Duplicate call to handle_provider_config causing duplicate keys being loaded in keyjar
Closed this issue · 3 comments
I encountered a problem where the public keys are loaded twice in the keyjar, causing problems during token validation. I can trace it back to these two calls in the PyoidcFacade: https://github.com/zamzterz/Flask-pyoidc/blob/main/src/flask_pyoidc/pyoidc_facade.py#L41-L42
provider_metadata = provider_configuration.ensure_provider_metadata(self._client)
self._client.handle_provider_config(ProviderConfigurationResponse(**provider_metadata.to_dict()),
provider_metadata['issuer'])
In the first call to ensure_provider_metadata, a call to handle_provider_config on the client is already made. So why is it necessary to make another call to handle_provider_config? The extra call results in keys being added to the keyjar again. My problem seems to be resolved when I remove the second call to handle_provider_config without causing any other problems as far as I can see now.
If you use Dynamic Provider Registration to discover the IdP's endpoints, then only it calls handle_provider_config.
Flask-pyoidc/src/flask_pyoidc/provider_configuration.py
Lines 177 to 184 in 7e0cded
The if branch here becomes true if dynamic discovery has to be made to register the IdP's endpoints. For Static Provider Registration, the if condition becomes false, so handle_provider_config has to be called explicitly to register it.
This was the reason behind this call, however I have reproduced the bug. handle_provider_config is being called twice during Dynamic Provider Registration which is appending the oic.utils.keyio.KeyBundle instance to the keyjar at this line:
try:
self.issuer_keys[issuer].append(kc)
except KeyError:
self.issuer_keys[issuer] = [kc]
return kcI will raise PR to address it.
Thanks for the explanation. Now it makes sense to me why the extra call is made. I can also confirm that the issue is resolved on my side once I tried it with your fix in the linked PR.