From 1f038ecee2a728696a8d233448adce1fab14e754 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 14 Jan 2023 20:22:06 +0100
Subject: [PATCH] providers/oauth2: fallback to anonymous user for policy engine

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/token.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 9567d65e0..c35485253 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -11,6 +11,7 @@ from django.utils.decorators import method_decorator
 from django.utils.timezone import datetime, now
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
+from guardian.shortcuts import get_anonymous_user
 from jwt import PyJWK, PyJWTError, decode
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
@@ -104,7 +105,8 @@ class TokenParams:
 with Hub.current.start_span(
 op="authentik.providers.oauth2.token.policy",
 ):
- engine = PolicyEngine(app, self.user, request)
+ user = self.user if self.user else get_anonymous_user()
+ engine = PolicyEngine(app, user, request)
 engine.request.context["oauth_scopes"] = self.scope
 engine.request.context["oauth_grant_type"] = self.grant_type
 engine.request.context["oauth_code_verifier"] = self.code_verifier
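Review bot: The fallback on the `user = self.user if self.user else get_anonymous_user()` line in the second hunk makes the application's policies run against the guardian anonymous user whenever no user was resolved, and nothing in the hunk records that this substitution took place. A bound policy that does not inspect the user would then presumably pass for a token request that carries no identity, so the code should say which grant types are expected to arrive here without a user; that part of `TokenParams` lies outside the hunk. I would make the condition explicit and document it, e.g. `user = self.user if self.user is not None else get_anonymous_user()` preceded by `# No user resolved for this grant: evaluate application policies as the anonymous user`. A log entry on the fallback path (the module already imports `get_logger`) would let a later policy decision be traced to a request that had no user. The enclosing method starts and ends outside the hunk.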