providers/oauth2: use guardian anonymous user to get claims for provider info
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
d37de6bc00
commit
67d1f06c91
@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
from django.shortcuts import get_object_or_404, reverse
from django.views import View
from structlog.stdlib import get_logger
from guardian.shortcuts import get_anonymous_user
from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.models import Application
from authentik.providers.oauth2.constants import (
@ -130,7 +130,7 @@ class ProviderInfoView(View):
value = None
try:
value = scope.evaluate(
user=self.request.user,
user=get_anonymous_user(),
request=self.request,
provider=provider,
)
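Review bot: `user=get_anonymous_user()` at the call on line L51 resolves the guardian anonymous user with a database query each time it is evaluated, and if this `scope.evaluate(...)` call sits inside the per-scope loop that ProviderInfoView appears to use (the loop and the enclosing method start outside the hunk), that query is repeated once per scope; bind it once before the loop, `anonymous = get_anonymous_user()`, and pass `user=anonymous`. The intent of the switch away from `self.request.user` — discovery output must not depend on, or leak anything from, whoever happens to be logged in when the unauthenticated provider-info endpoint is fetched — deserves a comment at the call site, e.g. `# Provider info is unauthenticated: evaluate scope descriptions as the anonymous user, never the session user`. The surrounding try/except (L42) is unchanged and still decides what happens when a scope expression fails; that behaviour is not visible here.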
@ -112,7 +112,9 @@ class TokenParams:
engine.build()
result = engine.result
if not result.passing:
LOGGER.info("User not authenticated for application", user=self.user, app=app)
LOGGER.info(
"User not authenticated for application", user=self.user, app_slug=app.slug
)
raise TokenError("invalid_grant")
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
@ -303,10 +305,10 @@ class TokenParams:
source: Optional[OAuthSource] = None
parsed_key: Optional[PyJWK] = None
for source in self.provider.jwks_sources.all():
LOGGER.debug("verifying jwt with source", source=source.name)
LOGGER.debug("verifying jwt with source", source=source.slug)
keys = source.oidc_jwks.get("keys", [])
for key in keys:
LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid"))
LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
try:
parsed_key = PyJWK.from_dict(key)
token = decode(
@ -320,12 +322,14 @@ class TokenParams:
# AttributeError is raised when the configured JWK is a private key
# and not a public key
except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
LOGGER.warning("failed to validate jwt", exc=exc)
LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)
if not token:
LOGGER.warning("No token could be verified")
raise TokenError("invalid_grant")
LOGGER.debug("successfully verified jwt with source", source=source.slug)
if "exp" in token:
exp = datetime.fromtimestamp(token["exp"])
# Non-timezone aware check since we assume `exp` is in UTC
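Review bot: The new success log at L170, `LOGGER.debug("successfully verified jwt with source", source=source.slug)`, reads `source` after the `for source in self.provider.jwks_sources.all()` loop from the previous hunk has finished, so it names whichever source was iterated last, which is only the verifying source if the loop breaks as soon as `decode(...)` succeeds — that break, if present, is outside the hunk. If anything after this point (authorization or user lookup) also relies on `source` identifying the issuer of the accepted token, the same ambiguity applies, so it is safer to capture the match explicitly: set `verified_source = source` right after the successful decode, `break` out of the loop there, and log `source=verified_source.slug`. Separately, the warning at L154 now fires once per key per configured source, so a token legitimately issued by one source will emit a warning for every key of every other source; logging the per-key misses at debug and a single warning when no source verifies (L162 already does this) would keep the warning channel meaningful for detection. The enclosing method continues past the hunk.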