From 105085955092d3adbd176b2e0e03f973a88adee3 Mon Sep 17 00:00:00 2001
From: Mohammad Torkashvand <mohammad.torkashvand@geant.org>
Date: Tue, 25 Jun 2024 15:38:09 +0200
Subject: [PATCH] skip calling oidc userinfo when token is client-credential
 flow

---
 gso/auth/oidc_policy_helper.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gso/auth/oidc_policy_helper.py b/gso/auth/oidc_policy_helper.py
index 96edfbf3..d453888c 100644
--- a/gso/auth/oidc_policy_helper.py
+++ b/gso/auth/oidc_policy_helper.py
@@ -239,11 +239,16 @@ class OIDCUser(HTTPBearer):
                 logger.info("User is not active", url=request.url, user_info=intercepted_token)
                 raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="User is not active")
 
-            user_info = await self.userinfo(async_request, token)
-
-            user_info["client_id"] = intercepted_token.get("client_id")
+            client_id = intercepted_token.get("client_id")
+            if "sub" not in intercepted_token:
+                return OIDCUserModel(
+                        client_id=client_id
+                )
 
+            user_info = await self.userinfo(async_request, token)
+            user_info["client_id"] = client_id
             logger.debug("OIDCUserModel object.", intercepted_token=intercepted_token)
+
             return user_info
 
     async def check_openid_config(self, async_request: AsyncClient) -> None:
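Review bot: The new `if "sub" not in intercepted_token:` branch treats a missing `sub` claim as proof of a client-credentials token, but `sub` is optional in an RFC 7662 introspection response, so a user token whose introspection result omits it would skip the userinfo call and be accepted as a bare client identity. `client_id` is read with `.get()` and may be `None`, in which case the branch returns `OIDCUserModel(client_id=None)`, an authenticated object that carries no identity at all. I would reject that case before the return, e.g. `if not client_id: raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="Token has neither sub nor client_id")`, and add a `logger.info` call in the branch so the skipped userinfo lookup shows up in the logs. The enclosing method starts above the hunk and the policy check that consumes the returned model is not visible here; it presumably has to cope with a model that holds only `client_id`.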
-- 
GitLab