Bug/okta OIDC configuration url fix

social_core/backends/okta.py

@@ -3,7 +3,7 @@
     https://python-social-auth.readthedocs.io/en/latest/backends/okta.html
 """
 
-from urllib.parse import urljoin
+from urllib.parse import urljoin, urlparse, urlunparse
 
 from ..utils import append_slash
 from .oauth import BaseOAuth2
@@ -22,15 +22,26 @@ def access_token_url(self):
     def _url(self, path):
         return urljoin(append_slash(self.setting("API_URL")), path)
 
-    def oidc_config(self):
-        return self.get_json(
-            self._url(
-                "/.well-known/openid-configuration?client_id={}".format(
-                    self.setting("KEY")
-                )
-            )
+    def oidc_config_url(self):
+        # https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration
+        url = urlparse(self.api_url())
+
+        # If the URL path does not contain an authorizedServerId, we need
+        # to truncate the path in order to generate a proper openid-configuration
+        # URL.
+        if url.path == "/oauth2/":
+            url = url._replace(path="")
+
+        return urljoin(
+            urlunparse(url),
+            "./.well-known/openid-configuration?client_id={}".format(
+                self.setting("KEY")
+            ),
         )
 
+    def oidc_config(self):
+        return self.get_json(self.oidc_config_url())
+
 
 class OktaOAuth2(OktaMixin, BaseOAuth2):
     """Okta OAuth authentication backend"""

social_core/tests/backends/test_okta.py

@@ -144,30 +144,24 @@ def setUp(self):
             status=200,
             body=self.openid_config_body,
         )
-        oidc_config = json.loads(self.openid_config_body)
 
-        def jwks(_request, _uri, headers):
-            return 200, headers, json.dumps({"keys": [self.key]})
-
-        HTTPretty.register_uri(
-            HTTPretty.GET,
-            oidc_config.get("jwks_uri"),
-            status=200,
-            body=json.dumps({"keys": [self.public_key]}),
+    def test_okta_oidc_config(self):
+        # With no custom authorization server
+        self.strategy.set_settings(
+            {
+                "SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL": "https://dev-000000.oktapreview.com/oauth2",
+            }
         )
-
-        self.backend.JWKS_URI = oidc_config.get("jwks_uri")
-        self.backend.ID_TOKEN_ISSUER = oidc_config.get("issuer")
-
-    def pre_complete_callback(self, start_url):
-        super().pre_complete_callback(start_url)
-        HTTPretty.register_uri(
-            "GET",
-            uri=self.backend.userinfo_url(),
-            status=200,
-            body=json.dumps({"preferred_username": self.expected_username}),
-            content_type="text/json",
+        self.assertEqual(
+            self.backend.oidc_config_url(),
+            "https://dev-000000.oktapreview.com/.well-known/openid-configuration?client_id=a-key",
+        )
+        self.strategy.set_settings(
+            {
+                "SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL": "https://dev-000000.oktapreview.com/oauth2/id-123456",
+            }
+        )
+        self.assertEqual(
+            self.backend.oidc_config_url(),
+            "https://dev-000000.oktapreview.com/oauth2/id-123456/.well-known/openid-configuration?client_id=a-key",
         )
-
-    def test_everything_works(self):
-        self.do_login()