providers/oauth2: remove deprecated verification_keys (#3071)

remove verification_keys Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-11 19:48:07 +02:00 · 2022-06-11 19:48:07 +02:00 · 6821402fef
parent 8dbb0bd2c6
commit 6821402fef
16 changed files with 35 additions and 358 deletions
--- a/authentik/providers/oauth2/api/provider.py
+++ b/authentik/providers/oauth2/api/provider.py
@ -34,7 +34,6 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "sub_mode",
            "property_mappings",
            "issuer_mode",
            "verification_keys",
            "jwks_sources",
        ]
--- a/authentik/providers/oauth2/migrations/0012_remove_oauth2provider_verification_keys.py
+++ b/authentik/providers/oauth2/migrations/0012_remove_oauth2provider_verification_keys.py
@ -0,0 +1,17 @@
 # Generated by Django 4.0.5 on 2022-06-04 21:26
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0011_oauth2provider_jwks_sources_and_more"),
    ]
    operations = [
        migrations.RemoveField(
            model_name="oauth2provider",
            name="verification_keys",
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -222,19 +222,6 @@ class OAuth2Provider(Provider):
        ),
    )
    verification_keys = models.ManyToManyField(
        CertificateKeyPair,
        verbose_name=_("Allowed certificates for JWT-based client_credentials"),
        help_text=_(
            (
                "DEPRECATED. JWTs created with the configured "
                "certificates can authenticate with this provider."
            )
        ),
        related_name="oauth2_providers",
        default=None,
        blank=True,
    )
    jwks_sources = models.ManyToManyField(
        OAuthSource,
        verbose_name=_(
--- a/authentik/providers/oauth2/tests/test_token_cc_jwt.py
+++ b/authentik/providers/oauth2/tests/test_token_cc_jwt.py
@ -1,203 +0,0 @@
 """Test token view"""
 from datetime import datetime, timedelta
 from json import loads
 from django.test import RequestFactory
 from django.urls import reverse
 from jwt import decode
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.managed.manager import ObjectManager
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
 )
 from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
 from authentik.providers.oauth2.tests.utils import OAuthTestCase
 class TestTokenClientCredentialsJWT(OAuthTestCase):
    """Test token (client_credentials, with JWT) view"""
    def setUp(self) -> None:
        super().setUp()
        ObjectManager().run()
        self.factory = RequestFactory()
        self.cert = create_test_cert()
        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_id(),
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
            redirect_uris="http://testserver",
            signing_key=self.cert,
        )
        self.provider.verification_keys.set([self.cert])
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
    def test_invalid_type(self):
        """test invalid type"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "foo",
                "client_assertion": "foo.bar",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_jwt(self):
        """test invalid JWT"""
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": "foo.bar",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_signature(self):
        """test invalid JWT"""
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token + "foo",
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_expired(self):
        """test invalid JWT"""
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() - timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_no_app(self):
        """test invalid JWT"""
        self.app.provider = None
        self.app.save()
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_invalid_access_denied(self):
        """test invalid JWT"""
        group = Group.objects.create(name="foo")
        PolicyBinding.objects.create(
            group=group,
            target=self.app,
            order=0,
        )
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 400)
        body = loads(response.content.decode())
        self.assertEqual(body["error"], "invalid_grant")
    def test_successful(self):
        """test successful"""
        token = self.provider.encode(
            {
                "sub": "foo",
                "exp": datetime.now() + timedelta(hours=2),
            }
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            {
                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
                "client_id": self.provider.client_id,
                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                "client_assertion": token,
            },
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], "bearer")
        _, alg = self.provider.get_jwt_key()
        jwt = decode(
            body["access_token"],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(
            jwt["given_name"], "Autogenerated user from application test (client credentials JWT)"
        )
        self.assertEqual(jwt["preferred_username"], "test-foo")
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -21,7 +21,6 @@ from authentik.core.models import (
    TokenIntents,
    User,
 )
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
@ -38,7 +37,6 @@ from authentik.providers.oauth2.errors import TokenError, UserAuthError
 from authentik.providers.oauth2.models import (
    AuthorizationCode,
    ClientTypes,
    JWTAlgorithms,
    OAuth2Provider,
    RefreshToken,
 )
@ -292,26 +290,6 @@ class TokenParams:
        token = None
        # TODO: Remove in 2022.7, deprecated field `verification_keys``
        for cert in self.provider.verification_keys.all():
            LOGGER.debug("verifying jwt with key", key=cert.name)
            cert: CertificateKeyPair
            public_key = cert.certificate.public_key()
            if cert.private_key:
                public_key = cert.private_key.public_key()
            try:
                token = decode(
                    assertion,
                    public_key,
                    algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.ES256],
                    options={
                        "verify_aud": False,
                    },
                )
            except (PyJWTError, ValueError, TypeError) as exc:
                LOGGER.warning("failed to validate jwt", exc=exc)
        # TODO: End remove block
        source: Optional[OAuthSource] = None
        parsed_key: Optional[PyJWK] = None
        for source in self.provider.jwks_sources.all():
--- a/schema.yml
+++ b/schema.yml
@ -23237,15 +23237,6 @@ components:
          allOf:
          - $ref: '#/components/schemas/IssuerModeEnum'
          description: Configure how the issuer field of the ID Token should be filled.
        verification_keys:
          type: array
          items:
            type: string
            format: uuid
            title: Allowed certificates for JWT-based client_credentials
          title: Allowed certificates for JWT-based client_credentials
          description: DEPRECATED. JWTs created with the configured certificates can
            authenticate with this provider.
        jwks_sources:
          type: array
          items:
@ -23325,15 +23316,6 @@ components:
          allOf:
          - $ref: '#/components/schemas/IssuerModeEnum'
          description: Configure how the issuer field of the ID Token should be filled.
        verification_keys:
          type: array
          items:
            type: string
            format: uuid
            title: Allowed certificates for JWT-based client_credentials
          title: Allowed certificates for JWT-based client_credentials
          description: DEPRECATED. JWTs created with the configured certificates can
            authenticate with this provider.
        jwks_sources:
          type: array
          items:
@ -27711,15 +27693,6 @@ components:
          allOf:
          - $ref: '#/components/schemas/IssuerModeEnum'
          description: Configure how the issuer field of the ID Token should be filled.
        verification_keys:
          type: array
          items:
            type: string
            format: uuid
            title: Allowed certificates for JWT-based client_credentials
          title: Allowed certificates for JWT-based client_credentials
          description: DEPRECATED. JWTs created with the configured certificates can
            authenticate with this provider.
        jwks_sources:
          type: array
          items:
--- a/web/src/locales/de.po
+++ b/web/src/locales/de.po
@ -1552,7 +1552,6 @@ msgstr "{0} löschen"
 msgid "Deny the user access"
 msgstr "Dem Benutzer den Zugang verweigern"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2471,7 +2470,6 @@ msgstr "Interne Konten ausblenden"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2753,7 +2751,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT Algorithmus"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2937,7 +2934,6 @@ msgstr "Wird geladen"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6308,8 +6304,8 @@ msgid "Verification Certificate"
 msgstr "Zertifikat zur Überprüfung"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@ -1570,7 +1570,6 @@ msgstr "Delete {0}"
 msgid "Deny the user access"
 msgstr "Deny the user access"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
@ -2510,7 +2509,6 @@ msgstr "Hide service-accounts"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2803,7 +2801,6 @@ msgstr "JWKS URL"
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT Algorithm"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr "JWTs signed by certificates configured here can be used to authenticate to the provider."
@ -2989,7 +2986,6 @@ msgstr "Loading"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6434,8 +6430,8 @@ msgid "Verification Certificate"
 msgstr "Verification Certificate"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr "Verification certificates"
+#~ msgstr "Verification certificates"
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/es.po
+++ b/web/src/locales/es.po
@ -1543,7 +1543,6 @@ msgstr "Eliminar {0}"
 msgid "Deny the user access"
 msgstr "Denegar el acceso al usuario"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2462,7 +2461,6 @@ msgstr "Ocultar cuentas de servicio"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2746,7 +2744,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "algoritmo JWT"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2930,7 +2927,6 @@ msgstr "Cargando"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6302,8 +6298,8 @@ msgid "Verification Certificate"
 msgstr "Certificado de verificación"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@ -1555,7 +1555,6 @@ msgstr "Supprimer {0}"
 msgid "Deny the user access"
 msgstr "Refuser l'accès à l'utilisateu"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2488,7 +2487,6 @@ msgstr "Cacher les comptes de service"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2776,7 +2774,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "Algorithme JWT"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2961,7 +2958,6 @@ msgstr "Chargement en cours"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6363,8 +6359,8 @@ msgid "Verification Certificate"
 msgstr "Certificat de validation"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/pl.po
+++ b/web/src/locales/pl.po
@ -1540,7 +1540,6 @@ msgstr "Usuń {0}"
 msgid "Deny the user access"
 msgstr "Odmów użytkownikowi dostępu"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2459,7 +2458,6 @@ msgstr "Ukryj konta serwisowe"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2743,7 +2741,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "Algorytm JWT"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2927,7 +2924,6 @@ msgstr "Ładowanie"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6299,8 +6295,8 @@ msgid "Verification Certificate"
 msgstr "Certyfikat weryfikacji"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@ -1556,7 +1556,6 @@ msgstr ""
 msgid "Deny the user access"
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2496,7 +2495,6 @@ msgstr ""
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2785,7 +2783,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2971,7 +2968,6 @@ msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6404,8 +6400,8 @@ msgid "Verification Certificate"
 msgstr ""
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@ -1543,7 +1543,6 @@ msgstr "{0} Sil"
 msgid "Deny the user access"
 msgstr "Kullanıcı erişimini engelle"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2462,7 +2461,6 @@ msgstr "Hizmet hesaplarını gizle"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2747,7 +2745,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT Algoritması"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@ -2931,7 +2928,6 @@ msgstr "Yükleniyor"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6304,8 +6300,8 @@ msgid "Verification Certificate"
 msgstr "Doğrulama Sertifikası"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr ""
+#~ msgstr ""
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/zh-Hant.po
+++ b/web/src/locales/zh-Hant.po
@ -1540,7 +1540,6 @@ msgstr "删除 {0}"
 msgid "Deny the user access"
 msgstr "拒绝用户访问"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2451,7 +2450,6 @@ msgstr "隐藏服务账户"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2734,7 +2732,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT 算法"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
@ -2917,7 +2914,6 @@ msgstr "正在加载"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6270,8 +6266,8 @@ msgid "Verification Certificate"
 msgstr "验证证书"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr "验证证书"
+#~ msgstr "验证证书"
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/locales/zh_TW.po
+++ b/web/src/locales/zh_TW.po
@ -1540,7 +1540,6 @@ msgstr "删除 {0}"
 msgid "Deny the user access"
 msgstr "拒绝用户访问"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@ -2451,7 +2450,6 @@ msgstr "隐藏服务账户"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@ -2734,7 +2732,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT 算法"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr "此处配置的证书签名的 JWT 可以用于此提供程序的身份验证。"
@ -2917,7 +2914,6 @@ msgstr "正在加载"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@ -6270,8 +6266,8 @@ msgid "Verification Certificate"
 msgstr "验证证书"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
+#~ msgid "Verification certificates"
-msgstr "验证证书"
+#~ msgstr "验证证书"
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@ -405,44 +405,6 @@ ${this.instance?.redirectUris}</textarea
                            ${t`Hold control/command to select multiple items.`}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${t`Verification certificates`}
                        name="verificationKeys"
                    >
                        <select class="pf-c-form-control" multiple>
                            ${until(
                                new CryptoApi(DEFAULT_CONFIG)
                                    .cryptoCertificatekeypairsList({
                                        ordering: "name",
                                    })
                                    .then((keys) => {
                                        return keys.results.map((key) => {
                                            const selected = (
                                                this.instance?.verificationKeys || []
                                            ).some((su) => {
                                                return su == key.pk;
                                            });
                                            return html`<option
                                                value=${key.pk}
                                                ?selected=${selected}
                                            >
                                                ${key.name} (${key.privateKeyType?.toUpperCase()})
                                            </option>`;
                                        });
                                    }),
                                html`<option>${t`Loading...`}</option>`,
                            )}
                        </select>
                        <p class="pf-c-form__helper-text">
                            ${t`Deprecated. Instead of using this field, configure the JWKS data/URL in Sources.`}
                        </p>
                        <p class="pf-c-form__helper-text">
                            ${t`JWTs signed by certificates configured here can be used to authenticate to the provider.`}
                        </p>
                        <p class="pf-c-form__helper-text">
                            ${t`Hold control/command to select multiple items.`}
                        </p>
                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
        </form>`;