providers/oauth2: use guardian anonymous user to get claims for provider info

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 19:53:43 +01:00 · 2023-01-14 19:53:43 +01:00 · 67d1f06c91
parent d37de6bc00
commit 67d1f06c91
2 changed files with 10 additions and 6 deletions
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404, reverse
 from django.views import View
 from structlog.stdlib import get_logger
-
+from guardian.shortcuts import get_anonymous_user
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Application
 from authentik.providers.oauth2.constants import (
@ -130,7 +130,7 @@ class ProviderInfoView(View):
            value = None
            try:
                value = scope.evaluate(
-                    user=self.request.user,
+                    user=get_anonymous_user(),
                    request=self.request,
                    provider=provider,
                )
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -112,7 +112,9 @@ class TokenParams:
            engine.build()
            result = engine.result
            if not result.passing:
-                LOGGER.info("User not authenticated for application", user=self.user, app=app)
+                LOGGER.info(
+                    "User not authenticated for application", user=self.user, app_slug=app.slug
+                )
                raise TokenError("invalid_grant")

    def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
@ -303,10 +305,10 @@ class TokenParams:
        source: Optional[OAuthSource] = None
        parsed_key: Optional[PyJWK] = None
        for source in self.provider.jwks_sources.all():
-            LOGGER.debug("verifying jwt with source", source=source.name)
+            LOGGER.debug("verifying jwt with source", source=source.slug)
            keys = source.oidc_jwks.get("keys", [])
            for key in keys:
-                LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid"))
+                LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
                try:
                    parsed_key = PyJWK.from_dict(key)
                    token = decode(
@ -320,12 +322,14 @@ class TokenParams:
                # AttributeError is raised when the configured JWK is a private key
                # and not a public key
                except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
-                    LOGGER.warning("failed to validate jwt", exc=exc)
+                    LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)

        if not token:
            LOGGER.warning("No token could be verified")
            raise TokenError("invalid_grant")

+        LOGGER.debug("successfully verified jwt with source", source=source.slug)
+
        if "exp" in token:
            exp = datetime.fromtimestamp(token["exp"])
            # Non-timezone aware check since we assume `exp` is in UTC