Oauth2 not working - token seems correct (9.0.13 pro)

Been using oauth2 for quite a while without problems, but I spun up a new deployment and now cannot get it to work. Maybe I just need another set of eyes, because this is not making any sense to me.

Here’s the seahub.log report when trying to login via oauth2:

2023-01-04 05:57:53,354 [INFO] seahub.oauth.views:156 format_user_info user info resp: {"aud":["fbce1a55-be90-492c-ad11-36799b73f5b3"],"auth_time":1672837071,"contact_email":"dummy@example.com","email":"dummy@example.com","iat":1672837071,"iss":"https://oauth.id.jumpcloud.com/","name":"Admin Administrator","rat":1672837070,"sub":"63b484e35f1ec035a541636a"}

2023-01-04 05:57:53,355 [ERROR] seahub.oauth.views:179 oauth_callback Required user info not found.
2023-01-04 05:57:53,355 [ERROR] seahub.oauth.views:180 oauth_callback {'contact_email': 'dummy@example.com', 'email': 'dummy@example.com', 'name': 'Admin Administrator'}

Seems that it is receiving the token and then parsing the fields correctly. It is recognizing fields perfectly, apparently, but still complaining that the “Required user info is not found.” I assume this means ‘email’ but it clearly found it…

Here’s my attribute map in seahub_settings.py:

OAUTH_ATTRIBUTE_MAP = {
    "contact_email": (False, "contact_email"),
    "email": (True, "email"),
    "name": (False, "name")
}

Am I missing something? Any help or thoughts appreciated!

I’ll answer my own question for the benefit of anyone else searching:

Maybe I didn’t read carefully enough or perhaps the manual is just really unclear on this point…
TL;DR: The ‘id’ claim is automatically treated as required so you have to override this if you’re not using it!

In my case, I configured my token to send back only what I thought I needed - email, name and contact_email. Note that this token does not include an id. There are, therefore, two solutions:

Option 1:
Add an id claim. You don’t have to use it or even mention it in your ATTRIBUTE_MAP, but it must be present in the token.

OR

Option 2:
Explicitly ignore the id claim in your ATTRIBUTE_MAP. So, it’ll look like this:

OAUTH_ATTRIBUTE_MAP = {
    "contact_email": (False, "contact_email"),
    "email": (True, "email"),
    "id": (False, "not used"),
    "name": (False, "name")
}

If you choose Option 2, you do not require an id claim in your token at all.

Hope this helps anyone else running into this poorly worded error.

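The following is an added example, not code from Seafile or from the poster: a small dry-run that applies the rule the answer describes (claims mapped as `(True, ...)` are required, and `id` is required unless the map lists it as optional) to the claims an IdP actually returns, so a map/token mismatch is caught before deployment instead of in seahub.log. The "implicit `id`" default, the function names and the check logic are assumptions modelled on the thread, and the sample payload is a constructed copy of the user-info response quoted above.

```python
"""Dry-run a Seahub-style OAUTH_ATTRIBUTE_MAP against the claims an IdP
really returns, so 'Required user info not found' is caught before a
deployment rather than in seahub.log.

Added example, not Seahub's own code.  The rule it encodes is the one the
answer above describes, restated here as an assumption: every claim mapped
as (True, ...) is required, and 'id' is required unless the map lists it
explicitly as (False, ...).
"""
import json

# Constructed copy of the user-info response quoted from seahub.log above.
USER_INFO_JSON = (
    '{"aud":["fbce1a55-be90-492c-ad11-36799b73f5b3"],"auth_time":1672837071,'
    '"contact_email":"dummy@example.com","email":"dummy@example.com",'
    '"iat":1672837071,"iss":"https://oauth.id.jumpcloud.com/",'
    '"name":"Admin Administrator","rat":1672837070,'
    '"sub":"63b484e35f1ec035a541636a"}'
)

# The two attribute maps from the thread: the original one that failed and
# the Option 2 one that marks 'id' as explicitly optional.
ORIGINAL_MAP = {
    "contact_email": (False, "contact_email"),
    "email": (True, "email"),
    "name": (False, "name"),
}
OPTION2_MAP = {
    "contact_email": (False, "contact_email"),
    "email": (True, "email"),
    "id": (False, "not used"),
    "name": (False, "name"),
}

# Assumed default taken from the answer: 'id' is required unless overridden.
IMPLICITLY_REQUIRED = ("id",)


def required_claims(attribute_map):
    """Return the set of claims the callback will insist on for this map."""
    required = {claim for claim, (is_required, _) in attribute_map.items() if is_required}
    for claim in IMPLICITLY_REQUIRED:
        if claim not in attribute_map:  # not overridden in the map -> still required
            required.add(claim)
    return required


def format_user_info(attribute_map, claims):
    """Translate IdP claims into Seahub attribute names.

    Returns (user_info, missing): user_info holds the mapped values that were
    present in the token; missing lists required claims the token lacked.
    """
    user_info = {}
    for claim, (_, attr_name) in attribute_map.items():
        if claim in claims:
            user_info[attr_name] = claims[claim]
    missing = sorted(c for c in required_claims(attribute_map) if c not in claims)
    return user_info, missing


def check_login(attribute_map, user_info_json):
    """Simulate the callback decision for one token payload.

    Returns the list of missing required claims; an empty list means the
    login would proceed.
    """
    claims = json.loads(user_info_json)
    user_info, missing = format_user_info(attribute_map, claims)
    if missing:
        print("Required user info not found; missing claims:", missing)
        print("parsed so far:", user_info)
    else:
        print("OK, would log in as", user_info["email"])
    return missing


if __name__ == "__main__":
    # Original map against a token without 'id': fails on the implicit 'id'.
    check_login(ORIGINAL_MAP, USER_INFO_JSON)
    # Option 2: same token, 'id' explicitly optional: passes.
    check_login(OPTION2_MAP, USER_INFO_JSON)
    # Option 1: original map, token now carries an 'id' claim: passes.
    claims = json.loads(USER_INFO_JSON)
    claims["id"] = claims["sub"]  # constructed: IdP configured to also emit 'id'
    check_login(ORIGINAL_MAP, json.dumps(claims))
```

Running the script prints the failure for the original map and a pass for both fixes. The point of `required_claims` is that it makes the implicit requirement visible: if you are reviewing an attribute map, print that set and compare it against the claims your IdP is configured to release before pointing real users at the login page.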