Conversation
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
|
@aibaq this is a great start. to help me understand the issue a bit more, in what scenario did you encounter this issue? I would expect that a user would have logged in at least once by the time get_id_token_dictionary was called. I'd like to understand how this was occurring to both correct my expectations and ensure there isn't a bug somewhere else that is allow a token to be generated for a user that isn't authenticated. It also looks like there is a code path that is uncovered that will need to be tested. |
There was a problem hiding this comment.
Pull Request Overview
This pull request fixes a TypeError that occurs at the /o/token/ endpoint when using OIDC and the Django User's last_login field is null. The fix adds a null check for last_login and provides a fallback value using the current timestamp.
- Added null safety check for
request.user.last_loginbefore accessing it - Set
timezone.now().timestamp()as fallback whenlast_loginis null - Added test case to verify the fix works with null
last_loginvalues
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| oauth2_provider/oauth2_validators.py | Added null check for last_login and fallback to current timestamp |
| tests/test_oauth2_validators.py | Added test setup to simulate user with null last_login |
| CHANGELOG.md | Added entry for the TypeError fix |
| AUTHORS | Added contributor name |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
@aibaq We won't be able to close this without the test coverage and details so we can reproduce the bug. |
|
For context, we recently hit the same error after upgrading oauthlib from 3.2 to 3.3. The "id_token" is now included in refresh token responses when the the However, it's unclear for me how this should behave for users who interact only with OAuth applications. For these users, their |
|
@amatissart thanks for the additional context. I'm definitely open to the PR. As you noted the guidance with regard to last_login is unclear. I see there is a test for the case, but it explicitly sets user.last_login to None. I'd like a clear understanding of how this happens in the wild and for that to be clearly documented in the code at the conditional or in a test. The test explicitly sets the user.last_login to none, which is a bit synthetic. I feel like the field being nullabe is probably sufficient for having some sort of fallback... but that raises the question of how should we handle this when user.last_login is not set? Is now appropriate? Should auth_time be omitted in these cases, it is optional after all? Should we look to the token chain and look for a a created time on the earliest token there? Or are we missing a mechanism to track session time that allows us to provide a reliable auth_time that can be used for session expiration? If user.last_login is not set, should we set it and then use that for auth_time? I want to be sure we're doing the right thing, but I have limited time to research these things as a maintainer. We really depend on the support of the wider community and contributors who are focused on these issues to help us ensure we're doing what's right for the wider user community... |
Fixes #
Description of the Change
Django User's last_login field is nullable, so
/o/token/endpoint raises TypeError when last_login is null when using oidcThis fix sets timezone.now() as a default value for auth_time
Checklist
CHANGELOG.mdupdated (only for user relevant changes)AUTHORS