Azure B2C v2 authentication via generic OIDC back-end produces "KeyError 'access_token'" on page accounts/complete/oidc
Closed this issue · 6 comments
Describe the issue
I am using Azure B2C for Weblate authentication via OpenID Connect. I've set the environment variable WEBLATE_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT to the value https://my-company-auth.b2clogin.com/my-company-auth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0.
When I click on the Oidc button on the Weblate login page https://weblate.mycompany.com/accounts/login/, I am redirected to Azure B2C and I see the correct policy login page. I can also log in successfully and I am redirected to https://weblate.mycompany.com/accounts/complete/oidc/.
But then I see the following Django error message:
KeyError at /accounts/complete/oidc/
'access_token'
Request Method: GET
Request URL: https://weblate.mycompany.com/accounts/complete/oidc/?state=pOrucHH1HBEY...
Django Version: 4.0.6
Exception Type: KeyError
Exception Value:
'access_token'
Exception Location: /usr/local/lib/python3.10/site-packages/social_core/backends/open_id_connect.py, line 234, in request_access_token
Python Executable: /usr/local/bin/python
Python Version: 3.10.5
Python Path:
['/',
'/usr/local/lib/python3.10/site-packages/git/ext/gitdb',
'/',
'/usr/local/bin',
'/usr/local/lib/python310.zip',
'/usr/local/lib/python3.10',
'/usr/local/lib/python3.10/lib-dynload',
'/usr/local/lib/python3.10/site-packages',
'/app/data/python',
'/usr/local/lib/python3.10/site-packages/gitdb/ext/smmap']
Server time: Thu, 21 Jul 2022 11:42:04 +0000
I already tried
- I've read and searched the documentation.
- I've searched for similar issues in this repository.
Steps to reproduce the behavior
- Setup Azure B2C as identity provider
- Configure Weblate authentication for OpenID Connect by setting these environment variables.
- Go to Weblate's login page https://weblate.mycompany.com/accounts/login/ and click on the button "Oidc".
- Log in via the Azure B2C login page.
- Wait until the Weblate redirect URI https://weblate.mycompany.com/accounts/complete/oidc/ is loaded.
- Read the Django error message.
Expected behavior
No Django error after login.
Screenshots
No response
Exception traceback
No response
How do you run Weblate?
Docker container
Weblate versions
4.13.1
Weblate deploy checks
No response
Additional context
According to the error message, the problem seems to be here: https://github.com/python-social-auth/social-core/blob/3d818d67f4969b99a09880f6a6fcf4bf187bdb28/social_core/backends/open_id_connect.py#L234, and the code expects to find the field access_token in the HTTP response from the Azure B2C OIDC.
If that helps, the response from https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration looks like this:
{
"issuer": "https://mycompanyauth.b2clogin.com/32754e0f-75ef-4654-9eae-779b00b83c55/v2.0/",
"authorization_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/authorize",
"token_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/token",
"end_session_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/logout",
"jwks_uri": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/discovery/v2.0/keys",
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"response_types_supported": [
"code",
"code id_token",
"code token",
"code id_token token",
"id_token",
"id_token token",
"token",
"token id_token"
],
"scopes_supported": [
"openid"
],
"subject_types_supported": [
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"name",
"given_name",
"family_name",
"email",
"upn",
"oid",
"idp",
"tid",
"roles",
"isForgotPassword",
"postalCode",
"state",
"country",
"iss",
"iat",
"exp",
"aud",
"acr",
"nonce",
"auth_time"
]
}
Please let me know, if I can provide any further information that might help.
Further browser debugging shows that Weblate issued a request to
https://login.microsoftonline.com/0eca7f40-e581-4860-a149-172d3a66a43b/oauth2/v2.0/authorize?client_id=e60c2871-629b-4c40-8dd2-a8418ab7ce8d&redirect_uri=https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/oauth2/authresp&response_type=code&scope=openid+profile&response_mode=form_post&nonce=g78JTkGi8YBTeaGbHjgNlg==&state=StateProperties=eyJTSUQiOiJ4LW1zLWNwaW0tcmM6NWQ5YTNkZmQtZDkwZC00MGJlLTkxYWUtYjdjZmFhMjZjYzc0IiwiVElEIjoiZGJhNTFmODAtZGM5Yi00MzVjLTg2ZTctZDQ5NTQ3MjBkNTFmIiwiVE9JRCI6IjMyNzU0ZTBmLTc1ZWYtNDY1NC05ZWFlLTc3OWIwMGI4M2M1NSJ9
Note the request query parameter response_type, which is set to code. So the response probably should not have a field access_token anyway, as far as my basic OIDC / OAuth knowledge goes.
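The KeyError in this issue is a bare lookup of access_token on the /token reply. As an added example (not Weblate's or social-core's code, and not the linked PR), the handler below reports a missing access_token instead of crashing, requires the id_token, and checks its iss (the "issuer" from the discovery document quoted above), aud, nonce and exp claims; the client id and nonce values are constructed, and signature verification against jwks_uri is assumed to be done separately before these claims are trusted.

```python
import base64
import json
import time

# Added example, not Weblate or social-core code. EXPECTED_ISSUER is the "issuer"
# from the discovery document quoted above; client_id and nonce values are constructed.
EXPECTED_ISSUER = "https://mycompanyauth.b2clogin.com/32754e0f-75ef-4654-9eae-779b00b83c55/v2.0/"

class TokenResponseError(ValueError):
    """The /token reply cannot be used to sign the user in."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def id_token_claims(id_token: str) -> dict:
    """Claims of a compact JWS. Signature verification against jwks_uri is a
    separate, mandatory step that must happen before these claims are trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise TokenResponseError("id_token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def handle_token_response(resp: dict, client_id: str, expected_nonce: str, now=None) -> dict:
    """Validate a code-flow /token reply. The issue's KeyError came from indexing
    resp["access_token"]; here a missing access_token is reported, not crashed on,
    and sign-in relies on the validated id_token claims instead."""
    if "error" in resp:
        raise TokenResponseError(f"{resp['error']}: {resp.get('error_description', '')}")
    id_token = resp.get("id_token")
    if not id_token:
        raise TokenResponseError("token response carries no id_token")
    claims = id_token_claims(id_token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenResponseError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise TokenResponseError("id_token not issued for this client")
    if claims.get("nonce") != expected_nonce:
        raise TokenResponseError("nonce mismatch: not the login we started")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenResponseError("id_token expired")
    return {"claims": claims, "access_token": resp.get("access_token")}

def constructed_id_token(claims: dict) -> str:
    """Unsigned test token for this example only; never accept such a token in production."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"
```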
Maybe python-social-auth/social-core#459 is related? Anyway, this is better to discuss at python-social-auth as it's not really a Weblate-specific issue...
Maybe. Other enterprise apps that we are using in my company all make the requests to endpoints under https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/ and they work. We do not use login.microsoftonline.com anywhere.
But then again: if I change the response_type from code to id_token and send the request, the response from the endpoint looks fine.
What are you suggesting? Should I open another issue in https://github.com/python-social-auth/social-core/issues or should I just comment on the linked PR? What would you guys prefer?
If you can test the PR and provide feedback, we can probably merge it there.
Anyway, closing it here as the issue is in social auth and not in Weblate itself.