hluk / waiverdb

LAST BUILD ON BRANCH fix-oidc-groups

branch: SELECT

CHANGE BRANCH

x

Sync Branches

• No branch selected
• add-image-expiration
• auth-errors
• avoid-updating-python-version
• bump-base-image
• dependabot/pip/cryptography-37.0.2
• dependabot/pip/cryptography-37.0.4
• dependabot/pip/cryptography-38.0.1
• dependabot/pip/cryptography-38.0.3
• dependabot/pip/flask-migrate-4.0.0
• dependabot/pip/flask-migrate-4.0.3
• dependabot/pip/mock-5.0.0
• dependabot/pip/mock-5.0.1
• dependabot/pip/pip-22.3.1
• dependabot/pip/setuptools-67.0.0
• dependabot/pip/sphinx-6.0.0
• dependabot/pip/sphinx-6.1.2
• dependabot/pip/sphinx-6.1.3
• dependabot/pip/sphinxcontrib-httpdomain-1.8.1
• dependabot/pip/sqlalchemy-1.4.37
• dependabot/pip/sqlalchemy-1.4.39
• dependabot/pip/sqlalchemy-1.4.40
• dependabot/pip/sqlalchemy-1.4.41
• dependabot/pip/sqlalchemy-1.4.42
• dependabot/pip/sqlalchemy-1.4.44
• dependabot/pip/sqlalchemy-1.4.45
• dependabot/pip/sqlalchemy-1.4.46
• dependabot/pip/stomp-py-8.1.0
• dependabot/pip/werkzeug-lt-2.3
• dependabot/pip/wheel-0.38.4
• docker-compose-sync
• drop-flask-restful
• drop-waiverdb-cli
• fix-about-version
• fix-docs-build
• fix-duplicate-session
• fix-example-subject-type
• fix-flaky-test
• fix-lock-file-maintenance-schedule
• fix-migrations
• fix-new-sqlalchemy
• fix-oidc-groups
• fix-oidc-token
• fix-stomp-version
• fix-tests
• fix-tox
• fix-tracing
• fix-werkzeug
• hatch
• kafka
• keycloak
• konflux
• master
• monthly-renovate
• oidc-groups
• oidc-login-form
• onboard-konflux
• pdm
• permission-include-following
• poetry
• postgres-update
• pydantic2
• python-3.11
• python-3.12-for-renovatebot
• python-3.13
• refactor-oidc-token
• renovate
• renovate-lock
• revert-werkzeug
• secure-cookies
• show-permissions-warning
• simplify-log-config
• split-permission-users-groups
• sync-with-greenwave
• update
• update-authlib
• update-dependencies
• update-dependencies-monthly
• update-opentelemetry
• update-otel
• update-pydantic
• update-readthedocs
• uv
• uv-3

Build # 23886806496

Build Type

push

github

Committed by hluk

Commit Message

Fall back to decoded access token for OIDC group extraction

When authenticating via the OIDC browser login, the ID token may not
include group claims (realm_access.roles) depending on the Keycloak
mapper configuration. Decode the access token JWT as a fallback source
for OIDC claims using authlib jwt.decode with JWKS verification.

- Skip other auth methods (e.g. Kerberos) when OIDC session is active
- Add decoded access token as a fallback in _oidc_session_sources()
- Use authlib jwt.decode with JWKS verification for access token decoding
- Request 'roles' OIDC scope for Keycloak compatibility
- Set id.token.claim=false in docker Keycloak to match production
- Add admin user to waiverdb-users role for functional tests
- Add Selenium functional test for browser-based OIDC group auth

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
JIRA: RHELWF-13972

Coverage Stats

264 of 368 branches covered (71.74%)

Branch coverage included in aggregate %.

45 of 60 new or added lines in 3 files covered. (75.0%)

14 existing lines in 1 file now uncovered.

2081 of 2437 relevant lines covered (85.39%)

0.85 hits per line