auth_oidc: ignore missing kid when comparing keysets (#87468)

2024-02-26 15:35:37 +01:00 · 2024-02-26 15:35:37 +01:00 · f9d07d749a
parent 7d6601c870
commit f9d07d749a
2 changed files with 14 additions and 8 deletions
--- a/src/authentic2_auth_oidc/models.py
+++ b/src/authentic2_auth_oidc/models.py
@ -283,16 +283,17 @@ class OIDCProvider(BaseAuthenticator):
            self.save(update_fields=['jwkset_json', 'modified'])

    def log_jwkset_change(self, old_jwkset, new_jwkset):
-        if old_jwkset == new_jwkset:
+        old_kids = {kid for key in (old_jwkset or dict()).get('keys', []) if (kid := key.get('kid'))}
+        new_kids = {kid for key in new_jwkset.get('keys', []) if (kid := key.get('kid'))}
+
+        if old_kids == new_kids:
            return

-        old_keyset = {key.get('kid') for key in (old_jwkset or dict()).get('keys', [])}
-        new_keyset = {key.get('kid') for key in new_jwkset.get('keys', [])}
        journal.record(
            'provider.keyset.change',
            provider=self.name,
-            new_keyset=new_keyset,
-            old_keyset=old_keyset,
+            new_keyset=new_kids,
+            old_keyset=old_kids,
        )

    def authorization_claims_parameter(self):
--- a/tests/auth_oidc/test_commands.py
+++ b/tests/auth_oidc/test_commands.py
@ -217,7 +217,12 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):
        jwkset = JWKSet()
        jwkset.add(key_rsa)
        jwkset.add(key_ec)
-        return jwkset.export(as_dict=True)
+        d = jwkset.export(as_dict=True)
+        # add extra key without kid to check it is just ignored by change logging
+        other_key = JWK.generate(kty='EC', size=256).export(as_dict=True)
+        other_key.pop('kid', None)
+        d['keys'].append(other_key)
+        return d

    responses.get(
        jwkset_url,
@ -251,7 +256,7 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):
    )
    provider.clean()
    provider.save()
-    assert {key['kid'] for key in provider.jwkset_json['keys']} == {'123', '456'}
+    assert {key.get('kid') for key in provider.jwkset_json['keys']} == {'123', '456', None}

    kid_rsa = 'abcdefg'
    kid_ec = 'hijklmn'
@ -270,4 +275,4 @@ def test_auth_oidc_refresh_jwkset_json(db, app, admin, settings, caplog):

    call_command('oidc-refresh-jwkset-json', '-v1')
    provider.refresh_from_db()
-    assert {key['kid'] for key in provider.jwkset_json['keys']} == {'abcdefg', 'hijklmn'}
+    assert {key.get('kid') for key in provider.jwkset_json['keys']} == {'abcdefg', 'hijklmn', None}