auth: Skip OIDC flow if Bearer access_token is present (bug 1979246)

shtrom · shtrom · commit a0825897c6c0 · 2025-08-11T18:01:23.000+10:00
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -282,12 +282,21 @@ def get_userinfo(self, access_token, id_token, payload):
         return user_response.json()
 
     def authenticate(self, request, **kwargs):
-        """Authenticates a user based on the OIDC code flow."""
+        """Authenticates a user based on a Bearer access_token or the OIDC code flow."""
 
         self.request = request
         if not self.request:
             return None
 
+        # If a bearer token is present in the request, use it to authenticate the user.
+        if authorization := request.META.get("HTTP_AUTHORIZATION"):
+            scheme, token = authorization.split(maxsplit=1)
+            if scheme.lower() == "bearer":
+                # get_or_create_user and get_userinfo uses neither id_token nor payload.
+                # XXX: maybe we only want to _get_ the user, and not create the if they
+                # aren't alrealdy registered.
+                return self.get_or_create_user(token, None, None)
+
         state = self.request.GET.get("state")
         code = self.request.GET.get("code")
         nonce = kwargs.pop("nonce", None)
@@ -366,7 +375,7 @@ def get_or_create_user(self, access_token, id_token, payload):
             return user
         else:
             LOGGER.debug(
-                "Login failed: No user with %s found, and " "OIDC_CREATE_USER is False",
+                "Login failed: No user with %s found, and OIDC_CREATE_USER is False",
                 self.describe_user_by_claims(user_info),
             )
             return None
