def callback(self, state_token, authz_code, trans, login_redirect_url):
# Take state value to validate from token. OAuth2Session.fetch_token
# will validate that the state query parameter value on the URL matches
# this value.
state_cookie = trans.get_cookie(name=STATE_COOKIE_NAME)
oauth2_session = self._create_oauth2_session(state=state_cookie)
token = self._fetch_token(oauth2_session, trans)
log.debug("token={}".format(json.dumps(token, indent=True)))
access_token = token['access_token']
id_token = token['id_token']
refresh_token = token[
'refresh_token'] if 'refresh_token' in token else None
expiration_time = datetime.now() + timedelta(
seconds=token['expires_in'])
refresh_expiration_time = (
datetime.now() + timedelta(seconds=token['refresh_expires_in'])
) if 'refresh_expires_in' in token else None
# Get nonce from token['id_token'] and validate. 'nonce' in the
# id_token is a hash of the nonce stored in the NONCE_COOKIE_NAME
# cookie.
id_token_decoded = jwt.decode(id_token, verify=False)
nonce_hash = id_token_decoded['nonce']
self._validate_nonce(trans, nonce_hash)
# Get userinfo and lookup/create Galaxy user record
userinfo = self._get_userinfo(oauth2_session)
log.debug("userinfo={}".format(json.dumps(userinfo, indent=True)))
username = userinfo['preferred_username']
email = userinfo['email']
user_id = userinfo['sub']
# Create or update custos_authnz_token record
custos_authnz_token = self._get_custos_authnz_token(
trans.sa_session, user_id, self.config['provider'])
if custos_authnz_token is None:
user = self._get_current_user(trans)
if not user:
user = self._create_user(trans.sa_session, username, email)
custos_authnz_token = CustosAuthnzToken(
user=user,
external_user_id=user_id,
provider=self.config['provider'],
access_token=access_token,
id_token=id_token,
refresh_token=refresh_token,
expiration_time=expiration_time,
refresh_expiration_time=refresh_expiration_time)
else:
custos_authnz_token.access_token = access_token
custos_authnz_token.id_token = id_token
custos_authnz_token.refresh_token = refresh_token
custos_authnz_token.expiration_time = expiration_time
custos_authnz_token.refresh_expiration_time = refresh_expiration_time
trans.sa_session.add(custos_authnz_token)
trans.sa_session.flush()
return login_redirect_url, custos_authnz_token.user
def callback(self, state_token, authz_code, trans, login_redirect_url):
# Take state value to validate from token. OAuth2Session.fetch_token
# will validate that the state query parameter value on the URL matches
# this value.
state_cookie = trans.get_cookie(name=STATE_COOKIE_NAME)
oauth2_session = self._create_oauth2_session(state=state_cookie)
token = self._fetch_token(oauth2_session, trans)
log.debug("token={}".format(json.dumps(token, indent=True)))
access_token = token['access_token']
id_token = token['id_token']
refresh_token = token[
'refresh_token'] if 'refresh_token' in token else None
expiration_time = datetime.now() + timedelta(
seconds=token.get('expires_in', 3600))
refresh_expiration_time = (
datetime.now() + timedelta(seconds=token['refresh_expires_in'])
) if 'refresh_expires_in' in token else None
# Get nonce from token['id_token'] and validate. 'nonce' in the
# id_token is a hash of the nonce stored in the NONCE_COOKIE_NAME
# cookie.
id_token_decoded = jwt.decode(id_token, verify=False)
nonce_hash = id_token_decoded['nonce']
self._validate_nonce(trans, nonce_hash)
# Get userinfo and lookup/create Galaxy user record
if id_token_decoded.get('email', None):
userinfo = id_token_decoded
else:
userinfo = self._get_userinfo(oauth2_session)
log.debug("userinfo={}".format(json.dumps(userinfo, indent=True)))
email = userinfo['email']
# Check if username if already taken
username = userinfo.get('preferred_username',
self._generate_username(trans, email))
user_id = userinfo['sub']
# Create or update custos_authnz_token record
custos_authnz_token = self._get_custos_authnz_token(
trans.sa_session, user_id, self.config['provider'])
if custos_authnz_token is None:
user = trans.user
if not user:
existing_user = trans.sa_session.query(User).filter_by(
email=email).first()
if existing_user:
# If there is only a single external authentication
# provider in use, trust the user provided and
# automatically associate.
# TODO: Future work will expand on this and provide an
# interface for when there are multiple auth providers
# allowing explicit authenticated association.
if (trans.app.config.enable_oidc
and len(trans.app.config.oidc) == 1 and len(
trans.app.auth_manager.authenticators) == 0):
user = existing_user
else:
message = 'There already exists a user this email. To associate this external login, you must first be logged in as that existing account.'
log.exception(message)
raise exceptions.AuthenticationFailed(message)
else:
user = trans.app.user_manager.create(email=email,
username=username)
trans.sa_session.add(user)
trans.sa_session.flush()
custos_authnz_token = CustosAuthnzToken(
user=user,
external_user_id=user_id,
provider=self.config['provider'],
access_token=access_token,
id_token=id_token,
refresh_token=refresh_token,
expiration_time=expiration_time,
refresh_expiration_time=refresh_expiration_time)
else:
custos_authnz_token.access_token = access_token
custos_authnz_token.id_token = id_token
custos_authnz_token.refresh_token = refresh_token
custos_authnz_token.expiration_time = expiration_time
custos_authnz_token.refresh_expiration_time = refresh_expiration_time
trans.sa_session.add(custos_authnz_token)
trans.sa_session.flush()
return login_redirect_url, custos_authnz_token.user