diff --git a/Makefile b/Makefile
index f768289ae..1afa0d2b8 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ gen-web:
 --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=@goauthentik/api,npmVersion=${NPM_VERSION}
 mkdir -p web/node_modules/@goauthentik/api
 \cp -fv scripts/web_api_readme.md web-api/README.md
- cd web-api && npm ci
+ cd web-api && npm i
 \cp -rfv web-api/* web/node_modules/@goauthentik/api
 gen-outpost:
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 58995b1d7..6b8e3b7b4 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -241,6 +241,11 @@ class TokenParams:
 if not token or token.user.uid != user.uid:
 raise TokenError("invalid_grant")
 self.user = user
+ # Authorize user access
+ app = Application.objects.filter(provider=self.provider).first()
+ if not app or not app.provider:
+ raise TokenError("invalid_grant")
+ self.__check_policy_access(app, request)
 Event.new(
 action=EventAction.LOGIN,
@@ -248,13 +253,8 @@ class TokenParams:
 PLAN_CONTEXT_METHOD_ARGS={
 "identifier": token.identifier,
 },
+ PLAN_CONTEXT_APPLICATION=app,
 ).from_http(request, user=user)
-
- # Authorize user access
- app = Application.objects.filter(provider=self.provider).first()
- if not app or not app.provider:
- raise TokenError("invalid_grant")
- self.__check_policy_access(app, request)
 return None
 def __post_init_client_credentials_jwt(self, request: HttpRequest):
@@ -320,6 +320,7 @@ class TokenParams:
 PLAN_CONTEXT_METHOD_ARGS={
 "jwt": token,
 },
+ PLAN_CONTEXT_APPLICATION=app,
 ).from_http(request, user=self.user)
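Review bot: In the gen-web recipe of the Makefile, `cd web-api && npm i` gives up the lockfile-exact install that `npm ci` enforced: `npm i` resolves version ranges at build time and may rewrite the lockfile, so the @goauthentik/api package copied into web/node_modules can be built against dependency versions nobody reviewed. If the switch is needed because the generated web-api directory has no package-lock.json (not visible in this hunk), record that above the line, e.g. `# web-api is regenerated without a lockfile, so npm ci cannot be used here`. Where a committed lockfile does exist, keeping `npm ci` preserves a reproducible install.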
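Review bot: In token.py (hunk at -241), the policy check now raises before `Event.new(action=EventAction.LOGIN, ...)`, so a request that fails `self.__check_policy_access(app, request)` or resolves no application gets `invalid_grant` with no event recorded in this block; the old position, removed in the -248 hunk, logged a LOGIN first. Unless `__check_policy_access` emits its own denial event (its body is outside the diff), denied token requests in what appears to be the client-credentials path leave no audit record here, which makes repeated failed attempts hard to detect. I would also state the ordering intent next to the moved lines: `# Authorize before emitting the LOGIN event so a denied request is never recorded as a login`. The enclosing method starts above the hunk, and no regression test for the new order is visible in this diff.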