Fix Google SSO login via provider-agnostic user data retrieval (#597)

samdotci · web-flow · commit 528024d5e8b4 · 2025-11-25T18:03:33.000+01:00
diff --git a/back/users/adapter.py b/back/users/adapter.py
@@ -60,7 +60,11 @@ def _get_user_role(self, raw_role_data):
 
     def populate_user(self, request, sociallogin, data):
         user = super().populate_user(request, sociallogin, data)
-        full_data = sociallogin.account.extra_data["id_token"]
+        # Different providers store user data at different nesting levels in `extra_data`
+        # (e.g., Google stores it flat, OpenID Connect nests it under "id_token").
+        # Using get_provider_account().get_user_data() abstracts away these differences.
+        provider_account = sociallogin.account.get_provider_account()
+        full_data = provider_account.get_user_data()
 
         if settings.OIDC_ROLE_PATH_IN_RETURN == "":
             # set default to OTHER
diff --git a/back/users/test_adapter.py b/back/users/test_adapter.py
@@ -1,11 +1,40 @@
 import pytest
 from allauth.socialaccount.models import SocialAccount, SocialLogin
+from allauth.socialaccount.providers.google.provider import GoogleProvider
+from allauth.socialaccount.providers.openid_connect.provider import (
+    OpenIDConnectProvider,
+)
 from django.contrib.auth import get_user_model
 from django.test import override_settings
 
 from .adapter import SocialAccountAdapter
 
 
+def _ensure_provider_registered(provider_id: str, provider_class):
+    """
+    Register a provider if not already registered.
+
+    Necessary as "django-allauth" initializes the registry before the
+    `@override_settings` decorator is applied.
+    """
+    from allauth.socialaccount.providers import registry
+
+    if not registry.provider_map.get(provider_id):
+        registry.register(provider_class)
+
+
+@pytest.fixture
+def register_google_provider():
+    _ensure_provider_registered("google", GoogleProvider)
+    yield
+
+
+@pytest.fixture
+def register_openid_connect_provider():
+    _ensure_provider_registered("openid_connect", OpenIDConnectProvider)
+    yield
+
+
 @pytest.mark.django_db
 @override_settings(OIDC_ROLE_ADMIN_PATTERN="^Administrators.*")
 @override_settings(OIDC_ROLE_MANAGER_PATTERN="^Manager.*")
@@ -36,7 +65,21 @@ def test_get_user_role():
 @override_settings(OIDC_ROLE_MANAGER_PATTERN="^Manager.*")
 @override_settings(OIDC_ROLE_NEW_HIRE_PATTERN="^Newhire.*")
 @override_settings(OIDC_ROLE_PATH_IN_RETURN="details.zoneinfo")
-def test_populate_user(employee_factory):
+@override_settings(
+    SOCIALACCOUNT_PROVIDERS={
+        "openid_connect": {
+            "APPS": [
+                {
+                    "provider_id": "test-server",
+                    "name": "Test Server",
+                    "client_id": "test-client-id",
+                    "secret": "test-secret",
+                }
+            ]
+        }
+    },
+)
+def test_populate_user(employee_factory, register_openid_connect_provider):
     employee = employee_factory()
     account = SocialAccount(
         user=employee,
@@ -64,3 +107,58 @@ def test_populate_user(employee_factory):
     user.save()
     assert get_user_model().objects.count() == 1
     assert get_user_model().objects.first().role == get_user_model().Role.ADMIN
+
+
+@pytest.mark.django_db
+@override_settings(
+    SOCIALACCOUNT_PROVIDERS={
+        "google": {
+            "APPS": [
+                {
+                    "client_id": "test-client-id",
+                    "secret": "test-secret",
+                    "key": "dummy",
+                }
+            ],
+            "AUTH_PARAMS": {
+                "access_type": "offline",
+            },
+            "OAUTH_PKCE_ENABLED": True,
+        }
+    }
+)
+def test_populate_google_user(employee_factory, register_google_provider):
+    employee = employee_factory()
+    account = SocialAccount(
+        user=employee,
+        # See: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+        extra_data={
+            "iss": "https://accounts.google.com",
+            "azp": "123456789012-0e3b215c34faf2828d7bb66b5f24e992.apps.googleusercontent.com",
+            "aud": "123456789012-0e3b215c34faf2828d7bb66b5f24e992.apps.googleusercontent.com",
+            "sub": "123456789012345678901",
+            "hd": "chiefonboarding.com",
+            "email": "John@chiefonboarding.com",
+            "email_verified": True,
+            "at_hash": "-someHASH",
+            "name": "John Do",
+            "picture": "https://lh3.googleusercontent.com/a/...",
+            "given_name": "John",
+            "family_name": "Do",
+            "iat": 1763729550,
+            "exp": 1763733150,
+        },
+    )
+    sociallogin = SocialLogin(user=employee, account=account)
+
+    data = {
+        "first_name": "John",
+        "last_name": "Do",
+        "email": "John@chiefonboarding.com",
+    }
+    user = SocialAccountAdapter().populate_user(None, sociallogin, data)
+    # saving happens elsewhere, so force save here
+    user.save()
+    assert get_user_model().objects.count() == 1
+    # unlike `test_populate_user`, no role information is present in our data
+    assert get_user_model().objects.first().role == get_user_model().Role.OTHER
