providers/oauth2: correctly advertise code_challenge_methods_supported (#6007)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
a5db60129d
commit
f6181ceb70
@ -19,6 +19,11 @@ SCOPE_OPENID = "openid"
SCOPE_OPENID_PROFILE = "profile"
SCOPE_OPENID_EMAIL = "email"
|
# https://www.iana.org/assignments/oauth-parameters/\
# oauth-parameters.xhtml#pkce-code-challenge-method
PKCE_METHOD_PLAIN = "plain"
PKCE_METHOD_S256 = "S256"
|
TOKEN_TYPE = "Bearer" # nosec
|
SCOPE_AUTHENTIK_API = "goauthentik.io/api"
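Review bot: The IANA reference on the two new `#` lines is split with a trailing backslash, which has no continuation effect inside a comment, so the URL as written cannot be followed or copied as one piece. Keep it on a single comment line, `# https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#pkce-code-challenge-method`, adding `# noqa: E501` if a line-length check applies in this project, or shorten it to `# IANA "PKCE Code Challenge Methods" registry` and let the reader look it up.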
@ -35,6 +35,8 @@ from authentik.lib.views import bad_request_message
from authentik.policies.types import PolicyRequest
from authentik.policies.views import PolicyAccessView, RequestValidationError
from authentik.providers.oauth2.constants import (
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
PROMPT_CONSENT,
PROMPT_LOGIN,
PROMPT_NONE,
@ -254,7 +256,10 @@ class OAuthAuthorizationParams:
|
def check_code_challenge(self):
"""PKCE validation of the transformation method."""
if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
if self.code_challenge and self.code_challenge_method not in [
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
]:
raise AuthorizeError(
self.redirect_uri,
"invalid_request",
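Review bot: The accepted-method pair `[PKCE_METHOD_PLAIN, PKCE_METHOD_S256]` is now spelled out here and again in the `code_challenge_methods_supported` entry of ProviderInfoView (the `@ -109,6 +111,7` hunk), so the advertised and the enforced sets can drift apart the next time a method is added or `plain` is retired. Define the collection once next to the constants, e.g. `PKCE_METHODS_SUPPORTED = (PKCE_METHOD_PLAIN, PKCE_METHOD_S256)`, and use `not in PKCE_METHODS_SUPPORTED` here and the same name in the discovery document, so that what is advertised is exactly what is enforced. Separately, RFC 7636 §4.3 defaults `code_challenge_method` to `plain` when the parameter is omitted; whether that default is applied before this check is not visible in the hunk, and if it is not, a request carrying only `code_challenge` would be rejected with invalid_request even though it is well-formed. check_code_challenge continues past the end of the hunk.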
@ -17,6 +17,8 @@ from authentik.providers.oauth2.constants import (
GRANT_TYPE_IMPLICIT,
GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN,
PKCE_METHOD_PLAIN,
PKCE_METHOD_S256,
SCOPE_OPENID,
)
from authentik.providers.oauth2.models import (
@ -109,6 +111,7 @@ class ProviderInfoView(View):
"request_parameter_supported": False,
"claims_supported": self.get_claims(provider),
"claims_parameter_supported": False,
"code_challenge_methods_supported": [PKCE_METHOD_PLAIN, PKCE_METHOD_S256],
}
|
def get_claims(self, provider: OAuth2Provider) -> list[str]:
@ -39,6 +39,7 @@ from authentik.providers.oauth2.constants import (
GRANT_TYPE_DEVICE_CODE,
GRANT_TYPE_PASSWORD,
GRANT_TYPE_REFRESH_TOKEN,
PKCE_METHOD_S256,
TOKEN_TYPE,
)
from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError
@ -221,7 +222,7 @@ class TokenParams:
|
# Validate PKCE parameters.
if self.code_verifier:
if self.authorization_code.code_challenge_method == "S256":
if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
new_code_challenge = (
urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
.decode("utf-8")
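Review bot: `self.code_verifier.encode("ascii")` on the S256 branch raises `UnicodeEncodeError` for a verifier containing non-ASCII characters, which would surface as an unhandled server error rather than the token-endpoint error a malformed client parameter should produce; unless the verifier is already validated earlier (not visible in this hunk), guard it before hashing, e.g. `if not re.fullmatch(r"[A-Za-z0-9._~-]{43,128}", self.code_verifier):` followed by the `TokenError` this module already raises for a bad grant (this needs `re` imported). That pattern is the character set and length RFC 7636 §4.1 requires of a code_verifier, so rejecting anything else up front is both correct and cheaper than hashing it. Note also that `urlsafe_b64encode` emits `=` padding while RFC 7636 §4.2 specifies unpadded base64url for the challenge; the comparison against the stored challenge and any padding strip happen after the hunk, so please confirm they agree. The enclosing method body continues outside the hunk.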