providers/oauth2: add password grant support (treated as client_credentials)
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
4210f692ff
commit
8689444954
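--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""
 
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token" # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password" # nosec
 
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"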
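--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -11,15 +11,12 @@ from authentik.providers.oauth2.constants import (
 ACR_AUTHENTIK_DEFAULT,
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+GRANT_TYPE_IMPLICIT,
+GRANT_TYPE_PASSWORD,
 GRANT_TYPE_REFRESH_TOKEN,
 SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import (
-GrantTypes,
-OAuth2Provider,
-ResponseTypes,
-ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
 from authentik.providers.oauth2.utils import cors_allow
 
 LOGGER = get_logger()
@@ -78,8 +75,9 @@ class ProviderInfoView(View):
 "grant_types_supported": [
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_REFRESH_TOKEN,
-GrantTypes.IMPLICIT,
+GRANT_TYPE_IMPLICIT,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+GRANT_TYPE_PASSWORD,
 ],
 "id_token_signing_alg_values_supported": [supported_alg],
 # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes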
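Review bot: The `grant_types_supported` list in ProviderInfoView now advertises `password` to every client reading the discovery document, while the commit title says the grant is only "treated as client_credentials"; a client that picks the RFC 6749 §4.3 password grant from this metadata will send its user's `username`/`password` form fields and get client-credential semantics instead, which is not what the advertised value promises. If the alias is intentional, say so next to the entry so the mismatch is visible to the next maintainer, e.g. `GRANT_TYPE_PASSWORD,  # advertised for compatibility only; handled as client_credentials by TokenParams`. The surrounding dict literal and the method that builds it start before the hunk.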
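--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -28,6 +28,7 @@ from authentik.providers.oauth2.constants import (
 CLIENT_ASSERTION_TYPE_JWT,
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+GRANT_TYPE_PASSWORD,
 GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@@ -108,7 +109,7 @@ class TokenParams:
 self.__post_init_code(raw_code)
 elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
 self.__post_init_refresh(raw_token, request)
-elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
 self.__post_init_client_credentials(request)
 else:
 LOGGER.warning("Invalid grant type", grant_type=self.grant_type)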
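Review bot: The changed `elif` in TokenParams routes a `password` grant into `__post_init_client_credentials` with no comment, so a reader will assume the RFC 6749 §4.3 `username`/`password` form parameters are verified on this path; whether that method reads them at all cannot be seen in this hunk, and the commit message only says the grant is "treated as client_credentials". Add a comment on the branch, e.g. `# "password" is an alias for client_credentials here: the RFC 6749 §4.3 username/password parameters are not evaluated by this path`, and consider a log line carrying the grant type so that use of the deprecated password grant by a client can be audited alongside the existing "Invalid grant type" warning. Minor style: write the membership test against a tuple, `elif self.grant_type in (GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD):`. The enclosing method starts before the hunk.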
@ -2,6 +2,8 @@
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
### Static authentication
### Static authentication
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.