providers/oauth2: if no scopes are sent in authorize request, select all configured scopes
closes #3112 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
d11ce0a86e
commit
23273f53cc
|
@ -55,6 +55,7 @@ from authentik.providers.oauth2.models import (
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
ResponseMode,
|
ResponseMode,
|
||||||
ResponseTypes,
|
ResponseTypes,
|
||||||
|
ScopeMapping,
|
||||||
)
|
)
|
||||||
from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
|
from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
|
||||||
from authentik.providers.oauth2.views.userinfo import UserInfoView
|
from authentik.providers.oauth2.views.userinfo import UserInfoView
|
||||||
|
@ -215,6 +216,16 @@ class OAuthAuthorizationParams:
|
||||||
|
|
||||||
def check_scope(self):
|
def check_scope(self):
|
||||||
"""Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
|
"""Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
|
||||||
|
if len(self.scope) == 0:
|
||||||
|
default_scope_names = set(
|
||||||
|
ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
|
||||||
|
"scope_name", flat=True
|
||||||
|
)
|
||||||
|
)
|
||||||
|
self.scope = default_scope_names
|
||||||
|
LOGGER.info(
|
||||||
|
"No scopes requested, defaulting to all configured scopes", scopes=self.scope
|
||||||
|
)
|
||||||
if SCOPE_OPENID not in self.scope and (
|
if SCOPE_OPENID not in self.scope and (
|
||||||
self.grant_type == GrantTypes.HYBRID
|
self.grant_type == GrantTypes.HYBRID
|
||||||
or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
|
or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
|
||||||
|
@ -240,11 +251,8 @@ class OAuthAuthorizationParams:
|
||||||
|
|
||||||
def check_code_challenge(self):
|
def check_code_challenge(self):
|
||||||
"""PKCE validation of the transformation method."""
|
"""PKCE validation of the transformation method."""
|
||||||
if self.code_challenge:
|
if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
|
||||||
if not (self.code_challenge_method in ["plain", "S256"]):
|
raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
|
||||||
raise AuthorizeError(
|
|
||||||
self.redirect_uri, "invalid_request", self.grant_type, self.state
|
|
||||||
)
|
|
||||||
|
|
||||||
def create_code(self, request: HttpRequest) -> AuthorizationCode:
|
def create_code(self, request: HttpRequest) -> AuthorizationCode:
|
||||||
"""Create an AuthorizationCode object for the request"""
|
"""Create an AuthorizationCode object for the request"""
|
||||||
|
|
|
@ -55,3 +55,26 @@ if "my-admin-scope" in request.context["oauth_scopes"]:
|
||||||
return ak_is_group_member(request.user, name="my-admin-group")
|
return ak_is_group_member(request.user, name="my-admin-group")
|
||||||
return True
|
return True
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Special scopes
|
||||||
|
|
||||||
|
#### GitHub compatibility
|
||||||
|
|
||||||
|
- `user`: No-op, is accepted for compatibility but does not give access to any resources
|
||||||
|
- `read:user`: Same as above
|
||||||
|
- `user:email`: Allows read-only access to `/user`, including email address
|
||||||
|
- `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams.
|
||||||
|
|
||||||
|
#### authentik
|
||||||
|
|
||||||
|
- `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user
|
||||||
|
|
||||||
|
## Default scopes
|
||||||
|
|
||||||
|
:::info
|
||||||
|
Requires authentik 2022.7
|
||||||
|
:::
|
||||||
|
|
||||||
|
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
|
||||||
|
|
||||||
|
This does _not_ apply to special scopes, as those are not configurable in the provider.
|
||||||
|
|
|
@ -30,6 +30,10 @@ slug: "2022.7"
|
||||||
|
|
||||||
Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates.
|
Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates.
|
||||||
|
|
||||||
|
- OAuth2 Provider default Scopes
|
||||||
|
|
||||||
|
Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration.
|
||||||
|
|
||||||
## Minor changes/fixes
|
## Minor changes/fixes
|
||||||
|
|
||||||
- api: add basic jwt support with required scope (#2624)
|
- api: add basic jwt support with required scope (#2624)
|
||||||
|
|
Reference in a new issue