providers/oauth2: give keypairs private key preference over certificate in client_credentials jwt flow
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
7a44d5768a
commit
f8f8a9bbb9
|
@ -19,6 +19,7 @@ from authentik.core.models import (
|
|||
TokenIntents,
|
||||
User,
|
||||
)
|
||||
from authentik.crypto.models import CertificateKeyPair
|
||||
from authentik.events.models import Event, EventAction
|
||||
from authentik.lib.utils.time import timedelta_from_string
|
||||
from authentik.policies.engine import PolicyEngine
|
||||
|
@ -261,16 +262,20 @@ class TokenParams:
|
|||
token = None
|
||||
for cert in self.provider.verification_keys.all():
|
||||
LOGGER.debug("verifying jwt with key", key=cert.name)
|
||||
cert: CertificateKeyPair
|
||||
public_key = cert.certificate.public_key()
|
||||
if cert.private_key:
|
||||
public_key = cert.private_key.public_key()
|
||||
try:
|
||||
token = decode(
|
||||
assertion,
|
||||
cert.certificate.public_key(),
|
||||
public_key,
|
||||
algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.EC256],
|
||||
options={
|
||||
"verify_aud": False,
|
||||
},
|
||||
)
|
||||
except (InvalidTokenError, ValueError) as last_exc:
|
||||
except (InvalidTokenError, ValueError, TypeError) as last_exc:
|
||||
LOGGER.warning("failed to validate jwt", last_exc=last_exc)
|
||||
if not token:
|
||||
raise TokenError("invalid_grant")
|
||||
|
|
Reference in a new issue