From 7e213f3ca6a878c69fa2e2047c8bb6817799c30a Mon Sep 17 00:00:00 2001
From: Jens L
Date: Fri, 20 Oct 2023 20:37:52 +0200
Subject: [PATCH] sources/oauth: fix oidc well-known parsing (#7248)
---
 authentik/sources/oauth/api/source.py | 15 ++++++---------
 authentik/sources/oauth/tasks.py | 2 +-
 authentik/sources/oauth/tests/test_views.py | 1 +
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/authentik/sources/oauth/api/source.py b/authentik/sources/oauth/api/source.py
index 62941f863..1a350bd43 100644
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@@ -71,15 +71,12 @@ class OAuthSourceSerializer(SourceSerializer):
 text = exc.response.text if exc.response else str(exc)
 raise ValidationError({"oidc_well_known_url": text})
 config = well_known_config.json()
- try:
- attrs["authorization_url"] = config["authorization_endpoint"]
- attrs["access_token_url"] = config["token_endpoint"]
- attrs["profile_url"] = config["userinfo_endpoint"]
- inferred_oidc_jwks_url = config["jwks_uri"]
- except (IndexError, KeyError) as exc:
- raise ValidationError(
- {"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
- )
+ if "issuer" not in config:
+ raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
+ attrs["authorization_url"] = config.get("authorization_endpoint", "")
+ attrs["access_token_url"] = config.get("token_endpoint", "")
+ attrs["profile_url"] = config.get("userinfo_endpoint", "")
+ inferred_oidc_jwks_url = config.get("jwks_uri", "")
 # Prefer user-entered URL to inferred URL to default URL
 jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url
diff --git a/authentik/sources/oauth/tasks.py b/authentik/sources/oauth/tasks.py
index 1588117b9..6197df512 100644
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
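Review bot: The new `config.get(..., "")` defaults let a discovery document that carries `issuer` but lacks `authorization_endpoint` or `token_endpoint` pass validation and write empty strings into `authorization_url` and `access_token_url`, where the removed `try/except` rejected it; a source saved that way only fails later, at login, instead of at configuration time. OIDC Discovery lists those two endpoints as required and `userinfo_endpoint` as merely recommended, so the lenient lookup looks intended only for the latter, and `jwks_uri` is already covered by the fallback chain on the unchanged `jwks_url` line. The new error string also dropped the key name, so an operator can no longer see what the document is missing. Consider checking the required keys explicitly and naming them in the error while keeping `.get` for `userinfo_endpoint` and `jwks_uri`. The enclosing method begins before the hunk and continues after it.
```python
        config = well_known_config.json()
        # OIDC Discovery requires issuer, authorization_endpoint and token_endpoint;
        # userinfo_endpoint is only recommended and jwks_uri has a fallback below.
        missing = [
            key
            for key in ("issuer", "authorization_endpoint", "token_endpoint")
            if key not in config
        ]
        if missing:
            raise ValidationError(
                {"oidc_well_known_url": f"Invalid well-known configuration, missing: {', '.join(missing)}"}
            )
        attrs["authorization_url"] = config["authorization_endpoint"]
        attrs["access_token_url"] = config["token_endpoint"]
        attrs["profile_url"] = config.get("userinfo_endpoint", "")
        inferred_oidc_jwks_url = config.get("jwks_uri", "")
        # … unchanged: jwks_url preference chain …
```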
@@ -38,7 +38,7 @@ def update_well_known_jwks(self: MonitoredTask):
 for source_attr, config_key in source_attr_key:
 # Check if we're actually changing anything to only
 # save when something has changed
- if getattr(source, source_attr) != config[config_key]:
+ if getattr(source, source_attr, "") != config[config_key]:
 dirty = True
 setattr(source, source_attr, config[config_key])
 except (IndexError, KeyError) as exc:
diff --git a/authentik/sources/oauth/tests/test_views.py b/authentik/sources/oauth/tests/test_views.py
index 2e1919c17..16e57c057 100644
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
 def test_api_validate_openid_connect(self):
 """Test API validation (with OIDC endpoints)"""
 openid_config = {
+ "issuer": "foo",
 "authorization_endpoint": "http://mock/oauth/authorize",
 "token_endpoint": "http://mock/oauth/token",
 "userinfo_endpoint": "http://mock/oauth/userinfo",
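Review bot: The default added to `getattr(source, source_attr, "")` does not reach the failure it seems aimed at: `config[config_key]` on the same line still raises `KeyError` for a discovery document that omits that key, which then lands in the `except (IndexError, KeyError)` branch below and aborts the update for that source, while the serializer in this same commit now accepts such documents. If the intent is to tolerate optional keys such as `userinfo_endpoint` here too, guard the config side instead of the model side and skip the key rather than clearing a previously configured URL: `if config_key not in config: continue` before the comparison. Whether every `source_attr` is a model field that always exists on `source` is inferred, since `source_attr_key` and the surrounding `try` are outside the hunk. `update_well_known_jwks` begins before the hunk and continues after it.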
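Review bot: The fixture change only keeps the success path passing; the new `"issuer" not in config` rejection and the tolerance for a missing `userinfo_endpoint` in `OAuthSourceSerializer` have no test of their own. A second case posting a config without `issuer` and asserting a 400 on `oidc_well_known_url`, plus one without `userinfo_endpoint` asserting success with an empty `profile_url`, would pin the behaviour this commit introduces. `test_api_validate_openid_connect` continues past the end of the hunk.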