diff --git a/descope/auth.py b/descope/auth.py
index 1d70c52d..b222a407 100644
--- a/descope/auth.py
+++ b/descope/auth.py
@@ -346,9 +346,12 @@ def adjust_properties(self, jwt_response: dict, user_jwt: bool):
 )
 # Save the projectID also in the dict top level
- jwt_response["projectId"] = jwt_response.get(SESSION_TOKEN_NAME, {}).get(
+ issuer = jwt_response.get(SESSION_TOKEN_NAME, {}).get(
 "iss", None
- ) or jwt_response.get(REFRESH_SESSION_TOKEN_NAME, {}).get("iss", None)
+ ) or jwt_response.get(REFRESH_SESSION_TOKEN_NAME, {}).get("iss", "")
+ jwt_response["projectId"] = issuer.rsplit("/")[
+ -1
+ ] # support both url issuer and project ID issuer
 if user_jwt:
 # Save the userID also in the dict top level
diff --git a/tests/test_auth.py b/tests/test_auth.py
index f842e90d..0f3fb283 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -6,6 +6,7 @@
 from descope import AuthException, DeliveryMethod
 from descope.auth import Auth
+from descope.common import REFRESH_SESSION_TOKEN_NAME, SESSION_TOKEN_NAME
 class TestAuth(unittest.TestCase):
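Review bot: In `adjust_properties`, `issuer.rsplit("/")[-1]` keeps only the last path segment of `iss`, so a URL issuer on any host that ends in the same segment yields the same `projectId`; the value should not be read as proof of who issued the token unless the full `iss` is compared with the expected issuer during validation, which is not visible in this hunk. The fallback `.get("iss", "")` covers only a missing key: a refresh token whose `iss` is present but null would leave `issuer` as `None` and `rsplit` would raise `AttributeError`, so ending the expression with `.get("iss") or ""` is safer. `rsplit("/")` without a maxsplit behaves like `split("/")`; `issuer.rstrip("/").rsplit("/", 1)[-1]` states the intent and also handles a trailing slash, which currently produces an empty `projectId`. The function starts and ends outside the hunk.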
@@ -265,6 +266,88 @@ def test_exchange_access_key(self):
 self.assertEqual(jwt_response["keyId"], "U2Cu0j0WPw3YOiPISJb52L0wUVMg")
 self.assertEqual(jwt_response["projectId"], "P2CtzUhdqpIF2ys9gg7ms06UvtC4")
+ def test_adjust_properties(self):
+ self.assertEqual(
+ Auth.adjust_properties(self, jwt_response={}, user_jwt={}),
+ {"keyId": None, "projectId": ""},
+ )
+
+ jwt_response = {
+ SESSION_TOKEN_NAME: {
+ "permissions": ["perm1"],
+ "roles": ["role1"],
+ "tenants": {"bla1": "bla1"},
+ "iss": "123456",
+ "sub": "user-id",
+ },
+ REFRESH_SESSION_TOKEN_NAME: {
+ "permissions": ["perm2"],
+ "roles": ["role2"],
+ "tenants": {"bla2": "bla2"},
+ },
+ }
+
+ self.assertEqual(
+ Auth.adjust_properties(self, jwt_response=jwt_response, user_jwt=True),
+ {
+ "permissions": ["perm1"],
+ "projectId": "123456",
+ "refreshSessionToken": {
+ "permissions": ["perm2"],
+ "roles": ["role2"],
+ "tenants": {"bla2": "bla2"},
+ },
+ "roles": ["role1"],
+ "sessionToken": {
+ "iss": "123456",
+ "permissions": ["perm1"],
+ "roles": ["role1"],
+ "sub": "user-id",
+ "tenants": {"bla1": "bla1"},
+ },
+ "tenants": {"bla1": "bla1"},
+ "userId": "user-id",
+ },
+ )
+
+ jwt_response = {
+ SESSION_TOKEN_NAME: {
+ "permissions": ["perm1"],
+ "roles": ["role1"],
+ "tenants": {"bla1": "bla1"},
+ "sub": "user-id",
+ },
+ REFRESH_SESSION_TOKEN_NAME: {
+ "permissions": ["perm2"],
+ "roles": ["role2"],
+ "tenants": {"bla2": "bla2"},
+ "iss": "https://descope.com/bla/123456",
+ },
+ }
+
+ self.assertEqual(
+ Auth.adjust_properties(self, jwt_response=jwt_response, user_jwt=False),
+ {
+ "permissions": ["perm1"],
+ "projectId": "123456",
+ "refreshSessionToken": {
+ "iss": "https://descope.com/bla/123456",
+ "permissions": ["perm2"],
+ "roles": ["role2"],
+ "tenants": {"bla2": "bla2"},
+ },
+ "roles": ["role1"],
+ "sessionToken": {
+ "permissions": ["perm1"],
+ "roles": ["role1"],
+ "sub": "user-id",
+ "tenants": {"bla1": "bla1"},
+ },
+ "tenants": {"bla1": "bla1"},
+ "keyId": "user-id",
+ },
+ )
+
 if __name__ == "__main__":
 unittest.main()
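Review bot: The first assertion in `test_adjust_properties` passes `user_jwt={}` where the signature takes a bool; it passes only because an empty dict is falsy, and `user_jwt=False` would say what is meant. The three scenarios cover a bare project ID on the session token and a URL issuer on the refresh token, but not a URL issuer with a trailing slash, an `iss` that is present but `None`, or both tokens carrying different issuers, which are the inputs most likely to break the new `rsplit` parsing. Wrapping each scenario in `with self.subTest(...)` would also keep a failure in the first case from hiding the others.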