From 55322995a1695f6c29b5a043b5f51a7a11e70f01 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 27 Dec 2020 14:54:27 +0100
Subject: [PATCH] providers/oauth2: make iss field configurable

---
 authentik/providers/oauth2/api.py | 1 +
 authentik/providers/oauth2/forms.py | 7 +++--
 .../0008_oauth2provider_issuer_mode.py | 28 +++++++++++++++++++
 authentik/providers/oauth2/models.py | 18 ++++++++++++
 swagger.yaml | 7 +++++
 5 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py

diff --git a/authentik/providers/oauth2/api.py b/authentik/providers/oauth2/api.py
index 443a4da19..5b79ae37d 100644
--- a/authentik/providers/oauth2/api.py
+++ b/authentik/providers/oauth2/api.py
@@ -27,6 +27,7 @@ class OAuth2ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "redirect_uris",
             "sub_mode",
             "property_mappings",
+            "issuer_mode",
             "verbose_name",
             "verbose_name_plural",
         ]
diff --git a/authentik/providers/oauth2/forms.py b/authentik/providers/oauth2/forms.py
index 18d9bbfcf..f583a4473 100644
--- a/authentik/providers/oauth2/forms.py
+++ b/authentik/providers/oauth2/forms.py
@@ -53,14 +53,15 @@ class OAuth2ProviderForm(forms.ModelForm):
             "client_type",
             "client_id",
             "client_secret",
-            "response_type",
             "token_validity",
-            "include_claims_in_id_token",
             "jwt_alg",
+            "response_type",
+            "property_mappings",
             "rsa_key",
             "redirect_uris",
             "sub_mode",
-            "property_mappings",
+            "include_claims_in_id_token",
+            "issuer_mode",
         ]
         widgets = {
             "name": forms.TextInput(),
diff --git a/authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py b/authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py
new file mode 100644
index 000000000..a96255c81
--- /dev/null
+++ b/authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.1.4 on 2020-12-27 13:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0007_auto_20201016_1107"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="oauth2provider",
+            name="issuer_mode",
+            field=models.TextField(
+                choices=[
+                    ("global", "Same identifier is used for all providers"),
+                    (
+                        "per_provider",
+                        "Each provider has a different issuer, based on the application slug.",
+                    ),
+                ],
+                default="per_provider",
+                help_text="Configure how the issuer field of the ID Token should be filled.",
+            ),
+        ),
+    ]
diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py
index b44638b00..1f9fa0d6a 100644
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -70,6 +70,15 @@ class SubModes(models.TextChoices):
     )
 
 
+class IssuerMode(models.TextChoices):
+    """Configure how the `iss` field is created."""
+
+    GLOBAL = "global", _("Same identifier is used for all providers")
+    PER_PROVIDER = "per_provider", _(
+        "Each provider has a different issuer, based on the application slug."
+    )
+
+
 class ResponseTypes(models.TextChoices):
     """Response Type required by the client."""
 
@@ -193,6 +202,13 @@ class OAuth2Provider(Provider):
             )
         ),
     )
+    issuer_mode = models.TextField(
+        choices=IssuerMode.choices,
+        default=IssuerMode.PER_PROVIDER,
+        help_text=_(
+            ("Configure how the issuer field of the ID Token should be filled.")
+        ),
+    )
     rsa_key = models.ForeignKey(
         CertificateKeyPair,
@@ -254,6 +270,8 @@ class OAuth2Provider(Provider):
 
     def get_issuer(self, request: HttpRequest) -> Optional[str]:
         """Get issuer, based on request"""
+        if self.issuer_mode == IssuerMode.GLOBAL:
+            return request.build_absolute_uri("/")
         try:
             mountpoint = AuthentikProviderOAuth2Config.mountpoints[
                 "authentik.providers.oauth2.urls"
diff --git a/swagger.yaml b/swagger.yaml
index d5c7970b5..7fcdb62f5 100755
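Review bot: The help_text of the new issuer_mode field wraps a single string literal in an extra pair of parentheses, `help_text=_(("Configure how the issuer field of the ID Token should be filled."))`; in the neighbouring sub_mode field the inner parentheses only exist to join several implicitly concatenated literals, so here `help_text=_("Configure how the issuer field of the ID Token should be filled.")` is equivalent and one level shallower. The OAuth2Provider class body continues on both sides of this hunk.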
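Review bot: The new GLOBAL branch of get_issuer returns `request.build_absolute_uri("/")`, which keeps a trailing slash (`https://host/`), while relying parties compare the `iss` claim with their configured issuer byte-for-byte and build the discovery URL by appending `/.well-known/openid-configuration`, so this value has to match exactly what the provider's discovery document advertises; that endpoint is outside this diff, so please confirm it, or return `request.build_absolute_uri("/").rstrip("/")` if the advertised issuer carries no slash. Because the value is taken from the incoming request, it is also only as stable as the deployment's ALLOWED_HOSTS and proxy-header configuration, which is worth stating next to the branch. The docstring still reads `"""Get issuer, based on request"""` and does not mention the new mode; suggested: `"""Get issuer, based on request and issuer_mode: GLOBAL returns the site root, PER_PROVIDER an issuer derived from the application slug."""`. The body of get_issuer continues outside the hunk.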
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -7887,6 +7887,13 @@ definitions:
         type: string
         format: uuid
         uniqueItems: true
+      issuer_mode:
+        title: Issuer mode
+        description: Configure how the issuer field of the ID Token should be filled.
+        type: string
+        enum:
+        - global
+        - per_provider
       verbose_name:
         title: Verbose name
         type: string