Commit c6a76147 authored by Nicolas Dandrimont's avatar Nicolas Dandrimont

keycloak: always check password

The current logic would bypass the password check when the stored user
information was younger than `refresh_expires_at`, which is a pretty
long timeline.
parent 718074f6
Tags v2.2.3
Pipeline #11097 passed
......@@ -144,20 +144,15 @@ class KeycloakBasicAuthentication(BasicAuthentication):
Tuple of deposit_client, None.
"""
oidc_user = self.get_user(user_id)
ttl: Optional[int] = None
if not oidc_user:
try:
oidc_profile = self.client.login(user_id, password)
except KeycloakError as e:
logger.debug("KeycloakError: e: %s", e)
error_msg = keycloak_error_message(e)
raise AuthenticationFailed(error_msg)
oidc_user = oidc_user_from_profile(self.client, oidc_profile)
ttl = int(
oidc_user.refresh_expires_at.timestamp() - timezone.now().timestamp()
)
try:
oidc_profile = self.client.login(user_id, password)
except KeycloakError as e:
logger.debug("KeycloakError: e: %s", e)
error_msg = keycloak_error_message(e)
raise AuthenticationFailed(error_msg)
oidc_user = oidc_user_from_profile(self.client, oidc_profile)
ttl = int(oidc_user.refresh_expires_at.timestamp() - timezone.now().timestamp())
# Making sure the associated deposit client is correctly configured in backend
try:
......
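Review bot: The `except KeycloakError` branch records a rejected login only through `logger.debug`, so unless debug logging is enabled a failed password check leaves no trace. Now that every request goes through `self.client.login`, these failures are the main signal for password guessing against this endpoint; I would log them at warning level with the user id and never the password, e.g. `logger.warning("Keycloak login failed for user %s: %s", user_id, e)`. Separately, `ttl` is still computed from `refresh_expires_at`, which suggests the user is still cached after the hunk; since `get_user` is no longer consulted here, it is worth confirming that no other code path treats a cached entry as proof of authentication. The method starts and ends outside the hunk, so the cache write itself is not visible.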