fix: 🐛 fix authentication by adding audience in jwt decode

dnum-mi · Oct 4, 2024 · 661fc98 · 661fc98
1 parent 6594eb4
commit 661fc98
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 11 deletions.
diff --git a/.github/workflows/main-ci.yml b/.github/workflows/main-ci.yml
@@ -78,6 +78,7 @@ jobs:
         OIDC_CONFIG_URL: https://token.actions.githubusercontent.com/.well-known/openid-configuration
         OIDC_JWKS_URL: https://token.actions.githubusercontent.com/.well-known/jwks
         OIDC_JWKS_KID: cc413527-173f-5a05-976e-9c52b1d7b431
+        OIDC_CLIENT_ID: basegun
     steps:
       - run: cd /app && pytest
     services:

diff --git a/backend/src/config.py b/backend/src/config.py
@@ -1,4 +1,4 @@
-import logging
+import logging.config
 import os
 import ssl
 from datetime import datetime
@@ -13,6 +13,7 @@
 CURRENT_DIR = os.path.dirname(os.path.abspath(__file__))
 
 PATH_LOGS = os.environ.get("PATH_LOGS", "/tmp/logs")
+os.makedirs(PATH_LOGS, exist_ok=True)
 
 LOGS_CONFIG = {
     "version": 1,
@@ -133,6 +134,7 @@ def get_base_logs(user_agent, user_id: str) -> dict:
 SMTPClient = SMTP(os.environ["EMAIL_HOST"], os.environ["EMAIL_PORT"])
 
 # Authentication
+OIDC_CLIENT_ID = os.environ["OIDC_CLIENT_ID"]
 
 # Avoid SSL to retrieve JWKs
 ctx = ssl.create_default_context()

diff --git a/backend/src/main.py b/backend/src/main.py
@@ -1,9 +1,7 @@
-import os
-
 from fastapi import FastAPI, Request
 from fastapi.middleware.cors import CORSMiddleware
 
-from .config import HEADERS, PATH_LOGS
+from .config import HEADERS
 from .router import router
 
 app = FastAPI(docs_url="/api/docs")
@@ -25,7 +23,4 @@ async def add_owasp_middleware(request: Request, call_next):
     return response
 
 
-# Logs
-os.makedirs(PATH_LOGS, exist_ok=True)
-
 app.include_router(router)
diff --git a/backend/src/utils.py b/backend/src/utils.py
@@ -7,7 +7,7 @@
 import jwt
 from fastapi import Depends, HTTPException, status
 
-from src.config import SMTPClient
+from src.config import OIDC_CLIENT_ID, SMTPClient
 
 from .config import OAUTH2_SCHEME, PUBLIC_KEY, S3, S3_BUCKET_NAME
 
@@ -56,6 +56,7 @@ async def get_current_user(token: Annotated[str, Depends(OAUTH2_SCHEME)]):
         return jwt.decode(
             token.split()[1],
             PUBLIC_KEY,
+            audience=OIDC_CLIENT_ID,
             algorithms=["RS256"],
         )
     except jwt.InvalidTokenError as exception:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -16,6 +16,7 @@ services:
       - OIDC_CONFIG_URL=http://localhost:8080/realms/basegun/.well-known/openid-configuration
       - OIDC_JWKS_URL=http://keycloak:8080/realms/basegun/protocol/openid-connect/certs
       - OIDC_JWKS_KID=basegun
+      - OIDC_CLIENT_ID=basegun
       - IRCGN_PHONE=00 00 00 00 00
       - IRCGN_CELLPHONE=00 00 00 00 00
       - [email protected]
@@ -44,7 +45,7 @@ services:
     ports:
       - 9000:9000
       - 9001:9001
-  
+
   # Mock Passage2 OIDC
   keycloak:
     build:
@@ -65,4 +66,4 @@ services:
       - 1025:1025
     environment:
       MP_SMTP_AUTH_ACCEPT_ANY: 1
-      MP_SMTP_AUTH_ALLOW_INSECURE: 1
+      MP_SMTP_AUTH_ALLOW_INSECURE: 1
diff --git a/keycloak/realm-export.json b/keycloak/realm-export.json
@@ -634,6 +634,7 @@
       "defaultClientScopes": [
         "web-origins",
         "acr",
+        "audience",
         "roles",
         "profile",
         "basic",
@@ -954,6 +955,35 @@
         }
       ]
     },
+    {
+      "id": "6960d0f3-b9fa-4112-a46a-76362d3d72df",
+      "name": "audience",
+      "description": "",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "true",
+        "gui.order": "",
+        "consent.screen.text": ""
+      },
+      "protocolMappers": [
+        {
+          "id": "51ee432e-3e4b-466a-ab68-153056829eea",
+          "name": "audience",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "lightweight.claim": "false",
+            "introspection.token.claim": "true",
+            "access.token.claim": "true",
+            "included.custom.audience": "basegun",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ]
+    },
     {
       "id": "73441c05-4093-4268-9547-b86b682de155",
       "name": "phone",
@@ -1443,7 +1473,8 @@
     "offline_access",
     "address",
     "phone",
-    "microprofile-jwt"
+    "microprofile-jwt",
+    "audience"
   ],
   "browserSecurityHeaders": {
     "contentSecurityPolicyReportOnly": "",