Fix OIDC login failure due to missing nonce parameter in ID token parsing

The OIDC callback was failing because parse_id_token() was called without
the required 'nonce' parameter, causing authentication to fail with a
TypeError. This prevented the issuer (iss) claim from being extracted,
which is required for successful OIDC login.

Changes:
- Check if ID token claims are already available in the token response
  under 'userinfo' key (parsed by Authlib during authorize_access_token)
- If not available, retrieve nonce from session and pass it to
  parse_id_token() method
- This ensures the issuer and subject claims are properly extracted from
  the ID token instead of only relying on the userinfo endpoint

The issuer claim is only present in the ID token, not the userinfo
endpoint, so proper ID token parsing is essential for authentication.

Fixes #<issue_number>
Dries Peeters
2025-10-16 12:52:51 +02:00
parent 94e8e49439
commit c0e0fd2d17


@@ -244,13 +244,24 @@ def oidc_callback():
id_token_parsed = False
try:
current_app.logger.info("OIDC callback: Attempting to parse ID token")
parsed = client.parse_id_token(token)
if parsed:
claims = parsed
# Authlib already validates and parses the ID token during authorize_access_token()
# The parsed claims should be available in the token dict under 'userinfo' key
if isinstance(token, dict) and 'userinfo' in token:
claims = token.get('userinfo', {})
id_token_parsed = True
current_app.logger.info("OIDC callback: ID token parsed successfully, claims keys: %s", list(claims.keys()))
current_app.logger.info("OIDC callback: ID token claims available from token, claims keys: %s", list(claims.keys()))
else:
current_app.logger.warning("OIDC callback: parse_id_token returned None/empty")
# If not available, parse it manually with nonce from session
# Authlib stores the nonce in session during authorize_redirect()
nonce = session.get('_oidc_authlib_nonce_')
current_app.logger.debug("OIDC callback: Nonce from session: %s", 'present' if nonce else 'missing')
parsed = client.parse_id_token(token, nonce=nonce)
if parsed:
claims = parsed
id_token_parsed = True
current_app.logger.info("OIDC callback: ID token parsed successfully, claims keys: %s", list(claims.keys()))
else:
current_app.logger.warning("OIDC callback: parse_id_token returned None/empty")
except Exception as e:
current_app.logger.error("OIDC callback: Failed to parse ID token: %s - %s", type(e).__name__, str(e))
# Try to decode the token manually to debug
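Review bot: the manual-parse fallback (`nonce = session.get('_oidc_authlib_nonce_')` followed by `client.parse_id_token(token, nonce=nonce)`) should fail closed when the nonce is absent instead of passing `nonce=None`; unless the library is explicitly configured to require the claim, a `None` nonce means the ID token is not checked against the value issued for this login, so the debug line that reports the nonce as 'missing' should become an abort of the callback. Two related points: `_oidc_authlib_nonce_` is a private session key rather than a documented Authlib interface, so confirm it matches the Authlib version in use (the nonce is normally kept with the state data saved by `authorize_redirect()` and consumed inside `authorize_access_token()`), and the broad `except Exception` at the end catches signature, issuer and nonce validation failures alike, so the "decode the token manually to debug" path that follows must only log and never feed claims from an unverified decode into the authentication flow. Please also document in the function docstring which of the two branches (the pre-parsed 'userinfo' claims versus the manual parse) is expected in normal operation, since the callback now has two sources of truth for `claims`.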