Skip to content

auth/backends: Simplify and improve OIDC authentication

While working on #2267 (closed), I noticed a couple of improvements could be added to the OIDC auth backend implementation:

  • there is no need to query the userinfo endpoint of the OIDC server when authenticating as those information can also be found in the decoded access token

  • use a more reliable access token expiration date (use exp timestamp in decoded token)

  • check groups claim is present in decoded token before trying to read it


Migrated from D2876 (view on Phabricator)

Merge request reports