diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 6e77e2146..e61f45018 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -119,6 +119,7 @@ class OAuthAuthorizationParams:
 grant_type,
 )
 
+ max_age = query_dict.get("max_age")
 return OAuthAuthorizationParams(
 client_id=query_dict.get("client_id", ""),
 redirect_uri=query_dict.get("redirect_uri", ""),
@@ -130,12 +131,11 @@ class OAuthAuthorizationParams:
 prompt=ALLOWED_PROMPT_PARAMS.intersection(
 set(query_dict.get("prompt", "").split())
 ),
- max_age=query_dict.get("max_age"),
+ max_age=int(max_age) if max_age else None,
 code_challenge=query_dict.get("code_challenge"),
 code_challenge_method=query_dict.get("code_challenge_method"),
 )
 
- # pylint: disable=too-many-branches
 def __post_init__(self):
 try:
 self.provider: OAuth2Provider = OAuth2Provider.objects.get(
@@ -190,10 +190,6 @@ class OAuthAuthorizationParams:
 self.redirect_uri, "invalid_request", self.grant_type
 )
 
- # max_age directly from the Querystring will be a string
- if self.max_age:
- self.max_age = int(self.max_age)
-
 def create_code(self, request: HttpRequest) -> AuthorizationCode:
 """Create an AuthorizationCode object for the request"""
 code = AuthorizationCode()
diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py
index 28c983374..b30245c0f 100644
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
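Review bot: `max_age=int(max_age) if max_age else None` in the second hunk (converting the value read by the line added in the first hunk) still lets a non-numeric query value such as `max_age=abc` raise an unhandled `ValueError`, so a malformed authorization request turns into a server error instead of the `invalid_request` this class raises for its other bad parameters; the removed `__post_init__` lines had the same gap, and the commit moves the conversion without closing it. OIDC Core 3.1.2.1 defines max_age as a non-negative integer, so a negative value should be rejected at the same point rather than reaching whatever later compares it against the session age. Whether raising `AuthorizeError` from `from_request` with the still-unvalidated `redirect_uri` is acceptable depends on the error handler, which is not visible here; if that handler redirects to the URI it is given, keep the raw string in `from_request` and perform the checked conversion in `__post_init__` after the redirect_uri validation instead. Both `from_request` and `__post_init__` start outside these hunks.
```python
        max_age = query_dict.get("max_age")
        # OIDC Core 3.1.2.1: max_age is a non-negative integer; anything else is a
        # malformed request and must not surface as an unhandled ValueError
        try:
            max_age = int(max_age) if max_age else None
        except ValueError as exc:
            raise AuthorizeError(query_dict.get("redirect_uri", ""), "invalid_request", grant_type) from exc
        if max_age is not None and max_age < 0:
            raise AuthorizeError(query_dict.get("redirect_uri", ""), "invalid_request", grant_type)
        return OAuthAuthorizationParams(
            # … unchanged: client_id … prompt keyword arguments …
            max_age=max_age,
            # … unchanged: code_challenge, code_challenge_method …
```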
@@ -60,6 +60,11 @@ class ProviderInfoView(View):
 # We only advertise the 'openid' scope, as the rest vary depending on application
 SCOPE_OPENID,
 ],
+ # https://openid.net/specs/openid-connect-core-1_0.html#RequestObject
+ "request_parameter_supported": False,
+ # Because claims are dynamic and per-application, the only fixed Claim is "sub"
+ "claims_supported": ["sub"],
+ "claims_parameter_supported": False,
 }
 
 # pylint: disable=unused-argument
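Review bot: The new discovery entries leave out `request_uri_parameter_supported`, whose OIDC Discovery 1.0 default is `true` when the key is omitted, so after this hunk the document states that request objects passed by value are unsupported while implicitly advertising request objects by reference, which is the harder case for the server because it would have to fetch a relying-party-supplied URL. Unless the view actually processes `request_uri` (nothing in this hunk suggests it does), add `"request_uri_parameter_supported": False,` directly under the `request_parameter_supported` line so clients get an explicit answer for both forms. The dictionary literal being extended here begins outside the hunk, so that placement assumes the surrounding literal is the discovery response body.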