providers/oauth2: add password grant support (treated as client_credentials)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-03-31 18:02:17 +02:00
parent 4210f692ff
commit 8689444954
4 changed files with 11 additions and 8 deletions


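--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
@@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token" # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password" # nosec
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"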
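Review bot: `GRANT_TYPE_IMPLICIT = "implicit"` now carries the same value that `GrantTypes.IMPLICIT` in the models module already provides (the provider view swaps one for the other in this commit, and the four-file diffstat shows models is untouched), so the string is defined in two places that can drift apart. Unless the import direction makes it circular, have one side reference the other, e.g. make `GrantTypes.IMPLICIT` use this constant, or at least mark it `# keep in sync with GrantTypes.IMPLICIT in models.py`. The `# nosec` on `GRANT_TYPE_PASSWORD` is justified because the value is a grant-type name rather than a credential; a short comment saying exactly that, `# nosec: grant type name, not a secret`, spares the next reader from questioning the suppression.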


@ -11,15 +11,12 @@ from authentik.providers.oauth2.constants import (
ACR_AUTHENTIK_DEFAULT, ACR_AUTHENTIK_DEFAULT,
GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_AUTHORIZATION_CODE,
GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_CLIENT_CREDENTIALS,
GRANT_TYPE_IMPLICIT,
GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN, GRANT_TYPE_REFRESH_TOKEN,
SCOPE_OPENID, SCOPE_OPENID,
) )
from authentik.providers.oauth2.models import ( from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
GrantTypes,
OAuth2Provider,
ResponseTypes,
ScopeMapping,
)
from authentik.providers.oauth2.utils import cors_allow from authentik.providers.oauth2.utils import cors_allow
LOGGER = get_logger() LOGGER = get_logger()
@ -78,8 +75,9 @@ class ProviderInfoView(View):
"grant_types_supported": [ "grant_types_supported": [
GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_AUTHORIZATION_CODE,
GRANT_TYPE_REFRESH_TOKEN, GRANT_TYPE_REFRESH_TOKEN,
GrantTypes.IMPLICIT, GRANT_TYPE_IMPLICIT,
GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_CLIENT_CREDENTIALS,
GRANT_TYPE_PASSWORD,
], ],
"id_token_signing_alg_values_supported": [supported_alg], "id_token_signing_alg_values_supported": [supported_alg],
# See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
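Review bot: Adding `GRANT_TYPE_PASSWORD` to `grant_types_supported` tells any client that reads the discovery document that RFC 6749 §4.3 resource-owner credentials (`username`/`password`) are accepted at the token endpoint, whereas the commit message says the grant is handled as `client_credentials`, so a standards-following client will either be rejected or be authenticated by something other than the user credentials it sent. The deviation should be stated next to the entry so the metadata is not read as a claim of ROPC support: `# "password" is accepted for compatibility only; handled like client_credentials in TokenParams`. It is also worth asking whether it needs to be advertised at all, since clients that hard-code the grant do not consult this list and publishing it invites new ROPC integrations; this is a product decision the commit does not record. The enclosing method of `ProviderInfoView` starts and ends outside the hunk.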


@ -28,6 +28,7 @@ from authentik.providers.oauth2.constants import (
CLIENT_ASSERTION_TYPE_JWT, CLIENT_ASSERTION_TYPE_JWT,
GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_AUTHORIZATION_CODE,
GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_CLIENT_CREDENTIALS,
GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN, GRANT_TYPE_REFRESH_TOKEN,
) )
from authentik.providers.oauth2.errors import TokenError, UserAuthError from authentik.providers.oauth2.errors import TokenError, UserAuthError
@ -108,7 +109,7 @@ class TokenParams:
self.__post_init_code(raw_code) self.__post_init_code(raw_code)
elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN: elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
self.__post_init_refresh(raw_token, request) self.__post_init_refresh(raw_token, request)
elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS: elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
self.__post_init_client_credentials(request) self.__post_init_client_credentials(request)
else: else:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type) LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
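Review bot: Routing `GRANT_TYPE_PASSWORD` into `__post_init_client_credentials(request)` means that, as far as this dispatch shows, any `username`/`password` form fields a password-grant client sends are never consumed and authentication rests entirely on whatever that helper verifies (its body is outside the hunk; the commit says service accounts and app-password tokens). That is a safer choice than implementing real ROPC, but the intent should be written at the branch so nobody later "fixes" it by wiring the user's password in: `# password grant is deliberately handled like client_credentials; resource-owner username/password are not consumed`. Since the two grants are indistinguishable after this line, a `LOGGER.debug("password grant handled as client_credentials")` in that branch would let operators find which clients still depend on it. The enclosing method of `TokenParams` starts outside the hunk.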


@ -2,6 +2,8 @@
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time. Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
### Static authentication ### Static authentication
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function. Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.