providers/oauth2: correctly advertise code_challenge_methods_supported (#6007)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-06-19 21:26:33 +02:00 committed by GitHub
parent a5db60129d
commit f6181ceb70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 2 deletions

View File

@ -19,6 +19,11 @@ SCOPE_OPENID = "openid"
SCOPE_OPENID_PROFILE = "profile" SCOPE_OPENID_PROFILE = "profile"
SCOPE_OPENID_EMAIL = "email" SCOPE_OPENID_EMAIL = "email"
# https://www.iana.org/assignments/oauth-parameters/\
# oauth-parameters.xhtml#pkce-code-challenge-method
PKCE_METHOD_PLAIN = "plain"
PKCE_METHOD_S256 = "S256"
TOKEN_TYPE = "Bearer" # nosec TOKEN_TYPE = "Bearer" # nosec
SCOPE_AUTHENTIK_API = "goauthentik.io/api" SCOPE_AUTHENTIK_API = "goauthentik.io/api"

View File

@ -35,6 +35,8 @@ from authentik.lib.views import bad_request_message
from authentik.policies.types import PolicyRequest from authentik.policies.types import PolicyRequest
from authentik.policies.views import PolicyAccessView, RequestValidationError from authentik.policies.views import PolicyAccessView, RequestValidationError
from authentik.providers.oauth2.constants import ( from authentik.providers.oauth2.constants import (
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
PROMPT_CONSENT, PROMPT_CONSENT,
PROMPT_LOGIN, PROMPT_LOGIN,
PROMPT_NONE, PROMPT_NONE,
@ -254,7 +256,10 @@ class OAuthAuthorizationParams:
def check_code_challenge(self): def check_code_challenge(self):
"""PKCE validation of the transformation method.""" """PKCE validation of the transformation method."""
if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]: if self.code_challenge and self.code_challenge_method not in [
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
]:
raise AuthorizeError( raise AuthorizeError(
self.redirect_uri, self.redirect_uri,
"invalid_request", "invalid_request",

View File

@ -17,6 +17,8 @@ from authentik.providers.oauth2.constants import (
GRANT_TYPE_IMPLICIT, GRANT_TYPE_IMPLICIT,
GRANT_TYPE_PASSWORD, GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN, GRANT_TYPE_REFRESH_TOKEN,
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
SCOPE_OPENID, SCOPE_OPENID,
) )
from authentik.providers.oauth2.models import ( from authentik.providers.oauth2.models import (
@ -109,6 +111,7 @@ class ProviderInfoView(View):
"request_parameter_supported": False, "request_parameter_supported": False,
"claims_supported": self.get_claims(provider), "claims_supported": self.get_claims(provider),
"claims_parameter_supported": False, "claims_parameter_supported": False,
"code_challenge_methods_supported": [PKCE_METHOD_PLAIN, PKCE_METHOD_S256],
} }
def get_claims(self, provider: OAuth2Provider) -> list[str]: def get_claims(self, provider: OAuth2Provider) -> list[str]:

View File

@ -39,6 +39,7 @@ from authentik.providers.oauth2.constants import (
GRANT_TYPE_DEVICE_CODE, GRANT_TYPE_DEVICE_CODE,
GRANT_TYPE_PASSWORD, GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN, GRANT_TYPE_REFRESH_TOKEN,
PKCE_METHOD_S256,
TOKEN_TYPE, TOKEN_TYPE,
) )
from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError
@ -221,7 +222,7 @@ class TokenParams:
# Validate PKCE parameters. # Validate PKCE parameters.
if self.code_verifier: if self.code_verifier:
if self.authorization_code.code_challenge_method == "S256": if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
new_code_challenge = ( new_code_challenge = (
urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest()) urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
.decode("utf-8") .decode("utf-8")