get_oauth_user_info seems to parse the wrong field #1638

Closed
melazarus opened this issue May 11, 2021 · 3 comments
@melazarus
Environment

I'm using Airflow 2.0.2 with Flask-Appbuilder version 3.2.3

pip freeze output:
Flask==1.1.2
Flask-AppBuilder==3.2.3
Flask-Babel==1.0.0
Flask-Caching==1.10.1
Flask-JWT-Extended==3.25.1
Flask-Login==0.4.1
Flask-OpenID==1.2.5
Flask-SQLAlchemy==2.5.1
Flask-WTF==0.14.3

The issue:

def get_oauth_user_info in manager.py,
section: if provider == "azure",
seems to look in the "id_token" for a "upn" value.
When debugging I noticed that there is no upn value in the id_token dict, but at the same time there is an access_token dict which has the "upn" value.

@dpgaspar
Owner

@melazarus,

Thank you for reporting this. Can you provide a sanitised debug log chunk that contains the output from https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py#L597?

@dpgaspar dpgaspar added the bug label May 11, 2021
@melazarus
Author

Sure, if I have sanitised too much, let me know. I have tested locally by exchanging the id_token with the access_token and that seems to work; I can create a pull request if you like.

Here is the debug output you asked for:

airflow-webserver_1 | [2021-05-11 09:53:29,386] {manager.py:597} DEBUG - Azure response received :
{ 'token_type': 'Bearer',
'scope': 'email Mail.Read openid profile User.Read',
'expires_in': 3599,
'ext_expires_in': 3599,
'access_token': '<Removed by me, see sanitize decoded version of this JWT string below>',
'id_token': '<Removed by me, see sanitize decoded version of this JWT string below>',
'expires_at': 1620730408 }

<--------- access_token decoded value --------->
{
"aud": SANITIZED,
"iss": "https://sts.windows.net/SANITIZED/",
"iat": SANITIZED,
"nbf": SANITIZED,
"exp": SANITIZED,
"acct": 0,
"acr": "1",
"acrs": [
"urn:user:registersecurityinfo",
"urn:microsoft:req1",
"urn:microsoft:req2",
"urn:microsoft:req3",
"c1",
"c2",
"c3",
"c4",
"c5",
"c6",
"c7",
"c8",
"c9",
"c10",
"c11",
"c12",
"c13",
"c14",
"c15",
"c16",
"c17",
"c18",
"c19",
"c20",
"c21",
"c22",
"c23",
"c24",
"c25"
],
"aio": "SANITIZED",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "Airflow IdP AWS v2",
"appid": "SANITIZED",
"appidacr": "1",
"family_name": "SANITIZED",
"given_name": "SANITIZED",
"idtyp": "user",
"ipaddr": "SANITIZED",
"name": "SANITIZED",
"oid": "SANITIZED",
"platf": "3",
"puid": "SANITIZED",
"rh": "SANITIZED",
"scp": "email Mail.Read openid profile User.Read",
"signin_state": [
"kmsi"
],
"sub": "SANITIZED",
"tenant_region_scope": "EU",
"tid": "SANITIZED",
"unique_name": "SANITIZED",
"upn": "SANITIZED",
"uti": "SANITIZED",
"ver": "1.0",
"wids": [
"SANITIZED"
],
"xms_st": {
"sub": "SANITIZED"
},
"xms_tcdt": SANITIZED
}

<--------- id_token decoded value --------->
{
"aud": "SANITIZED",
"iss": "https://login.microsoftonline.com/SANITIZED/v2.0",
"iat": SANITIZED,
"nbf": SANITIZED,
"exp": SANITIZED,
"email": "SANITIZED",
"name": "SANITIZED",
"nonce": "SANITIZED",
"oid": "SANITIZED",
"preferred_username": "SANITIZED",
"rh": "SANITIZED",
"sub": "SANITIZED",
"tid": "SANITIZED",
"uti": "SANITIZED",
"ver": "2.0"
}
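
The debugging step above (finding out which token actually carries the "upn" claim) and the swap the reporter tried can be reproduced offline. The Python below is an added example, not Flask-AppBuilder's own code: it builds two unsigned, JWT-shaped tokens from constructed claims modelled on the sanitized dumps in this issue, reports which token contains a given claim, and then derives the user record from the id_token, because the id_token is the token whose audience is the application's own client id, whereas the v1.0 access_token is addressed to the resource API. The audience check, the fallback order upn / preferred_username / email, and every claim value and client-id string are assumptions of this example.

```python
import base64
import json

# Constructed sample claims, modelled on the sanitized dumps in this issue.
# Values are placeholders, not real identifiers.
ACCESS_TOKEN_CLAIMS = {
    "aud": "RESOURCE-API-ID",            # addressed to the resource API, not to us
    "iss": "https://sts.windows.net/TENANT-ID/",
    "upn": "user@example.com",           # v1.0 access_token carries "upn"
    "unique_name": "user@example.com",
    "name": "Example User",
    "given_name": "Example",
    "family_name": "User",
    "oid": "OBJECT-ID",
    "ver": "1.0",
}
ID_TOKEN_CLAIMS = {
    "aud": "CLIENT-ID",                  # addressed to our application
    "iss": "https://login.microsoftonline.com/TENANT-ID/v2.0",
    "email": "user@example.com",
    "preferred_username": "user@example.com",  # v2.0 id_token has no "upn"
    "name": "Example User",
    "oid": "OBJECT-ID",
    "ver": "2.0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) with a dummy
    signature. Offline demonstration only: real tokens are signed by the IdP."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without validating the signature,
    the way one would when inspecting claims in a debug log. A production
    login flow must verify the signature and audience before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_sample_response() -> dict:
    """Constructed equivalent of the 'Azure response received' dict above."""
    return {
        "token_type": "Bearer",
        "access_token": make_unsigned_jwt(ACCESS_TOKEN_CLAIMS),
        "id_token": make_unsigned_jwt(ID_TOKEN_CLAIMS),
    }


def locate_claim(resp: dict, claim: str) -> list:
    """Return the names of the tokens in the response whose payload carries
    `claim`, reproducing the reporter's 'where is upn?' debugging."""
    return [
        name for name in ("access_token", "id_token")
        if claim in decode_jwt_payload(resp[name])
    ]


def get_azure_user_info(resp: dict, expected_client_id: str) -> dict:
    """Derive the user record from the id_token only.

    The id_token is the one issued to this application (its "aud" is our
    client id), so identity claims are read from it. Because a v2.0 id_token
    has no "upn", the username falls back through the claims that are present
    instead of reading "upn" from the access_token, which is meant for the
    resource API and may legitimately differ in shape."""
    id_claims = decode_jwt_payload(resp["id_token"])
    if id_claims.get("aud") != expected_client_id:
        raise ValueError("id_token audience does not match this client")
    username = (
        id_claims.get("upn")
        or id_claims.get("preferred_username")
        or id_claims.get("email")
    )
    if not username:
        raise KeyError("no usable username claim in id_token")
    return {
        "username": username,
        "email": id_claims.get("email", username),
        "name": id_claims.get("name", ""),
        "first_name": id_claims.get("given_name", ""),
        "last_name": id_claims.get("family_name", ""),
        "id": id_claims.get("oid"),
    }


if __name__ == "__main__":
    sample = build_sample_response()
    print("tokens carrying upn:", locate_claim(sample, "upn"))
    print("user info:", get_azure_user_info(sample, "CLIENT-ID"))
```

Run stand-alone, the script shows that only the access_token carries "upn" while the user record is still assembled from the id_token; passing a client id other than the one in the id_token's "aud" raises instead of silently accepting a token meant for someone else.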

@dpgaspar
Owner

The latest 4.3.9 replaced upn with email but is still using the id_token: #2121
