providers/oauth2: use guardian anonymous user to get claims for provider info
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
d37de6bc00
commit
67d1f06c91
@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
|
||||||
from django.shortcuts import get_object_or_404, reverse
|
from django.shortcuts import get_object_or_404, reverse
|
||||||
from django.views import View
|
from django.views import View
|
||||||
from structlog.stdlib import get_logger
|
from structlog.stdlib import get_logger
|
||||||
|
from guardian.shortcuts import get_anonymous_user
|
||||||
from authentik.core.exceptions import PropertyMappingExpressionException
|
from authentik.core.exceptions import PropertyMappingExpressionException
|
||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.providers.oauth2.constants import (
|
from authentik.providers.oauth2.constants import (
|
||||||
|
@ -130,7 +130,7 @@ class ProviderInfoView(View):
|
||||||
value = None
|
value = None
|
||||||
try:
|
try:
|
||||||
value = scope.evaluate(
|
value = scope.evaluate(
|
||||||
user=self.request.user,
|
user=get_anonymous_user(),
|
||||||
request=self.request,
|
request=self.request,
|
||||||
provider=provider,
|
provider=provider,
|
||||||
)
|
)
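Review bot: `get_anonymous_user()` on the new line is evaluated inside the `try:` body, which from the `value = None` / `try:` shape looks like it runs once per scope mapping; the loop header and the matching `except` are above and below the hunk, so this is inferred. Guardian's helper resolves the anonymous user through the user model (a database lookup, as I recall), so hoist it once before the loop, `anonymous_user = get_anonymous_user()`, and pass `user=anonymous_user` here. Since the discovery document is served unauthenticated, a short comment on the call would help the next reader: `# provider-info is unauthenticated; evaluate mappings as the guardian anonymous user so expressions always get a persisted User`. Worth checking separately that the anonymous user row is guaranteed to exist, because guardian raises `User.DoesNotExist` otherwise and that would surface as a 500 on a public endpoint rather than as a mapping error.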
|
||||||
|
|
|
@ -112,7 +112,9 @@ class TokenParams:
|
||||||
engine.build()
|
engine.build()
|
||||||
result = engine.result
|
result = engine.result
|
||||||
if not result.passing:
|
if not result.passing:
|
||||||
LOGGER.info("User not authenticated for application", user=self.user, app=app)
|
LOGGER.info(
|
||||||
|
"User not authenticated for application", user=self.user, app_slug=app.slug
|
||||||
|
)
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
|
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
|
||||||
|
@ -303,10 +305,10 @@ class TokenParams:
|
||||||
source: Optional[OAuthSource] = None
|
source: Optional[OAuthSource] = None
|
||||||
parsed_key: Optional[PyJWK] = None
|
parsed_key: Optional[PyJWK] = None
|
||||||
for source in self.provider.jwks_sources.all():
|
for source in self.provider.jwks_sources.all():
|
||||||
LOGGER.debug("verifying jwt with source", source=source.name)
|
LOGGER.debug("verifying jwt with source", source=source.slug)
|
||||||
keys = source.oidc_jwks.get("keys", [])
|
keys = source.oidc_jwks.get("keys", [])
|
||||||
for key in keys:
|
for key in keys:
|
||||||
LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid"))
|
LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
|
||||||
try:
|
try:
|
||||||
parsed_key = PyJWK.from_dict(key)
|
parsed_key = PyJWK.from_dict(key)
|
||||||
token = decode(
|
token = decode(
|
||||||
|
@ -320,12 +322,14 @@ class TokenParams:
|
||||||
# AttributeError is raised when the configured JWK is a private key
|
# AttributeError is raised when the configured JWK is a private key
|
||||||
# and not a public key
|
# and not a public key
|
||||||
except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
|
except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
|
||||||
LOGGER.warning("failed to validate jwt", exc=exc)
|
LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)
|
||||||
|
|
||||||
if not token:
|
if not token:
|
||||||
LOGGER.warning("No token could be verified")
|
LOGGER.warning("No token could be verified")
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
|
LOGGER.debug("successfully verified jwt with source", source=source.slug)
|
||||||
|
|
||||||
if "exp" in token:
|
if "exp" in token:
|
||||||
exp = datetime.fromtimestamp(token["exp"])
|
exp = datetime.fromtimestamp(token["exp"])
|
||||||
# Non-timezone aware check since we assume `exp` is in UTC
|
# Non-timezone aware check since we assume `exp` is in UTC
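Review bot: The changed `LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)` fires once for every key that does not verify the token, and because the loop tries each key of each JWKS source rather than selecting on the token's `kid`, a valid assertion with N configured keys still produces up to N-1 warnings that an unauthenticated caller of the token endpoint can drive at will. I would log per-key failures at `LOGGER.debug(...)` and keep the existing `"No token could be verified"` warning as the single alert, or select the key by `kid` before calling `decode` (the decode arguments are outside the hunk, so I cannot see whether that already happens). The new `LOGGER.debug("successfully verified jwt with source", source=source.slug)` reads `source` after both loops have run, so it names the verifying source only if the inner loop breaks on the first successful decode; that break, if present, is also outside the hunk, otherwise the line reports the last source iterated. Adjacent rather than new: `datetime.fromtimestamp(token["exp"])` yields local time while the comment assumes UTC, so `datetime.fromtimestamp(token["exp"], tz=timezone.utc)` (if `timezone` is in scope) would make the comparison below unambiguous. The enclosing method starts before and ends after this hunk.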
|
||||||
|
|