+++ b/oauth/oidc.py
@ -14,7 +14,6 @@ from jwkest.jwk import KEYS
 from oauth.base import OAuthService, OAuthExchangeCodeException, OAuthGetUserInfoException
 from oauth.login import OAuthLoginException
 from util.security.jwtutil import decode, InvalidTokenError
-from util import get_app_url

 logger = logging.getLogger(__name__)

@ -28,7 +27,6 @@ class DiscoveryFailureException(Exception):
  """ Exception raised when OIDC discovery fails. """
  pass

-
 class PublicKeyLoadException(Exception):
  """ Exception raised if loading the OIDC public key fails. """
  pass
@ -75,14 +73,7 @@ class OIDCLoginService(OAuthService):

  def validate_client_id_and_secret(self, http_client, app_config):
    # TODO: find a way to verify client secret too.
-    redirect_url = '%s/oauth2/%s/callback' % (get_app_url(app_config), self.service_id())
-    scopes_string = ' '.join(self.get_login_scopes())
-    authorize_url = '%sclient_id=%s&redirect_uri=%s&scope=%s' % (self.authorize_endpoint(),
-                                                                 self.client_id(),
-                                                                 redirect_url,
-                                                                 scopes_string)
-
-    check_auth_url = http_client.get(authorize_url)
+    check_auth_url = http_client.get(self.get_auth_url())
    if check_auth_url.status_code // 100 != 2:
      raise Exception('Got non-200 status code for authorization endpoint')