From 67d1f06c910f38de0eb459a1086e46c627fb8357 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 14 Jan 2023 19:53:43 +0100
Subject: [PATCH] providers/oauth2: use guardian anonymous user to get claims for provider info

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/provider.py | 4 ++--
 authentik/providers/oauth2/views/token.py | 12 ++++++++----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py
index 99b0cea86..0c8cbc34d 100644
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404, reverse
 from django.views import View
 from structlog.stdlib import get_logger
-
+from guardian.shortcuts import get_anonymous_user
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Application
 from authentik.providers.oauth2.constants import (
@@ -130,7 +130,7 @@ class ProviderInfoView(View):
             value = None
             try:
                 value = scope.evaluate(
-                    user=self.request.user,
+                    user=get_anonymous_user(),
                     request=self.request,
                     provider=provider,
                 )
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 5abeb2ab0..9567d65e0 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -112,7 +112,9 @@ class TokenParams:
         engine.build()
         result = engine.result
         if not result.passing:
-            LOGGER.info("User not authenticated for application", user=self.user, app=app)
+            LOGGER.info(
+                "User not authenticated for application", user=self.user, app_slug=app.slug
+            )
             raise TokenError("invalid_grant")

     def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
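Review bot: The new `from guardian.shortcuts import get_anonymous_user` takes the place of the blank line that separated the third-party imports from the `authentik.*` block, so the two groups now run together. `guardian` is third-party and belongs with `django`/`structlog`, and the blank line before `from authentik.core.exceptions import PropertyMappingExpressionException` should come back; isort ordering would be `from django.views import View`, `from guardian.shortcuts import get_anonymous_user`, `from structlog.stdlib import get_logger`, then the blank line.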
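Review bot: `get_anonymous_user()` is evaluated inside the `try` each time `scope.evaluate(` is called, and it does a database lookup on every call; if this block is inside a loop over the provider's scope mappings (the loop header is outside the hunk), fetch the user once before the loop, `anonymous_user = get_anonymous_user()`, and pass `user=anonymous_user`. The lookup also raises `User.DoesNotExist` when guardian's anonymous user row is absent, and if the `except` below the hunk only handles `PropertyMappingExpressionException`, that would surface as a 500 on an unauthenticated discovery endpoint — worth confirming. A short why-comment would help the next reader, e.g. `# Discovery is unauthenticated: give the mappings guardian's persistent anonymous User instead of Django's AnonymousUser`.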
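Review bot: The log entry now flattens the application to `app_slug=app.slug`, but `user=self.user` on the same line still passes a model instance, so the record is only half flattened; a scalar such as `user=self.user.username` would keep the structured log consistent, assuming `self.user` is always set before the policy engine runs (its assignment is outside the hunk). The enclosing method starts outside the hunk.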
@@ -303,10 +305,10 @@ class TokenParams:
         source: Optional[OAuthSource] = None
         parsed_key: Optional[PyJWK] = None
         for source in self.provider.jwks_sources.all():
-            LOGGER.debug("verifying jwt with source", source=source.name)
+            LOGGER.debug("verifying jwt with source", source=source.slug)
             keys = source.oidc_jwks.get("keys", [])
             for key in keys:
-                LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid"))
+                LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
                 try:
                     parsed_key = PyJWK.from_dict(key)
                     token = decode(
@@ -320,12 +322,14 @@ class TokenParams:
                 # AttributeError is raised when the configured JWK is a private key
                 # and not a public key
                 except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
-                    LOGGER.warning("failed to validate jwt", exc=exc)
+                    LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)

         if not token:
             LOGGER.warning("No token could be verified")
             raise TokenError("invalid_grant")

+        LOGGER.debug("successfully verified jwt with source", source=source.slug)
+
         if "exp" in token:
             exp = datetime.fromtimestamp(token["exp"])
             # Non-timezone aware check since we assume `exp` is in UTC
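Review bot: The added `LOGGER.debug("successfully verified jwt with source", source=source.slug)` runs after the `for source in self.provider.jwks_sources.all()` loop from the previous hunk has completed, so `source` is whichever source was iterated last, not necessarily the one whose key verified the token; nothing in the visible hunks exits the loop once `decode` succeeds (the lines between `token = decode(` and the `except` are outside the hunk), so with more than one configured source the log can attribute the verification to the wrong source. If code later in the method also relies on `source` to identify the verifying source (not visible here), the same mismatch applies there. If the intent is to stop at the first key that verifies, recording it explicitly — for example `verified_source = source` immediately after a successful `decode`, then leaving both loops — and logging that value would make the attribution accurate. The method begins outside the hunk.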