From c904c98592da6bb40bbb161b7d70a8c1f5d19159 Mon Sep 17 00:00:00 2001
From: John Readey <jreadey@hdfgroup.org>
Date: Sat, 14 Dec 2024 16:24:59 -0600
Subject: [PATCH] fix for keycloak authentication

---
 docs/keycloak_setup.md        | 2 +-
 hsds/util/jwtUtil.py          | 7 ++++++-
 tests/unit/chunk_util_test.py | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/keycloak_setup.md b/docs/keycloak_setup.md
index ce59fa3c..2aff18df 100644
--- a/docs/keycloak_setup.md
+++ b/docs/keycloak_setup.md
@@ -18,7 +18,7 @@ the DNS name and port for the Keycloak server.  Replace "keycloak_realm" with th
 in Keycloak.
 
     openid_provider: keycloak  # Use "keycloak" as the authentication provider
-    openid_url: http://<server_dns>:<server_port>/auth/realms/<keycloak_realm>/.well-known/openid-configuration   # update to use your Keycloak location and realm
+    openid_url: http://<server_dns>:<server_port>/realms/<keycloak_realm>/.well-known/openid-configuration   # update to use your Keycloak location and realm
     openid_audience: account # OpenID audience.  Keycloak client id.
     openid_claims: preferred_username,appid   # Comma seperated list of claims to resolve to usernames.
 
diff --git a/hsds/util/jwtUtil.py b/hsds/util/jwtUtil.py
index 5127200b..38a960c7 100644
--- a/hsds/util/jwtUtil.py
+++ b/hsds/util/jwtUtil.py
@@ -95,7 +95,7 @@ def verifyBearerToken(app, token):
         log.warn(msg)
         raise HTTPInternalServerError()
     if res.status_code != 200:
-        log.warn("Bad response from {openid_url}: {res.status_code}")
+        log.warn(f"Bad response from {openid_url}: {res.status_code}")
         if res.status_code == 404:
             raise HTTPNotFound()
         elif res.status_code == 401:
@@ -183,6 +183,11 @@ def verifyBearerToken(app, token):
             log.debug(f"got value: {value} for claim: {name}")
             if name == "unique_name":
                 username = value
+            elif name == "preferred_username":
+                if username:
+                    log.debug(f"ignoring {name} since preferred_username is set")
+                else:
+                    username = value
             elif name == "appid":
                 pass  # tbd
             elif name == "roles":
diff --git a/tests/unit/chunk_util_test.py b/tests/unit/chunk_util_test.py
index e7450d4b..22954466 100755
--- a/tests/unit/chunk_util_test.py
+++ b/tests/unit/chunk_util_test.py
@@ -83,6 +83,7 @@ def testGuessChunk(self):
 
         shape = {"class": "H5S_SIMPLE", "dims": [100, 100, 100]}
         layout = guessChunk(shape, typesize)
+        print("layout:", layout)
         self.assertTrue(len(layout), 3)
         for i in range(3):
             self.assertTrue(layout[i] >= 1)