fix for keycloak authentication

docs/keycloak_setup.md

@@ -18,7 +18,7 @@ the DNS name and port for the Keycloak server.  Replace "keycloak_realm" with th
 in Keycloak.
 
     openid_provider: keycloak  # Use "keycloak" as the authentication provider
-    openid_url: http://<server_dns>:<server_port>/auth/realms/<keycloak_realm>/.well-known/openid-configuration   # update to use your Keycloak location and realm
+    openid_url: http://<server_dns>:<server_port>/realms/<keycloak_realm>/.well-known/openid-configuration   # update to use your Keycloak location and realm
     openid_audience: account # OpenID audience.  Keycloak client id.
     openid_claims: preferred_username,appid   # Comma seperated list of claims to resolve to usernames.
 

hsds/util/jwtUtil.py

@@ -95,7 +95,7 @@ def verifyBearerToken(app, token):
         log.warn(msg)
         raise HTTPInternalServerError()
     if res.status_code != 200:
-        log.warn("Bad response from {openid_url}: {res.status_code}")
+        log.warn(f"Bad response from {openid_url}: {res.status_code}")
         if res.status_code == 404:
             raise HTTPNotFound()
         elif res.status_code == 401:
@@ -183,6 +183,11 @@ def verifyBearerToken(app, token):
             log.debug(f"got value: {value} for claim: {name}")
             if name == "unique_name":
                 username = value
+            elif name == "preferred_username":
+                if username:
+                    log.debug(f"ignoring {name} since preferred_username is set")
+                else:
+                    username = value
             elif name == "appid":
                 pass  # tbd
             elif name == "roles":

tests/unit/chunk_util_test.py

@@ -83,6 +83,7 @@ def testGuessChunk(self):
 
         shape = {"class": "H5S_SIMPLE", "dims": [100, 100, 100]}
         layout = guessChunk(shape, typesize)
+        print("layout:", layout)
         self.assertTrue(len(layout), 3)
         for i in range(3):
             self.assertTrue(layout[i] >= 1)