We tried to extend the GoogleOAuthenticator, and got it to call our authenticate method, though the id_token is empty.
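    from oauthenticator.google import GoogleOAuthenticator

    # Subclass name is a placeholder; the original post did not include it.
    class CustomGoogleOAuthenticator(GoogleOAuthenticator):
        async def authenticate(self, handler, data=None):
            user = await super().authenticate(handler, data)
            user['id_token'] = handler.get_argument('id_token', '')
            return user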
It’s because the underlying code making the call to Google doesn’t request the id_token.
That’s done in the code of the HubOAuth, which creates the request with just the response_type set to code. What we would need is the response_type to be code id_token.
Yes you can for sure say that I am confused between the HubOAuth role and the Authenticator role in all this. Thanks for pointing this out.
I’ve looked at this Google related code multiple times actually.
We couldn’t find a way to get the id_token by extending it.
The google authenticator code doesn’t have anything related to id_token either.
Our understanding is that the id_token is returned by Google when the openid scope is included, which it is by default in the code, and we add it also in our helm chart config for good measure.
We have a workaround using just the access_token/refresh_token now, so it’s not blocking.
Would have been super nice if we had been able to get that id_token JWT instead for the integration with our own auth backend.
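
In the authorization-code flow with the openid scope, the id_token is delivered in the token endpoint's JSON response. The sketch below is an added example, not code from this thread or from oauthenticator: it takes such a response as a dict, pulls out the id_token and checks its iss, aud and exp claims before the token is handed to another backend. The function names, client ID and sample token are constructed for illustration.

```python
import base64
import json
import time

# Issuer values Google uses in its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token_response, client_id, now=None):
    """Return the claims of the id_token found in a token-endpoint response.

    Checks iss, aud and exp only. The signature is NOT verified here: a backend
    that receives this token from the Hub must verify it against Google's
    published signing keys before trusting any claim.
    """
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token in token response")
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not match our client ID")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token has expired")
    return claims


def make_sample_response(claims):
    # Constructed token response for offline use; the signature segment is a dummy.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])
    return {"access_token": "constructed-access-token", "id_token": jwt}
```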