providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-04-18 14:20:50 +02:00
parent 52abd959eb
commit f328b21e89
7 changed files with 170 additions and 118 deletions


@ -3,6 +3,7 @@ import re
from base64 import b64decode
from binascii import Error
from typing import Optional
from urllib.parse import urlparse
from django.http import HttpRequest, HttpResponse, JsonResponse
from django.utils.cache import patch_vary_headers
@ -25,15 +26,34 @@ class TokenResponse(JsonResponse):
self["Pragma"] = "no-cache"
def cors_allow_any(request, response):
"""
Add headers to permit CORS requests from any origin, with or without credentials,
with any headers.
"""
def cors_allow_any(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
"""Add headers to permit CORS requests from any origin, with or without credentials,
with any headers."""
origin = request.META.get("HTTP_ORIGIN")
if not origin:
return response
# OPTIONS requests don't have an authorization header -> hence
# we can't extract the provider this request is for
# so for options requests we allow the calling origin without checking
allowed = request.method == "OPTIONS"
received_origin = urlparse(origin)
for allowed_origin in allowed_origins:
url = urlparse(allowed_origin)
if (
received_origin.scheme == url.scheme
and received_origin.hostname == url.hostname
and received_origin.port == url.port
):
allowed = True
if not allowed:
LOGGER.warning(
"CORS: Origin is not an allowed origin",
requested=origin,
allowed=allowed_origins,
)
return response
# From the CORS spec: The string "*" cannot be used for a resource that supports credentials.
response["Access-Control-Allow-Origin"] = origin
patch_vary_headers(response, ["Origin"])
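Review bot: The origin comparison inside the `for allowed_origin in allowed_origins` loop treats two unparseable values as equal: `urlparse("")` and `urlparse("null")` both give an empty `scheme` and `None` for `hostname` and `port`, so a blank entry in `allowed_origins` (the callers build the list with `split("\n")`, so a trailing newline in a provider's redirect URI list yields one) would let a request carrying `Origin: null` through and have that value reflected into `Access-Control-Allow-Origin`. Skip entries that do not parse to an absolute URL before comparing, `if not url.scheme or not url.hostname: continue`, and treat a received origin without a hostname as not allowed. A `break` after `allowed = True` would also end the loop on the first match. cors_allow_any appears to continue past the end of the hunk (no `return response` is visible after `patch_vary_headers`).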


@ -30,6 +30,8 @@ PLAN_CONTEXT_SCOPES = "scopes"
class ProviderInfoView(View):
"""OpenID-compliant Provider Info"""
provider: OAuth2Provider
def get_info(self, provider: OAuth2Provider) -> dict[str, Any]:
"""Get dictionary for OpenID Connect information"""
scopes = list(
@ -95,19 +97,20 @@ class ProviderInfoView(View):
}
# pylint: disable=unused-argument
def get(
self, request: HttpRequest, application_slug: str, *args, **kwargs
) -> HttpResponse:
def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
"""OpenID-compliant Provider Info"""
return JsonResponse(
self.get_info(self.provider), json_dumps_params={"indent": 2}
)
def dispatch(
self, request: HttpRequest, application_slug: str, *args: Any, **kwargs: Any
) -> HttpResponse:
# Since this view only supports get, we can statically set the CORS headers
application = get_object_or_404(Application, slug=application_slug)
provider: OAuth2Provider = get_object_or_404(
self.provider: OAuth2Provider = get_object_or_404(
OAuth2Provider, pk=application.provider_id
)
return JsonResponse(self.get_info(provider), json_dumps_params={"indent": 2})
def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
# Since this view only supports get, we can statically set the CORS headers
response = super().dispatch(request, *args, **kwargs)
cors_allow_any(request, response)
cors_allow_any(request, response, *self.provider.redirect_uris.split("\n"))
return response
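Review bot: `self.provider.redirect_uris.split("\n")` on the `cors_allow_any` call yields a trailing empty string whenever the stored value ends with a newline, and that empty entry is then compared as an allowed origin; `self.provider.redirect_uris.splitlines()` drops the trailing entry, and filtering out empty strings covers blank lines in the middle. The same split is repeated in UserInfoView.dispatch in this commit, so a single helper on the provider (for example a `redirect_uri_list` property — constructed name) would keep both call sites in sync. The class attribute `provider: OAuth2Provider` is only assigned inside `dispatch`, so a comment such as `# set per request in dispatch(); get() relies on it` would spare a reader the search. The retained `# Since this view only supports get, we can statically set the CORS headers` comment now heads a method that also resolves the application and provider and should mention that.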


@ -1,7 +1,8 @@
"""authentik OAuth2 OpenID Userinfo views"""
from typing import Any
from typing import Any, Optional
from django.http import HttpRequest, HttpResponse
from django.http.response import HttpResponseBadRequest
from django.utils.translation import gettext_lazy as _
from django.views import View
from structlog.stdlib import get_logger
@ -22,6 +23,8 @@ class UserInfoView(View):
"""Create a dictionary with all the requested claims about the End-User.
See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse"""
token: Optional[RefreshToken]
def get_scope_descriptions(self, scopes: list[str]) -> list[dict[str, str]]:
"""Get a list of all Scopes's descriptions"""
scope_descriptions = []
@ -79,16 +82,25 @@ class UserInfoView(View):
final_claims.update(value)
return final_claims
def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
self.token = kwargs.get("token", None)
response = super().dispatch(request, *args, **kwargs)
allowed_origins = []
if self.token:
allowed_origins = self.token.provider.redirect_uris.split("\n")
cors_allow_any(self.request, response, *allowed_origins)
return response
def options(self, request: HttpRequest) -> HttpResponse:
return cors_allow_any(self.request, TokenResponse({}))
return TokenResponse({})
def get(self, request: HttpRequest, **kwargs) -> HttpResponse:
"""Handle GET Requests for UserInfo"""
token: RefreshToken = kwargs["token"]
claims = self.get_claims(token)
claims["sub"] = token.id_token.sub
if not self.token:
return HttpResponseBadRequest()
claims = self.get_claims(self.token)
claims["sub"] = self.token.id_token.sub
response = TokenResponse(claims)
cors_allow_any(self.request, response)
return response
def post(self, request: HttpRequest, **kwargs) -> HttpResponse:
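Review bot: `options(self, request: HttpRequest)` accepts no extra arguments, while the new `dispatch` forwards `*args, **kwargs` to the handler and `get`/`post` both take `**kwargs`; if whatever supplies the `token` kwarg (outside this hunk) ever passes it on a preflight, Django's dispatch raises TypeError and the browser receives a 500 with no CORS headers. `def options(self, request: HttpRequest, **kwargs) -> HttpResponse:` matches the sibling handlers. The `HttpResponseBadRequest` branch in `get` should carry a comment stating whether it is a defensive fallback behind the decorator or the primary check — if it is the primary check, RFC 6750 expects a 401 with a `WWW-Authenticate: Bearer` header rather than a 400. `dispatch` also calls `cors_allow_any(self.request, ...)` although it is handed `request`; using the parameter, as ProviderInfoView.dispatch does, avoids the indirection. UserInfoView continues past the hunk (`post` starts on its last line).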


@ -21,7 +21,7 @@ class ProxyScopeMappingManager(ObjectManager):
EnsureExists(
ScopeMapping,
"goauthentik.io/providers/proxy/scope-proxy",
name="authentik default OAuth Mapping: proxy outpost",
name="authentik default OAuth Mapping: Proxy outpost",
scope_name=SCOPE_AK_PROXY,
expression=SCOPE_AK_PROXY_EXPRESSION,
),


@ -105,7 +105,7 @@ msgstr "Additional group DN, prepended to the Base DN."
msgid "Additional user DN, prepended to the Base DN."
msgstr "Additional user DN, prepended to the Base DN."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:128
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:131
#: src/pages/providers/proxy/ProxyProviderForm.ts:128
#: src/pages/providers/saml/SAMLProviderForm.ts:117
#: src/pages/sources/saml/SAMLSourceForm.ts:134
@ -125,7 +125,7 @@ msgstr "Affected model:"
msgid "Alert"
msgstr "Alert"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
msgid "Algorithm used to sign the JWT Tokens."
msgstr "Algorithm used to sign the JWT Tokens."
@ -220,19 +220,19 @@ msgstr "Are you sure you want to delete {0} {objName} ?"
msgid "Are you sure you want to update {0} \"{1}\"?"
msgstr "Are you sure you want to update {0} \"{1}\"?"
#: src/pages/providers/saml/SAMLProviderForm.ts:202
#: src/pages/providers/saml/SAMLProviderForm.ts:208
msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
msgstr "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
#: src/pages/providers/saml/SAMLProviderForm.ts:191
#: src/pages/providers/saml/SAMLProviderForm.ts:197
msgid "Assertion valid not before"
msgstr "Assertion valid not before"
#: src/pages/providers/saml/SAMLProviderForm.ts:195
#: src/pages/providers/saml/SAMLProviderForm.ts:201
msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
msgstr "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
#: src/pages/providers/saml/SAMLProviderForm.ts:198
#: src/pages/providers/saml/SAMLProviderForm.ts:204
msgid "Assertion valid not on or after"
msgstr "Assertion valid not on or after"
@ -342,19 +342,19 @@ msgstr "Backup status"
msgid "Base DN"
msgstr "Base DN"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
msgid "Based on the Hashed User ID"
msgstr "Based on the Hashed User ID"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:201
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:210
msgid "Based on the User's Email. This is recommended over the UPN method."
msgstr "Based on the User's Email. This is recommended over the UPN method."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
msgstr "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:207
msgid "Based on the username"
msgstr "Based on the username"
@ -592,11 +592,11 @@ msgstr "Configuration flow"
msgid "Configure WebAuthn"
msgstr "Configure WebAuthn"
#: src/pages/providers/saml/SAMLProviderForm.ts:187
#: src/pages/providers/saml/SAMLProviderForm.ts:193
msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
msgstr "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:242
msgid "Configure how the issuer field of the ID Token should be filled."
msgstr "Configure how the issuer field of the ID Token should be filled."
@ -604,7 +604,7 @@ msgstr "Configure how the issuer field of the ID Token should be filled."
msgid "Configure settings relevant to your user profile."
msgstr "Configure settings relevant to your user profile."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:217
msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
msgstr "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
@ -846,7 +846,7 @@ msgstr "Creation Date"
msgid "Customisation"
msgstr "Customisation"
#: src/pages/providers/saml/SAMLProviderForm.ts:249
#: src/pages/providers/saml/SAMLProviderForm.ts:255
#: src/pages/sources/saml/SAMLSourceForm.ts:212
msgid "DSA-SHA1"
msgstr "DSA-SHA1"
@ -967,7 +967,7 @@ msgstr "Device classes which can be used to authenticate."
msgid "Device name"
msgstr "Device name"
#: src/pages/providers/saml/SAMLProviderForm.ts:213
#: src/pages/providers/saml/SAMLProviderForm.ts:219
#: src/pages/sources/saml/SAMLSourceForm.ts:176
msgid "Digest algorithm"
msgstr "Digest algorithm"
@ -1010,7 +1010,7 @@ msgstr "Download"
msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
msgstr "Dummy stage used for testing. Shows a simple continue button and always passes."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:235
msgid "Each provider has a different issuer, based on the application slug."
msgstr "Each provider has a different issuer, based on the application slug."
@ -1451,7 +1451,7 @@ msgstr "Group {0}"
msgid "Groups"
msgstr "Groups"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
msgid "HS256 (Symmetric Encryption)"
msgstr "HS256 (Symmetric Encryption)"
@ -1478,8 +1478,8 @@ msgstr "Hide managed mappings"
#: src/pages/events/RuleForm.ts:93
#: src/pages/groups/GroupForm.ts:132
#: src/pages/outposts/OutpostForm.ts:98
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:169
#: src/pages/providers/saml/SAMLProviderForm.ts:171
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
#: src/pages/providers/saml/SAMLProviderForm.ts:177
#: src/pages/sources/ldap/LDAPSourceForm.ts:167
#: src/pages/sources/ldap/LDAPSourceForm.ts:193
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
@ -1552,11 +1552,11 @@ msgstr "Import certificates of external providers or create certificates to sign
msgid "In case you can't access any other method."
msgstr "In case you can't access any other method."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:218
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:227
msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
msgstr "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:215
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:224
msgid "Include claims in id_token"
msgstr "Include claims in id_token"
@ -1600,15 +1600,15 @@ msgstr "Is superuser"
msgid "Issuer"
msgstr "Issuer"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:221
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:230
msgid "Issuer mode"
msgstr "Issuer mode"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:138
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
msgid "JWT Algorithm"
msgstr "JWT Algorithm"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:196
msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
msgstr "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
@ -1706,15 +1706,15 @@ msgstr "Loading"
#: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
#: src/pages/property-mappings/PropertyMappingTestForm.ts:59
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:194
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
#: src/pages/providers/proxy/ProxyProviderForm.ts:143
#: src/pages/providers/saml/SAMLProviderForm.ts:71
#: src/pages/providers/saml/SAMLProviderForm.ts:133
#: src/pages/providers/saml/SAMLProviderForm.ts:149
#: src/pages/providers/saml/SAMLProviderForm.ts:169
#: src/pages/providers/saml/SAMLProviderForm.ts:185
#: src/pages/providers/saml/SAMLProviderForm.ts:175
#: src/pages/providers/saml/SAMLProviderForm.ts:191
#: src/pages/providers/saml/SAMLProviderImportForm.ts:55
#: src/pages/sources/ldap/LDAPSourceForm.ts:164
#: src/pages/sources/ldap/LDAPSourceForm.ts:190
@ -1924,7 +1924,7 @@ msgstr "Name of the form field, also used to store the value."
msgid "NameID Policy"
msgstr "NameID Policy"
#: src/pages/providers/saml/SAMLProviderForm.ts:174
#: src/pages/providers/saml/SAMLProviderForm.ts:180
msgid "NameID Property Mapping"
msgstr "NameID Property Mapping"
@ -2434,30 +2434,30 @@ msgstr "Public key, acquired from https://www.google.com/recaptcha/intro/v3.html
msgid "Publisher"
msgstr "Publisher"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:143
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
msgid "RS256 (Asymmetric Encryption)"
msgstr "RS256 (Asymmetric Encryption)"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:172
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181
msgid "RSA Key"
msgstr "RSA Key"
#: src/pages/providers/saml/SAMLProviderForm.ts:237
#: src/pages/providers/saml/SAMLProviderForm.ts:243
#: src/pages/sources/saml/SAMLSourceForm.ts:200
msgid "RSA-SHA1"
msgstr "RSA-SHA1"
#: src/pages/providers/saml/SAMLProviderForm.ts:240
#: src/pages/providers/saml/SAMLProviderForm.ts:246
#: src/pages/sources/saml/SAMLSourceForm.ts:203
msgid "RSA-SHA256"
msgstr "RSA-SHA256"
#: src/pages/providers/saml/SAMLProviderForm.ts:243
#: src/pages/providers/saml/SAMLProviderForm.ts:249
#: src/pages/sources/saml/SAMLSourceForm.ts:206
msgid "RSA-SHA384"
msgstr "RSA-SHA384"
#: src/pages/providers/saml/SAMLProviderForm.ts:246
#: src/pages/providers/saml/SAMLProviderForm.ts:252
#: src/pages/sources/saml/SAMLSourceForm.ts:209
msgid "RSA-SHA512"
msgstr "RSA-SHA512"
@ -2482,11 +2482,14 @@ msgstr "Recovery keys"
msgid "Redirect"
msgstr "Redirect"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:119
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:107
msgid "Redirect URIs"
msgstr "Redirect URIs"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:119
msgid "Redirect URIs/Origins"
msgstr "Redirect URIs/Origins"
#: src/pages/sources/saml/SAMLSourceForm.ts:104
msgid "Redirect binding"
msgstr "Redirect binding"
@ -2582,22 +2585,22 @@ msgstr "Return to device picker"
msgid "SAML Attribute Name"
msgstr "SAML Attribute Name"
#: src/pages/providers/saml/SAMLProviderForm.ts:218
#: src/pages/providers/saml/SAMLProviderForm.ts:224
#: src/pages/sources/saml/SAMLSourceForm.ts:181
msgid "SHA1"
msgstr "SHA1"
#: src/pages/providers/saml/SAMLProviderForm.ts:221
#: src/pages/providers/saml/SAMLProviderForm.ts:227
#: src/pages/sources/saml/SAMLSourceForm.ts:184
msgid "SHA256"
msgstr "SHA256"
#: src/pages/providers/saml/SAMLProviderForm.ts:224
#: src/pages/providers/saml/SAMLProviderForm.ts:230
#: src/pages/sources/saml/SAMLSourceForm.ts:187
msgid "SHA384"
msgstr "SHA384"
#: src/pages/providers/saml/SAMLProviderForm.ts:227
#: src/pages/providers/saml/SAMLProviderForm.ts:233
#: src/pages/sources/saml/SAMLSourceForm.ts:190
msgid "SHA512"
msgstr "SHA512"
@ -2628,7 +2631,7 @@ msgstr "SMTP Username"
msgid "SSO URL"
msgstr "SSO URL"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:238
msgid "Same identifier is used for all providers"
msgstr "Same identifier is used for all providers"
@ -2642,7 +2645,7 @@ msgstr "Scope which the client can specify to access these properties."
#: src/elements/oauth/UserCodeList.ts:31
#: src/elements/oauth/UserRefreshList.ts:31
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:155
msgid "Scopes"
msgstr "Scopes"
@ -2677,7 +2680,7 @@ msgstr "Select an identification method."
msgid "Select users to add"
msgstr "Select users to add"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:168
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177
msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
msgstr "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
@ -2738,11 +2741,11 @@ msgstr "Service connection"
msgid "Session duration"
msgstr "Session duration"
#: src/pages/providers/saml/SAMLProviderForm.ts:209
#: src/pages/providers/saml/SAMLProviderForm.ts:215
msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
msgstr "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
#: src/pages/providers/saml/SAMLProviderForm.ts:205
#: src/pages/providers/saml/SAMLProviderForm.ts:211
msgid "Session valid not on or after"
msgstr "Session valid not on or after"
@ -2783,7 +2786,7 @@ msgstr "Shown as the Title in Flow pages."
msgid "Sign up."
msgstr "Sign up."
#: src/pages/providers/saml/SAMLProviderForm.ts:232
#: src/pages/providers/saml/SAMLProviderForm.ts:238
#: src/pages/sources/saml/SAMLSourceForm.ts:195
msgid "Signature algorithm"
msgstr "Signature algorithm"
@ -2938,7 +2941,7 @@ msgstr "Stop impersonation"
msgid "Subject"
msgstr "Subject"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:190
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:199
msgid "Subject mode"
msgstr "Subject mode"
@ -3378,7 +3381,7 @@ msgstr "Token count"
msgid "Token expiry"
msgstr "Token expiry"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:135
msgid "Token validity"
msgstr "Token validity"
@ -3718,6 +3721,10 @@ msgstr "Using flow"
msgid "Using source"
msgstr "Using source"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:123
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
msgstr "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
#: src/pages/providers/proxy/ProxyProviderForm.ts:115
msgid "Validate SSL Certificates of upstream servers."
msgstr "Validate SSL Certificates of upstream servers."


@ -105,7 +105,7 @@ msgstr ""
msgid "Additional user DN, prepended to the Base DN."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:128
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:131
#: src/pages/providers/proxy/ProxyProviderForm.ts:128
#: src/pages/providers/saml/SAMLProviderForm.ts:117
#: src/pages/sources/saml/SAMLSourceForm.ts:134
@ -125,7 +125,7 @@ msgstr ""
msgid "Alert"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
msgid "Algorithm used to sign the JWT Tokens."
msgstr ""
@ -216,19 +216,19 @@ msgstr ""
msgid "Are you sure you want to update {0} \"{1}\"?"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:202
#: src/pages/providers/saml/SAMLProviderForm.ts:208
msgid "Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:191
#: src/pages/providers/saml/SAMLProviderForm.ts:197
msgid "Assertion valid not before"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:195
#: src/pages/providers/saml/SAMLProviderForm.ts:201
msgid "Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:198
#: src/pages/providers/saml/SAMLProviderForm.ts:204
msgid "Assertion valid not on or after"
msgstr ""
@ -338,19 +338,19 @@ msgstr ""
msgid "Base DN"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:195
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
msgid "Based on the Hashed User ID"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:201
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:210
msgid "Based on the User's Email. This is recommended over the UPN method."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:204
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:213
msgid "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:198
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:207
msgid "Based on the username"
msgstr ""
@ -586,11 +586,11 @@ msgstr ""
msgid "Configure WebAuthn"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:187
#: src/pages/providers/saml/SAMLProviderForm.ts:193
msgid "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:233
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:242
msgid "Configure how the issuer field of the ID Token should be filled."
msgstr ""
@ -598,7 +598,7 @@ msgstr ""
msgid "Configure settings relevant to your user profile."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:208
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:217
msgid "Configure what data should be used as unique User Identifier. For most cases, the default should be fine."
msgstr ""
@ -840,7 +840,7 @@ msgstr ""
msgid "Customisation"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:249
#: src/pages/providers/saml/SAMLProviderForm.ts:255
#: src/pages/sources/saml/SAMLSourceForm.ts:212
msgid "DSA-SHA1"
msgstr ""
@ -959,7 +959,7 @@ msgstr ""
msgid "Device name"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:213
#: src/pages/providers/saml/SAMLProviderForm.ts:219
#: src/pages/sources/saml/SAMLSourceForm.ts:176
msgid "Digest algorithm"
msgstr ""
@ -1002,7 +1002,7 @@ msgstr ""
msgid "Dummy stage used for testing. Shows a simple continue button and always passes."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:226
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:235
msgid "Each provider has a different issuer, based on the application slug."
msgstr ""
@ -1443,7 +1443,7 @@ msgstr ""
msgid "Groups"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:149
msgid "HS256 (Symmetric Encryption)"
msgstr ""
@ -1470,8 +1470,8 @@ msgstr ""
#: src/pages/events/RuleForm.ts:93
#: src/pages/groups/GroupForm.ts:132
#: src/pages/outposts/OutpostForm.ts:98
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:169
#: src/pages/providers/saml/SAMLProviderForm.ts:171
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:178
#: src/pages/providers/saml/SAMLProviderForm.ts:177
#: src/pages/sources/ldap/LDAPSourceForm.ts:167
#: src/pages/sources/ldap/LDAPSourceForm.ts:193
#: src/pages/stages/authenticator_validate/AuthenticatorValidateStageForm.ts:114
@ -1544,11 +1544,11 @@ msgstr ""
msgid "In case you can't access any other method."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:218
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:227
msgid "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint."
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:215
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:224
msgid "Include claims in id_token"
msgstr ""
@ -1592,15 +1592,15 @@ msgstr ""
msgid "Issuer"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:221
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:230
msgid "Issuer mode"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:138
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:141
msgid "JWT Algorithm"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:187
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:196
msgid "Key used to sign the tokens. Only required when JWT Algorithm is set to RS256."
msgstr ""
@ -1698,15 +1698,15 @@ msgstr ""
#: src/pages/policies/event_matcher/EventMatcherPolicyForm.ts:108
#: src/pages/property-mappings/PropertyMappingTestForm.ts:59
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:74
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:166
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:185
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:175
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:194
#: src/pages/providers/proxy/ProxyProviderForm.ts:92
#: src/pages/providers/proxy/ProxyProviderForm.ts:143
#: src/pages/providers/saml/SAMLProviderForm.ts:71
#: src/pages/providers/saml/SAMLProviderForm.ts:133
#: src/pages/providers/saml/SAMLProviderForm.ts:149
#: src/pages/providers/saml/SAMLProviderForm.ts:169
#: src/pages/providers/saml/SAMLProviderForm.ts:185
#: src/pages/providers/saml/SAMLProviderForm.ts:175
#: src/pages/providers/saml/SAMLProviderForm.ts:191
#: src/pages/providers/saml/SAMLProviderImportForm.ts:55
#: src/pages/sources/ldap/LDAPSourceForm.ts:164
#: src/pages/sources/ldap/LDAPSourceForm.ts:190
@ -1916,7 +1916,7 @@ msgstr ""
msgid "NameID Policy"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:174
#: src/pages/providers/saml/SAMLProviderForm.ts:180
msgid "NameID Property Mapping"
msgstr ""
@ -2426,30 +2426,30 @@ msgstr ""
msgid "Publisher"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:143
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:146
msgid "RS256 (Asymmetric Encryption)"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:172
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:181
msgid "RSA Key"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:237
#: src/pages/providers/saml/SAMLProviderForm.ts:243
#: src/pages/sources/saml/SAMLSourceForm.ts:200
msgid "RSA-SHA1"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:240
#: src/pages/providers/saml/SAMLProviderForm.ts:246
#: src/pages/sources/saml/SAMLSourceForm.ts:203
msgid "RSA-SHA256"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:243
#: src/pages/providers/saml/SAMLProviderForm.ts:249
#: src/pages/sources/saml/SAMLSourceForm.ts:206
msgid "RSA-SHA384"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:246
#: src/pages/providers/saml/SAMLProviderForm.ts:252
#: src/pages/sources/saml/SAMLSourceForm.ts:209
msgid "RSA-SHA512"
msgstr ""
@ -2474,11 +2474,14 @@ msgstr ""
msgid "Redirect"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:119
#: src/pages/providers/oauth2/OAuth2ProviderViewPage.ts:107
msgid "Redirect URIs"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:119
msgid "Redirect URIs/Origins"
msgstr ""
#: src/pages/sources/saml/SAMLSourceForm.ts:104
msgid "Redirect binding"
msgstr ""
@ -2574,22 +2577,22 @@ msgstr ""
msgid "SAML Attribute Name"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:218
#: src/pages/providers/saml/SAMLProviderForm.ts:224
#: src/pages/sources/saml/SAMLSourceForm.ts:181
msgid "SHA1"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:221
#: src/pages/providers/saml/SAMLProviderForm.ts:227
#: src/pages/sources/saml/SAMLSourceForm.ts:184
msgid "SHA256"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:224
#: src/pages/providers/saml/SAMLProviderForm.ts:230
#: src/pages/sources/saml/SAMLSourceForm.ts:187
msgid "SHA384"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:227
#: src/pages/providers/saml/SAMLProviderForm.ts:233
#: src/pages/sources/saml/SAMLSourceForm.ts:190
msgid "SHA512"
msgstr ""
@ -2620,7 +2623,7 @@ msgstr ""
msgid "SSO URL"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:229
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:238
msgid "Same identifier is used for all providers"
msgstr ""
@ -2634,7 +2637,7 @@ msgstr ""
#: src/elements/oauth/UserCodeList.ts:31
#: src/elements/oauth/UserRefreshList.ts:31
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:152
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:155
msgid "Scopes"
msgstr ""
@ -2669,7 +2672,7 @@ msgstr ""
msgid "Select users to add"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:168
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:177
msgid "Select which scopes can be used by the client. The client stil has to specify the scope to access the data."
msgstr ""
@ -2730,11 +2733,11 @@ msgstr ""
msgid "Session duration"
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:209
#: src/pages/providers/saml/SAMLProviderForm.ts:215
msgid "Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:205
#: src/pages/providers/saml/SAMLProviderForm.ts:211
msgid "Session valid not on or after"
msgstr ""
@ -2775,7 +2778,7 @@ msgstr ""
msgid "Sign up."
msgstr ""
#: src/pages/providers/saml/SAMLProviderForm.ts:232
#: src/pages/providers/saml/SAMLProviderForm.ts:238
#: src/pages/sources/saml/SAMLSourceForm.ts:195
msgid "Signature algorithm"
msgstr ""
@ -2930,7 +2933,7 @@ msgstr ""
msgid "Subject"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:190
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:199
msgid "Subject mode"
msgstr ""
@ -3368,7 +3371,7 @@ msgstr ""
msgid "Token expiry"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:132
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:135
msgid "Token validity"
msgstr ""
@ -3708,6 +3711,10 @@ msgstr ""
msgid "Using source"
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts:123
msgid "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows."
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts:115
msgid "Validate SSL Certificates of upstream servers."
msgstr ""


@ -113,9 +113,12 @@ export class OAuth2ProviderFormPage extends Form<OAuth2Provider> {
<input type="text" value="${first(this.provider?.clientSecret, randomString(128))}" class="pf-c-form-control">
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${t`Redirect URIs`}
label=${t`Redirect URIs/Origins`}
name="redirectUris">
<textarea class="pf-c-form-control">${this.provider?.redirectUris}</textarea>
<p class="pf-c-form__helper-text">
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for CORS Headers.`}
</p>
</ak-form-element-horizontal>
</div>
</ak-form-group>
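Review bot: The helper text added in the `pf-c-form__helper-text` paragraph ends with `Also specify any origins here for CORS Headers.`, but the msgid this same commit adds to both locale files ends with `Also specify any origins here for Implicit flows.`, so the extracted catalogue is already stale and this string will fall back to the source text until extraction is re-run. Either regenerate the catalogues after this edit or align the two wordings; `CORS Headers` is the more accurate of the two, since the server-side check in cors_allow_any compares the Origin header against the configured URLs for every flow.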