diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
index 41e82359d9cf..5abf55e47e6c 100644
--- a/lib/galaxy/authnz/managers.py
+++ b/lib/galaxy/authnz/managers.py
@@ -421,14 +421,11 @@ def find_user_by_access_token_in_provider(self, sa_session, provider, access_tok
 return user
 return None
 except Exception as e:
- msg = f"An error occurred when finding user by token: {e}"
+ msg = f"An error occurred with provider: {provider} when finding user by token: {e}"
 log.error(msg)
 return None
 
 def find_user_by_access_token(self, sa_session, access_token):
- # decoded_token = jwt.decode(access_token, options={"verify_signature": False})
- # issuer = decoded_token["iss"]
- # audience = decoded_token["aud"]
 for provider in self.oidc_backends_config:
 user = self.find_user_by_access_token_in_provider(sa_session, provider, access_token)
 if user:
diff --git a/test/integration/oidc/test_auth_oidc.py b/test/integration/oidc/test_auth_oidc.py
index a1c6ffeec93a..e4fc398dde23 100644
--- a/test/integration/oidc/test_auth_oidc.py
+++ b/test/integration/oidc/test_auth_oidc.py
@@ -242,6 +242,13 @@ def test_auth_with_another_authorized_client(self):
 access_token = self._get_keycloak_access_token(client_id="bpaclient", scopes=["gx:*"])
 response = self._get("users/current", headers={"Authorization": f"Bearer {access_token}"})
 self._assert_status_code_is(response, 200)
+ assert response.json()["email"] == "gxyuser@galaxy.org"
+
+ def test_auth_with_authorized_client_but_unauthorized_audience(self):
+ _, response = self._login_via_keycloak("bpaonlyuser", KEYCLOAK_TEST_PASSWORD)
+ access_token = self._get_keycloak_access_token(client_id="bpaclient", username="bpaonlyuser")
+ response = self._get("users/current", headers={"Authorization": f"Bearer {access_token}"})
+ self._assert_status_code_is(response, 400)
 
 def test_auth_with_unauthorized_client(self):
 _, response = self._login_via_keycloak(KEYCLOAK_TEST_USERNAME, KEYCLOAK_TEST_PASSWORD)
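Review bot: The new `msg` line in the `except Exception as e:` branch still discards the traceback, because `log.error(msg)` records only the formatted text, and since this handler catches every exception and returns None, that provider-tagged message is the only trace a failed token lookup leaves for an operator. Consider `log.exception("An error occurred with provider: %s when finding user by token", provider)` inside the except so the stack is kept and the arguments are formatted lazily; the exception text is then still emitted as part of the record. The body of find_user_by_access_token_in_provider begins before the hunk, and the loop in find_user_by_access_token continues past it.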
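Review bot: `test_auth_with_authorized_client_but_unauthorized_audience` pins only the status code, so any 400 response — a malformed token or a rejected header — satisfies it rather than the audience rejection the test is named for; add an assertion on the error message in the JSON body (the exact text taken from the server's audience-mismatch response, e.g. `assert "<expected-audience-error-text>" in response.json()["err_msg"]`) so a regression elsewhere cannot mask the check. In the same test the `response` bound by `_login_via_keycloak` is overwritten two lines later without being inspected, so `_, _ =` (or asserting on the login response) would make the intent clearer. It is also worth confirming that 400, rather than 401, is the intended status for a bearer token issued to an unexpected audience, since the new test now locks that choice in.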