[IMP] auth_oidc: split validation in _auth_oauth_validate

OdyX · OdyX · commit bc39e7b2d6e5 · 2025-02-21T14:41:05.000+01:00
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
@@ -45,6 +45,45 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
         # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
         return response_json.get("access_token"), response_json.get("id_token")
 
+    @api.model
+    def _auth_oauth_validate(self, provider, id_token, access_token):
+        """
+        return the validation data corresponding to the access token
+        Mostly the same as auth_oauth ResUsers._auth_oauth_validate, minus the
+        validation_endpoint
+        """
+        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
+
+        # Parse the token to get validation data
+        validation = oauth_provider._parse_id_token(id_token, access_token)
+
+        if oauth_provider.data_endpoint:
+            data = super()._auth_oauth_rpc(oauth_provider.data_endpoint, access_token)
+            validation.update(data)
+        # unify subject key, pop all possible and get most sensible. When this
+        # is reworked, BC should be dropped and only the `sub` key should be
+        # used (here, in _generate_signup_values, and in _auth_oauth_signin)
+        subject = next(
+            filter(
+                None,
+                [
+                    validation.pop(key, None)
+                    for key in [
+                        "sub",  # standard
+                        "id",  # google v1 userinfo, facebook opengraph
+                        "user_id",  # google tokeninfo, odoo (tokeninfo)
+                    ]
+                ],
+            ),
+            None,
+        )
+        if not subject:
+            _logger.error("Access Denied: missing subject identity")
+            raise AccessDenied()
+        validation["user_id"] = subject
+
+        return validation
+
     @api.model
     def auth_oauth(self, provider, params):
         oauth_provider = self.env["auth.oauth.provider"].browse(provider)
@@ -64,23 +103,9 @@ def auth_oauth(self, provider, params):
         if not id_token:
             _logger.error("No id_token in response.")
             raise AccessDenied()
-        validation = oauth_provider._parse_id_token(id_token, access_token)
-        if oauth_provider.data_endpoint:
-            data = requests.get(
-                oauth_provider.data_endpoint,
-                headers={"Authorization": "Bearer %s" % access_token},
-                timeout=10,
-            ).json()
-            validation.update(data)
-        # required check
-        if "sub" in validation and "user_id" not in validation:
-            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
-            # claim:
-            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-            validation["user_id"] = validation["sub"]
-        elif not validation.get("user_id"):
-            _logger.error("user_id claim not found in id_token (after mapping).")
-            raise AccessDenied()
+
+        validation = self._auth_oauth_validate(provider, id_token, access_token)
+
         # retrieve and sign in user
         params["access_token"] = access_token
         login = self._auth_oauth_signin(provider, validation, params)
