Skip to content

Commit 71608a4

Browse files
committed
fix(api): OIDC 401
1 parent 1802749 commit 71608a4

2 files changed

Lines changed: 10 additions & 2 deletions

File tree

cmdb-api/api/lib/perm/authentication/oauth2/routing.py

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,9 @@ def login(auth_type):
3939
redirect_uri = "{}://{}{}".format(urlparse(request.referrer).scheme,
4040
urlparse(request.referrer).netloc,
4141
url_for('oauth2.callback', auth_type=auth_type.lower()))
42+
# Persist redirect_uri for callback token exchange to avoid
43+
# reverse proxy Host normalization causing redirect_uri mismatch.
44+
session[f'{auth_type.lower()}_redirect_uri'] = redirect_uri
4245
qs = urlencode({
4346
'client_id': config['client_id'],
4447
'redirect_uri': redirect_uri,
@@ -63,12 +66,16 @@ def callback(auth_type):
6366
if 'code' not in request.values:
6467
return abort(401, 'code is invalid')
6568

69+
redirect_uri = session.get(f'{auth_type.lower()}_redirect_uri') or session.get(
70+
f'{auth_type}_redirect_uri') or url_for(
71+
'oauth2.callback', auth_type=auth_type.lower(), _external=True)
72+
6673
response = requests.post(config['token_url'], data={
6774
'client_id': config['client_id'],
6875
'client_secret': config['client_secret'],
6976
'code': request.values['code'],
7077
'grant_type': current_app.config[f'{auth_type}_GRANT_TYPE'],
71-
'redirect_uri': url_for('oauth2.callback', auth_type=auth_type.lower(), _external=True),
78+
'redirect_uri': redirect_uri,
7279
}, headers={'Accept': 'application/json'})
7380
if response.status_code != 200:
7481
current_app.logger.error(response.text)
@@ -126,6 +133,7 @@ def logout(auth_type):
126133
"acl" in session and session.pop("acl")
127134
"uid" in session and session.pop("uid")
128135
f'{auth_type}_state' in session and session.pop(f'{auth_type}_state')
136+
f'{auth_type}_redirect_uri' in session and session.pop(f'{auth_type}_redirect_uri')
129137
"next" in session and session.pop("next")
130138

131139
redirect_url = url_for('oauth2.login', auth_type=auth_type, _external=True, next=request.referrer)

cmdb-ui/src/views/setting/auth/oauth2.vue

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ export default {
7070
username: 'name',
7171
avatar: 'picture',
7272
},
73-
scopes: this.data_type === 'OAUTH2' ? ['profile', 'email'] : ['profile', 'email', 'openId'],
73+
scopes: this.data_type === 'OAUTH2' ? ['profile', 'email'] : ['profile', 'email', 'openid'],
7474
after_login: '/',
7575
}
7676
return {

0 commit comments

Comments
 (0)