OAuth logic for finding user seems broken

[victornoel]

I couldn't login with google oauth even though the user that was created in the database with the correct email.

The doc says:

This info will be checked with the internal user (user record on User Model), first by username next by email.

So I would expect that if one of those matches, then it's alright.

But in practice, only the username is always checked because the google oauth answer always contains a username (which seems to be generated by FAB since it has a format like google-xxxxxxxx where xxxxxx is the id of the google user).

The incriminating code is:

        if 'username' in userinfo:
            user = self.find_user(username=userinfo['username'])
        elif 'email' in userinfo:
            user = self.find_user(email=userinfo['email'])
        else:
            log.error('User info does not have username or email {0}'.format(userinfo))
            return None

I think that if the first find_user fails, email should be checked.

[victornoel]

For the record, I'm using: Flask-AppBuilder 1.11.1 Flask-OAuthlib 0.9.5 google-auth 1.5.1
google-auth-httplib2 0.0.3
google-auth-oauthlib 0.2.0

[dolfandringa]

This indeed looks like a bug to me if indeed the intended behaviour is that either the username or email should match. Can you shine light on this @dpgaspar? If that is the intended behaviour, a PR (including unittest) that fixes this would be very welcome.

[holandes22]

Any idea when can this fix be merged? it is also affecting the new Airflow UI (based on this project) https://issues.apache.org/jira/browse/AIRFLOW-4153

[keerthanaturlapati]

Hi, any idea when will the fix be merged ?

[apelliciari]

Hi, I have the same issue, please merge!

[mgmorcos]

This issue is also affecting Apache Superset.