diff --git a/oauthenticator/oauth2.py b/oauthenticator/oauth2.py
index 724b98c5..661baaf7 100644
--- a/oauthenticator/oauth2.py
+++ b/oauthenticator/oauth2.py
@@ -563,7 +563,7 @@ def _refresh_pre_spawn_default(self):
 - True (no change)
 - False (require new login)
- - auth_model (dict - the new auth model, if anything should be changeed)
+ - auth_model (dict - the new auth model, if anything should be changed)
 - None (proceed with default refresh_user behavior - allows overriding
 refresh_user behavior for _some_ users)
@@ -1141,12 +1141,21 @@ async def token_to_user(self, token_info):
 id_token,
 audience=self.client_id,
 options=dict(
- verify_signature=False, verify_aud=True, verify_exp=True
+ # setting verify_signature to False makes all other
+ # verification default to False, making us need to
+ # opt-in to what we want to check
+ verify_signature=False,
+ verify_aud=True,
+ verify_exp=True,
 ),
 )
+ except jwt.InvalidAudienceError:
+ raise
+ except jwt.ExpiredSignatureError:
+ raise
 except Exception as err:
 raise web.HTTPError(
- 500, f"Unable to decode id token: {id_token}\n{err}"
+ 500, f"Unknown error decoding id token: {id_token}\n{err}"
 )
 access_token = token_info["access_token"]
@@ -1381,6 +1390,10 @@ async def refresh_user(self, user, handler=None, **kwargs):
 auth_model = None
 try:
 auth_model = await self._token_to_auth_model(token_info)
+ except jwt.ExpiredSignatureError:
+ self.log.info(
+ f"id_token expired for {user.name}. Will try to refresh, if possible."
+ )
 except HTTPClientError as e:
 # assume any client error means an expired token
 # most likely 401 or 403 for well-behaved providers
@@ -1390,6 +1403,7 @@ async def refresh_user(self, user, handler=None, **kwargs):
 )
 else:
 raise
+
 refresh_token = auth_state.get("refresh_token", None)
 if refresh_token and not auth_model:
 self.log.info(f"Refreshing oauth access token for {user.name}")
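Review bot: The rewritten HTTPError line at the end of the token_to_user hunk still embeds the full `id_token` in the 500 log_message, so an undecodable token — together with whatever identity claims it carries — ends up in the server log (and in the error response if tracebacks are being served); the commit changes the wording but keeps the token in the message. Prefer `500, f"Unknown error decoding id token: {err}"`, logging the raw token only at debug level if it is needed for troubleshooting. The two new bare re-raise clauses can be collapsed into one, `except (jwt.InvalidAudienceError, jwt.ExpiredSignatureError): raise`, and because these PyJWT exceptions now escape unwrapped instead of becoming an HTTPError, token_to_user's docstring (outside the hunk) should list them under Raises so callers other than refresh_user know they must handle them. The `try` statement opens before, and token_to_user continues after, this hunk.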
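Review bot: The new `except jwt.ExpiredSignatureError` branch in refresh_user depends on two things the hunk does not show and that deserve a comment: `_token_to_auth_model` must let the PyJWT exception propagate (which the token_to_user change in this commit arranges, presumably via that call path), and leaving `auth_model` as None is what steers execution into the `refresh_token` branch further down. Suggest adding `# expired id_token: leave auth_model None so the refresh_token path below is taken` above the log call. Only expiry is caught here; `jwt.InvalidAudienceError`, which token_to_user now re-raises too, would propagate out of refresh_user rather than forcing a fresh login — reasonable for a misconfigured or unexpected audience, but worth stating in that comment so the asymmetry is deliberate. refresh_user starts and ends outside the hunk.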