providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/oauth2/views/authorize.py

@@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
         # and POST request.
         query_dict = request.POST if request.method == "POST" else request.GET
         state = query_dict.get("state")
-        redirect_uri = query_dict.get("redirect_uri", "")
+        redirect_uri = query_dict.get("redirect_uri", "").lower()
 
         response_type = query_dict.get("response_type", "")
         grant_type = None
@@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
         if not self.redirect_uri:
             LOGGER.warning("Missing redirect uri.")
             raise RedirectUriError("", allowed_redirect_urls)
-        if len(allowed_redirect_urls) < 1:
+
+        if self.provider.redirect_uris == "":
+            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
+            self.provider.redirect_uris = self.redirect_uri
+            self.provider.save()
+            allowed_redirect_urls = self.provider.redirect_uris.split()
+
+        if self.provider.redirect_uris == "*":
             LOGGER.warning(
-                "Provider has no allowed redirect_uri set, allowing all.",
+                "Provider has wildcard allowed redirect_uri set, allowing all.",
-                allow=self.redirect_uri.lower(),
+                allow=self.redirect_uri,
             )
             return
-        if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+        if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
             LOGGER.warning(
                 "Invalid redirect uri",
                 redirect_uri=self.redirect_uri,

authentik/providers/oauth2/views/token.py

@@ -66,7 +66,7 @@ class TokenParams:
             provider=provider,
             client_id=client_id,
             client_secret=client_secret,
-            redirect_uri=request.POST.get("redirect_uri", ""),
+            redirect_uri=request.POST.get("redirect_uri", "").lower(),
             grant_type=request.POST.get("grant_type", ""),
             state=request.POST.get("state", ""),
             scope=request.POST.get("scope", "").split(),
@@ -123,21 +123,23 @@ class TokenParams:
             LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
             raise TokenError("unsupported_grant_type")
 
-    def __post_init_code(self, raw_code):
+    def __post_init_code(self, raw_code: str):
         if not raw_code:
             LOGGER.warning("Missing authorization code")
             raise TokenError("invalid_grant")
 
         allowed_redirect_urls = self.provider.redirect_uris.split()
-        if len(allowed_redirect_urls) < 1:
+        if self.provider.redirect_uris == "*":
             LOGGER.warning(
-                "Provider has no allowed redirect_uri set, allowing all.",
+                "Provider has wildcard allowed redirect_uri set, allowing all.",
-                allow=self.redirect_uri.lower(),
+                redirect=self.redirect_uri,
             )
-        elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+        # At this point, no provider should have a blank redirect_uri, in case they do
+        # this will check an empty array and raise an error
+        elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
             LOGGER.warning(
                 "Invalid redirect uri",
-                uri=self.redirect_uri,
+                redirect=self.redirect_uri,
                 expected=self.provider.redirect_uris.split(),
             )
             raise TokenError("invalid_client")

web/src/locales/en.po

@@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "If multiple providers share an outpost, a self-signed certificate is used."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5187,6 +5191,10 @@ msgstr "Title"
 msgid "To"
 msgstr "To"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."

web/src/locales/fr_FR.po

@@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+#~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5131,6 +5135,10 @@ msgstr "Titre"
 msgid "To"
 msgstr "À"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."

web/src/locales/pseudo-LOCALE.po

@@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr ""
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr ""
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
 msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
@@ -5167,6 +5171,10 @@ msgstr ""
 msgid "To"
 msgstr ""
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr ""

web/src/locales/tr.po

@@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+#~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5076,6 +5080,10 @@ msgstr "Başlık"
 msgid "To"
 msgstr "Kime"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."

web/src/pages/providers/oauth2/OAuth2ProviderForm.ts

@@ -171,7 +171,10 @@ ${this.instance?.redirectUris}</textarea
                             ${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
                         </p>
                         <p class="pf-c-form__helper-text">
-                            ${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`}
+                            ${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`}
+                        </p>
+                        <p class="pf-c-form__helper-text">
+                            ${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}
                         </p>
                     </ak-form-element-horizontal>
                     <ak-form-element-horizontal label=${t`Signing Key`} name="signingKey">