Azure B2C v2 authentication via generic OIDC back-end produces "KeyError 'access_token'" on page accounts/complete/oidc #7911

Closed
2 tasks done
svdHero opened this issue Jul 21, 2022 · 6 comments
Labels
wontfix Nobody will work on this.

Comments

svdHero commented Jul 21, 2022

Describe the issue

I am using Azure B2C for Weblate authentication via OpenID Connect. I've set the environment variable WEBLATE_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT to the value https://my-company-auth.b2clogin.com/my-company-auth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0.

When I click on the Oidc button on the Weblate login page https://weblate.mycompany.com/accounts/login/, I am redirected to Azure B2C and I see the correct policy login page. I can also log in successfully and I am redirected to https://weblate.mycompany.com/accounts/complete/oidc/.

But then I see the following Django error message:

KeyError at /accounts/complete/oidc/
'access_token'
Request Method: GET
Request URL: https://weblate.mycompany.com/accounts/complete/oidc/?state=pOrucHH1HBEY...
Django Version: 4.0.6
Exception Type: KeyError
Exception Value:
'access_token'
Exception Location: /usr/local/lib/python3.10/site-packages/social_core/backends/open_id_connect.py, line 234, in request_access_token
Python Executable: /usr/local/bin/python
Python Version: 3.10.5
Python Path:
['/',
'/usr/local/lib/python3.10/site-packages/git/ext/gitdb',
'/',
'/usr/local/bin',
'/usr/local/lib/python310.zip',
'/usr/local/lib/python3.10',
'/usr/local/lib/python3.10/lib-dynload',
'/usr/local/lib/python3.10/site-packages',
'/app/data/python',
'/usr/local/lib/python3.10/site-packages/gitdb/ext/smmap']
Server time: Thu, 21 Jul 2022 11:42:04 +0000

I already tried

  • I've read and searched the documentation.
  • I've searched for similar issues in this repository.

Steps to reproduce the behavior

  1. Setup Azure B2C as identity provider
  2. Configure Weblate authentication for OpenID Connect by setting these environment variables.
  3. Go to Weblate's login page https://weblate.mycompany.com/accounts/login/ and click on the button "Oidc".
  4. Log in via the Azure B2C login page.
  5. Wait until the Weblate redirect uri https://weblate.mycompany.com/accounts/complete/oidc/ is loaded.
  6. Read the Django error message.

Expected behavior

No Django error after login.

Screenshots

No response

Exception traceback

No response

How do you run Weblate?

Docker container

Weblate versions

4.13.1

Weblate deploy checks

No response

Additional context

According to the error message, the problem seems to be here:
https://github.com/python-social-auth/social-core/blob/3d818d67f4969b99a09880f6a6fcf4bf187bdb28/social_core/backends/open_id_connect.py#L234
and the code expects to find the field access_token in the HTTP response from the Azure B2C OIDC token endpoint.

If that helps, the response from https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration looks like this:

{
  "issuer": "https://mycompanyauth.b2clogin.com/32754e0f-75ef-4654-9eae-779b00b83c55/v2.0/",
  "authorization_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "upn",
    "oid",
    "idp",
    "tid",
    "roles",
    "isForgotPassword",
    "postalCode",
    "state",
    "country",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}

Please let me know, if I can provide any further information that might help.


svdHero commented Jul 21, 2022

Further browser debugging shows, that Weblate issued a request to
https://login.microsoftonline.com/0eca7f40-e581-4860-a149-172d3a66a43b/oauth2/v2.0/authorize?client_id=e60c2871-629b-4c40-8dd2-a8418ab7ce8d&redirect_uri=https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/oauth2/authresp&response_type=code&scope=openid+profile&response_mode=form_post&nonce=g78JTkGi8YBTeaGbHjgNlg==&state=StateProperties=eyJTSUQiOiJ4LW1zLWNwaW0tcmM6NWQ5YTNkZmQtZDkwZC00MGJlLTkxYWUtYjdjZmFhMjZjYzc0IiwiVElEIjoiZGJhNTFmODAtZGM5Yi00MzVjLTg2ZTctZDQ5NTQ3MjBkNTFmIiwiVE9JRCI6IjMyNzU0ZTBmLTc1ZWYtNDY1NC05ZWFlLTc3OWIwMGI4M2M1NSJ9

Note the request query parameter response_type, which is set to code. So the response probably should not have a field access_token anyway, as far as my basic OIDC / OAuth knowledge goes.
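The comment above touches the core of the failure: with response_type=code the front-channel callback carries only code and state, and the tokens come from a separate back-channel call to token_endpoint. That token response must contain an id_token, but access_token is optional in practice; Azure AD B2C only issues one when a web-API scope is requested, and the discovery document posted above lists scopes_supported as ["openid"] only, so a plain `response['access_token']` lookup raises exactly the KeyError shown. The following is an added example (not social-core's or Weblate's code) of the authorization-code flow steps written so that a missing access_token is tolerated while the security checks that matter (state, issuer, audience, expiry, nonce) are still enforced. All endpoint values, client ID, nonce and the id_token are constructed here for the offline demo; signature verification against jwks_uri is deliberately left as a marked gap.

```python
"""Authorization-code flow handling for an OIDC provider that may return no
access_token. Constructed example; not social-core's or Weblate's code."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode


def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                state, nonce, scope="openid"):
    """Front-channel request. With response_type=code the provider returns only
    an authorization code; tokens are obtained from the token endpoint."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def check_callback(query, expected_state):
    """Validate the redirect back to the completion URL (query is a dict of the
    query-string parameters). Returns the authorization code."""
    if query.get("error"):
        raise RuntimeError(f"provider error: {query['error']}: {query.get('error_description', '')}")
    if not secrets.compare_digest(query.get("state", ""), expected_state):
        raise RuntimeError("state mismatch: possible CSRF or stale login")
    code = query.get("code")
    if not code:
        raise RuntimeError("authorization code missing from callback")
    return code


def parse_token_response(body):
    """Parse the JSON body returned by token_endpoint. id_token is mandatory for
    an OIDC token response; access_token is only present when a resource scope
    was granted, so it is returned as None instead of raising KeyError."""
    if "error" in body:
        raise RuntimeError(f"token endpoint error: {body['error']}: {body.get('error_description', '')}")
    id_token = body.get("id_token")
    if not id_token:
        raise RuntimeError("token response has no id_token")
    access_token = body.get("access_token")
    if access_token is not None and str(body.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type for access_token")
    return {
        "id_token": id_token,
        "access_token": access_token,
        "refresh_token": body.get("refresh_token"),
        "expires_in": body.get("expires_in"),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Split a compact JWS into (header, claims). The signature is NOT verified
    here (offline example); verify it against the provider's jwks_uri with the
    header's kid and alg before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise RuntimeError("id_token is not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Claim checks from OIDC Core 3.1.3.7 that need no key: iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise RuntimeError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise RuntimeError("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise RuntimeError("id_token expired")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise RuntimeError("nonce mismatch: possible replayed id_token")
    return claims


def make_unsigned_id_token(claims):
    """Build a JWT-shaped string with a dummy signature for the offline demo
    (constructed test data, not a real B2C token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'demo'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed values; the issuer mirrors the shape in the discovery document above.
    issuer = "https://mycompanyauth.b2clogin.com/32754e0f-75ef-4654-9eae-779b00b83c55/v2.0/"
    client_id, state, nonce = "demo-client-id", secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_request("https://example.invalid/oauth2/v2.0/authorize",
                                      client_id, "https://weblate.example/accounts/complete/oidc/",
                                      state, nonce))
    code = check_callback({"state": state, "code": "AUTH_CODE"}, state)
    # Constructed B2C-style token response for scope=openid: id_token only.
    token_body = {"id_token": make_unsigned_id_token(
        {"iss": issuer, "aud": client_id, "exp": time.time() + 600, "nonce": nonce}),
        "token_type": "Bearer", "id_token_expires_in": 600}
    tokens = parse_token_response(token_body)
    _, claims = id_token_claims(tokens["id_token"])
    validate_id_token_claims(claims, issuer, client_id, nonce)
    print("code:", code, "access_token:", tokens["access_token"], "sub/oid claims:", claims)
```

The design point is that the absence of access_token is a normal outcome of this configuration, not a protocol violation, so it must not abort the login; what must abort it is a state, issuer, audience, expiry or nonce mismatch, or an unverifiable signature.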


nijel commented Jul 22, 2022

Maybe python-social-auth/social-core#459 is related? Anyway, this is better to discuss at python-social-auth as it's not really Weblate specific issue...


svdHero commented Jul 22, 2022

Maybe. Other enterprise apps that we are using in my company all make the requests to endpoints under https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/ and they work. We do not use login.microsoftonline.com anywhere.

But then again: If I change the response_type from code to id_token and send the request the response from the endpoint looks fine.

What are you suggesting? Should I open another issue in https://github.com/python-social-auth/social-core/issues or should I just comment on the linked PR? What would you guys prefer?


nijel commented Jul 25, 2022

If you can test the PR and provide feedback, we can probably merge it there.

@nijel nijel added the wontfix Nobody will work on this. label Jul 25, 2022

nijel commented Jul 25, 2022

Anyway, closing it here as the issue is in social auth and not in Weblate itself.

@nijel nijel closed this as completed Jul 25, 2022

svdHero commented Jul 25, 2022

@nijel I had a look at the code changes in the PR. They do not seem to be related to my problem. I will both open a new issue in social auth and try to test the PR. I am very eager to make Weblate work with Azure B2C.
