sources/oauth: fix oidc well-known parsing (#7248)

2023-10-20 20:37:52 +02:00 · 2023-10-20 20:37:52 +02:00 · 7e213f3ca6
parent cc781cad00
commit 7e213f3ca6
3 changed files with 8 additions and 10 deletions
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -71,15 +71,12 @@ class OAuthSourceSerializer(SourceSerializer):
                text = exc.response.text if exc.response else str(exc)
                raise ValidationError({"oidc_well_known_url": text})
            config = well_known_config.json()
-            try:
-                attrs["authorization_url"] = config["authorization_endpoint"]
-                attrs["access_token_url"] = config["token_endpoint"]
-                attrs["profile_url"] = config["userinfo_endpoint"]
-                inferred_oidc_jwks_url = config["jwks_uri"]
-            except (IndexError, KeyError) as exc:
-                raise ValidationError(
-                    {"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
-                )
+            if "issuer" not in config:
+                raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
+            attrs["authorization_url"] = config.get("authorization_endpoint", "")
+            attrs["access_token_url"] = config.get("token_endpoint", "")
+            attrs["profile_url"] = config.get("userinfo_endpoint", "")
+            inferred_oidc_jwks_url = config.get("jwks_uri", "")

        # Prefer user-entered URL to inferred URL to default URL
        jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
@ -38,7 +38,7 @@ def update_well_known_jwks(self: MonitoredTask):
            for source_attr, config_key in source_attr_key:
                # Check if we're actually changing anything to only
                # save when something has changed
-                if getattr(source, source_attr) != config[config_key]:
+                if getattr(source, source_attr, "") != config[config_key]:
                    dirty = True
                setattr(source, source_attr, config[config_key])
        except (IndexError, KeyError) as exc:
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
    def test_api_validate_openid_connect(self):
        """Test API validation (with OIDC endpoints)"""
        openid_config = {
+            "issuer": "foo",
            "authorization_endpoint": "http://mock/oauth/authorize",
            "token_endpoint": "http://mock/oauth/token",
            "userinfo_endpoint": "http://mock/oauth/userinfo",