Description
Describe the issue
I am using Azure B2C for Weblate authentication via OpenID Connect. I've set the environment variable WEBLATE_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT to the value https://my-company-auth.b2clogin.com/my-company-auth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0.
When I click on the Oidc button on the Weblate login page https://weblate.mycompany.com/accounts/login/, I am redirected to Azure B2C and I see the correct policy login page. I can also log in successfully and I am redirected to https://weblate.mycompany.com/accounts/complete/oidc/.
But then I see the following Django error message:
KeyError at /accounts/complete/oidc/
'access_token'
Request Method: GET
Request URL: https://weblate.mycompany.com/accounts/complete/oidc/?state=pOrucHH1HBEY...
Django Version: 4.0.6
Exception Type: KeyError
Exception Value:
'access_token'
Exception Location: /usr/local/lib/python3.10/site-packages/social_core/backends/open_id_connect.py, line 234, in request_access_token
Python Executable: /usr/local/bin/python
Python Version: 3.10.5
Python Path:
['/',
'/usr/local/lib/python3.10/site-packages/git/ext/gitdb',
'/',
'/usr/local/bin',
'/usr/local/lib/python310.zip',
'/usr/local/lib/python3.10',
'/usr/local/lib/python3.10/lib-dynload',
'/usr/local/lib/python3.10/site-packages',
'/app/data/python',
'/usr/local/lib/python3.10/site-packages/gitdb/ext/smmap']
Server time: Thu, 21 Jul 2022 11:42:04 +0000
I already tried
- I've read and searched the documentation.
- I've searched for similar issues in this repository.
Steps to reproduce the behavior
- Set up Azure B2C as identity provider.
- Configure Weblate authentication for OpenID Connect by setting these environment variables.
- Go to Weblate's login page https://weblate.mycompany.com/accounts/login/ and click on the button "Oidc".
- Log in via the Azure B2C login page.
- Wait until the Weblate redirect URI https://weblate.mycompany.com/accounts/complete/oidc/ is loaded.
- Read the Django error message.
Expected behavior
No Django error after login.
Screenshots
No response
Exception traceback
No response
How do you run Weblate?
Docker container
Weblate versions
4.13.1
Weblate deploy checks
No response
Additional context
According to the error message, the problem seems to be here:
https://github.com/python-social-auth/social-core/blob/3d818d67f4969b99a09880f6a6fcf4bf187bdb28/social_core/backends/open_id_connect.py#L234
and the code expects to find the field access_token in the HTTP response from the Azure B2C OIDC.
If that helps, the response from https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/B2C_SIGNUP_SIGNIN/v2.0/.well-known/openid-configuration looks like this:
{
  "issuer": "https://mycompanyauth.b2clogin.com/32754e0f-75ef-4654-9eae-779b00b83c55/v2.0/",
  "authorization_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/authorize",
  "token_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/token",
  "end_session_endpoint": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/oauth2/v2.0/logout",
  "jwks_uri": "https://mycompanyauth.b2clogin.com/mycompanyauth.onmicrosoft.com/b2c_signup_signin/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "email",
    "upn",
    "oid",
    "idp",
    "tid",
    "roles",
    "isForgotPassword",
    "postalCode",
    "state",
    "country",
    "iss",
    "iat",
    "exp",
    "aud",
    "acr",
    "nonce",
    "auth_time"
  ]
}
Please let me know if I can provide any further information that might help.
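The report above comes down to a token endpoint response being indexed for access_token without a prior check. The following is an added example, not code from Weblate, social-core or the reporter: a validator that turns that case into an explicit, loggable error. The name check_token_response and both sample responses are hypothetical and constructed; the required fields follow RFC 6749 sections 5.1 and 5.2 and OpenID Connect Core 3.1.3.3.

```python
import json

# Constructed sample responses (not captured from any provider).
SAMPLE_OK = json.dumps({
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "id_token": "constructed-id-token",
    "expires_in": 3600,
})
# Assumed shape for illustration: a response that carries no access_token.
SAMPLE_ID_TOKEN_ONLY = json.dumps({
    "id_token": "constructed-id-token",
    "token_type": "Bearer",
    "expires_in": 3600,
})
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "constructed description",
})


class TokenResponseError(Exception):
    """Raised when a token endpoint response cannot be used for login."""


def check_token_response(body: str) -> dict:
    """Parse a token endpoint response and validate its required fields."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenResponseError(f"token endpoint did not return JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response is not a JSON object")
    # RFC 6749 section 5.2: a failed request carries an "error" code.
    if "error" in data:
        detail = data.get("error_description", "no description")
        raise TokenResponseError(f"provider returned {data['error']}: {detail}")
    # RFC 6749 section 5.1 requires access_token and token_type;
    # OpenID Connect Core 3.1.3.3 additionally requires id_token.
    required = ("access_token", "token_type", "id_token")
    missing = [name for name in required if not data.get(name)]
    if missing:
        # Report field names only, so token values never reach the logs.
        raise TokenResponseError(
            f"token response missing {missing}; fields present: {sorted(data)}"
        )
    return data
```

Running the check before the response is used replaces the bare KeyError with a message that names the missing fields and the fields the provider did send.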