providers/oauth2: use guardian anonymous user to get claims for provider info

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens Langhammer 2023-01-14 19:53:43 +01:00
parent d37de6bc00
commit 67d1f06c91
2 changed files with 10 additions and 6 deletions


@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
from django.shortcuts import get_object_or_404, reverse from django.shortcuts import get_object_or_404, reverse
from django.views import View from django.views import View
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from guardian.shortcuts import get_anonymous_user
from authentik.core.exceptions import PropertyMappingExpressionException from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.models import Application from authentik.core.models import Application
from authentik.providers.oauth2.constants import ( from authentik.providers.oauth2.constants import (
@ -130,7 +130,7 @@ class ProviderInfoView(View):
value = None value = None
try: try:
value = scope.evaluate( value = scope.evaluate(
user=self.request.user, user=get_anonymous_user(),
request=self.request, request=self.request,
provider=provider, provider=provider,
) )
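Review bot: `get_anonymous_user()` on the changed line is evaluated inside the `try:` every time `scope.evaluate` runs, and django-guardian resolves the anonymous user with a database lookup on each call; if this sits in a per-scope loop (the surrounding `value = None` / `try:` suggests so, but the loop header is outside the hunk), hoist it once, e.g. `anonymous_user = get_anonymous_user()` above the loop and `user=anonymous_user,` here. That lookup also raises if the guardian anonymous user row does not exist, which the `except` that follows (outside the hunk) presumably does not cover — worth confirming. A short comment would record the intent the commit title gives, e.g. `# provider info is served unauthenticated; evaluate mappings as the anonymous user, never the requesting session`. The enclosing method of ProviderInfoView starts and ends outside the hunk.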


@ -112,7 +112,9 @@ class TokenParams:
engine.build() engine.build()
result = engine.result result = engine.result
if not result.passing: if not result.passing:
LOGGER.info("User not authenticated for application", user=self.user, app=app) LOGGER.info(
"User not authenticated for application", user=self.user, app_slug=app.slug
)
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest): def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
@ -303,10 +305,10 @@ class TokenParams:
source: Optional[OAuthSource] = None source: Optional[OAuthSource] = None
parsed_key: Optional[PyJWK] = None parsed_key: Optional[PyJWK] = None
for source in self.provider.jwks_sources.all(): for source in self.provider.jwks_sources.all():
LOGGER.debug("verifying jwt with source", source=source.name) LOGGER.debug("verifying jwt with source", source=source.slug)
keys = source.oidc_jwks.get("keys", []) keys = source.oidc_jwks.get("keys", [])
for key in keys: for key in keys:
LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid")) LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
try: try:
parsed_key = PyJWK.from_dict(key) parsed_key = PyJWK.from_dict(key)
token = decode( token = decode(
@ -320,12 +322,14 @@ class TokenParams:
# AttributeError is raised when the configured JWK is a private key # AttributeError is raised when the configured JWK is a private key
# and not a public key # and not a public key
except (PyJWTError, ValueError, TypeError, AttributeError) as exc: except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
LOGGER.warning("failed to validate jwt", exc=exc) LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)
if not token: if not token:
LOGGER.warning("No token could be verified") LOGGER.warning("No token could be verified")
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
LOGGER.debug("successfully verified jwt with source", source=source.slug)
if "exp" in token: if "exp" in token:
exp = datetime.fromtimestamp(token["exp"]) exp = datetime.fromtimestamp(token["exp"])
# Non-timezone aware check since we assume `exp` is in UTC # Non-timezone aware check since we assume `exp` is in UTC
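Review bot: On the new line `LOGGER.debug("successfully verified jwt with source", source=source.slug)`, placed after the `for source in self.provider.jwks_sources.all()` loop, `source` is whatever the loop left bound last, which is the source whose key actually decoded the token only if the loop breaks on success — the lines between `token = decode(` and the `except` are cut from the hunk, so this is not visible. If there is no break, a later source with unusable keys would be logged as the verifier, which misattributes the trust decision in the audit trail; record it explicitly, e.g. `verified_source = source` right after `decode(...)` returns and `source=verified_source.slug` in the debug line. The same slug attribution in the new `LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)` is correct, since it is emitted inside the loop. The enclosing method of TokenParams begins and ends outside the hunk.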