providers/oauth2: fix "auth_time" being based on user.last_login

This commit is contained in:
Jens Langhammer 2020-12-26 17:54:05 +01:00
parent 319104c39b
commit 8dddcf891e
2 changed files with 7 additions and 3 deletions


@ -22,6 +22,7 @@ from rest_framework.serializers import Serializer
from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
from authentik.crypto.models import CertificateKeyPair
from authentik.events.models import Event, EventAction
from authentik.lib.utils.template import render_to_string
from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
from authentik.providers.oauth2.apps import AuthentikProviderOAuth2Config
@ -482,8 +483,12 @@ class RefreshToken(ExpiringModel, BaseGrantModel):
exp_time = int(
now + timedelta_from_string(self.provider.token_validity).seconds
)
user_auth_time = user.last_login or user.date_joined
auth_time = int(dateformat.format(user_auth_time, "U"))
# Because this function is called after the AUTHORIZE_APPLICATION Event has been created,
# we use the timestamp of that.
auth_event = Event.objects.filter(
action=EventAction.AUTHORIZE_APPLICATION, user=user
).latest("created")
auth_time = int(dateformat.format(auth_event.created, "U"))
token = IDToken(
iss=self.provider.get_issuer(request),
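Review bot: The `.latest("created")` call on the new `auth_event` query raises `Event.DoesNotExist` when no AUTHORIZE_APPLICATION event exists for the user, and nothing in the hunk catches it, so ID-token creation would fail with an unhandled exception instead of degrading; the comment assumes the event is always created first, but this method lives on RefreshToken and it is not visible here whether every code path that builds an ID token (a refresh, for instance) is preceded by such an event. The removed `user.last_login or user.date_joined` expression is a natural fallback, so I would take the latest event with `.order_by("-created").first()` and only use its timestamp when one is found. Note also that the filter constrains only `user`, not the provider or application, so the timestamp reflects the user's most recent authorization to any application; if that is intended it deserves a line in the comment. The enclosing method starts outside the hunk, and the rendered hunk appears to be missing one line relative to its header counts.
```python
auth_event = (
    Event.objects.filter(action=EventAction.AUTHORIZE_APPLICATION, user=user)
    .order_by("-created")
    .first()
)
# Fall back to the login timestamp when no authorization event is recorded
# for this user, rather than failing token creation.
auth_ts = auth_event.created if auth_event else (user.last_login or user.date_joined)
auth_time = int(dateformat.format(auth_ts, "U"))
# … unchanged: IDToken(...) construction …
```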


@ -344,7 +344,6 @@ class AuthorizationFlowInitView(PolicyAccessView):
try:
params = OAuthAuthorizationParams.from_request(request)
except OAuth2Error as error:
# pylint: disable=no-member
return bad_request_message(request, error.description, title=error.error)
except OAuth2Provider.DoesNotExist:
raise Http404