Fix OIDC login crash from naive/aware datetime mismatch#66
Open
hyzyla wants to merge 1 commit into
The OIDC callback created the session expiry as an aware datetime while the rest of the auth code, the LDAP login path and the TIMESTAMP columns use naive UTC. get_access_token then compared them with min(), raising "can't compare offset-naive and offset-aware datetimes" and returning HTTP 500 on the callback. Use naive datetime.utcnow() to match the rest of the codebase.
Signing in through OIDC (e.g. Google) returns HTTP 500 on `GET /oidc/{provider}/callback`:

**Cause.** The OIDC callback built the session expiry with an aware datetime (`datetime.now(UTC)`), while the rest of the auth code uses naive UTC: `get_access_token`, the LDAP login path (`graph/actions.py`), and the `TIMESTAMP` columns. `get_access_token` then evaluates `min(session_exp, datetime.utcnow() + ...)`, which raises when one operand is aware and the other naive. The OIDC callback was the only place in the codebase creating an aware datetime, so it was the only flow that hit this.

**Fix.** Use naive `datetime.utcnow()` in the callback to match the rest of the codebase, and drop the now-unused `UTC` import. This is consistent with existing usage (`DTZ003` is already in the ruff ignore list).

Validated by deploying a patched build to a dev environment: Google login now completes and the session cookie is set.
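As an added illustration (not code from this project or the PR author), the following reproduces the `min()` failure described above with constructed timestamps and shows a normalising helper that keeps the naive-UTC convention at the boundary where an aware value could enter. `access_token_expiry` and `as_naive_utc` are hypothetical stand-ins, not the project's own functions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def access_token_expiry(session_exp: datetime, now: datetime,
                        token_lifetime: timedelta = timedelta(minutes=15)) -> datetime:
    """Hypothetical mirror of the min() in get_access_token: the access token
    must not outlive the session. Ordering comparisons between an aware and a
    naive datetime raise TypeError, which is what produced the HTTP 500."""
    return min(session_exp, now + token_lifetime)


def as_naive_utc(dt: datetime) -> datetime:
    """Normalise a datetime to the codebase convention (naive UTC).
    Aware values are converted to UTC and stripped of tzinfo; naive values
    are assumed to already be UTC and returned unchanged."""
    if dt.tzinfo is None:
        return dt
    return dt.astimezone(UTC).replace(tzinfo=None)


def reproduce() -> dict:
    """Run the failing and the corrected comparison on constructed inputs."""
    # Constructed values: a naive UTC "now", and a session expiry 5 minutes
    # later created the way the old OIDC callback did (aware, UTC).
    now_naive = datetime(2024, 5, 1, 12, 0, 0)
    session_exp_aware = datetime(2024, 5, 1, 12, 5, 0, tzinfo=UTC)

    result = {}
    try:
        access_token_expiry(session_exp_aware, now_naive)
        result["aware_vs_naive"] = "ok"
    except TypeError as exc:
        # Mixed operands: this is the error surfaced as a 500 on the callback.
        result["aware_vs_naive"] = str(exc)

    # The equivalent of the fix: the expiry is naive UTC before it reaches
    # get_access_token, so min() picks the earlier of the two as expected.
    result["fixed"] = access_token_expiry(as_naive_utc(session_exp_aware), now_naive)
    return result


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```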