From 5a25e6d69728cca49da51cecd5b6501e096b883b Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 13 Apr 2021 21:06:04 +0200
Subject: [PATCH] api: add legacy support for older outposts
Signed-off-by: Jens Langhammer
---
 authentik/api/auth.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/authentik/api/auth.py b/authentik/api/auth.py
index 6bcd511f7..a2f36c208 100644
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@@ -1,5 +1,5 @@
 """API Authentication"""
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from binascii import Error
 from typing import Any, Optional, Union
 
@@ -15,9 +15,14 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
 """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
 auth_credentials = raw_header.decode()
- # Accept headers with Type format and without
+ # Legacy, accept basic auth thats fully encoded (2021.3 outposts)
 if " " not in auth_credentials:
- return None
+ try:
+ plain = b64decode(auth_credentials.encode()).decode()
+ auth_type, body = plain.split()
+ auth_credentials = f"{auth_type} {b64encode(body.encode()).decode()}"
+ except (UnicodeDecodeError, Error):
+ return None
 auth_type, auth_credentials = auth_credentials.split()
 if auth_type.lower() not in ["basic", "bearer"]:
 LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
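Review bot: In the legacy branch of the second hunk, `auth_type, body = plain.split()` raises a plain ValueError whenever the decoded header does not hold exactly two whitespace-separated tokens, and `except (UnicodeDecodeError, Error)` does not catch it, so a malformed header sent before authentication escapes as an unhandled exception instead of returning None. Widening the handler to `except (UnicodeDecodeError, Error, ValueError):` keeps the deny-by-default behaviour; `plain.split(maxsplit=1)` would additionally keep legacy credentials whose secret contains whitespace, if those are meant to be supported. The context line `auth_type, auth_credentials = auth_credentials.split()` after the branch uses the same unpacking pattern and predates this commit. token_from_header continues past the end of the hunk, so how its callers treat the exception is not visible here.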