Keycloak ID key change

[nijel]

Expected behaviour

Upgrade from 4.4.2 to 4.5.0 changes behavior of Keycloak authentication, see WeblateOrg/docker#2048.

Actual behaviour

#815 by @derlin is probably the root cause here:

• It removes ID_KEY from the backend, makes it effectively use value from a parent class:

  social-core/social_core/backends/oauth.py

  Line 43 in b9d9937

  ID_KEY = "id"

• While this attribute is still used in the partial pipeline:

  social-core/social_core/utils.py

  Lines 192 to 200 in b9d9937

  	# Normally when resuming a pipeline, request_data will be empty. We
  	# only need to check for a uid match if new data was provided (i.e.
  	# if current request specifies the ID_KEY).
  	if backend.ID_KEY in request_data:
  	id_from_partial = partial.kwargs.get("uid")
  	id_from_request = request_data.get(backend.ID_KEY)
  	if id_from_partial != id_from_request:
  	partial_matches_request = False

Any other comments?

Possible solutions:

• Revert Make Keycloak's ID_KEY configurable #815
• Make ID_KEY configurable for all backends, in a way that this breakage cannot happen

There is at least one additional backend (Seznam) affected by this.

[RJPercival]

I've created a revert PR (#858) since a fix PR doesn't seem to be forthcoming.

[derlin]

I am sorry for the disagreement, I really wasn't thinking this would be hardcoded in utils. I still believe having a way to configure the ID_KEY for OAuth-based backend is an important feature.

I unfortunately don't have time to provide a fix in the upcoming week, would someone else have some time to investigate?

[RJPercival]

@nijel, what's the path forward here?

[RJPercival]

@nijel, friendly ping - it's been a week. Can we merge the revert PR please so this unblocks releasing a new version?

[nijel]

I've merged that, given we don't have a better solution for now. #862 is the issue to track this feature.