Compare commits

..

4 Commits

Author SHA1 Message Date
gcp-cherry-pick-bot[bot] bb9a524b53
sources/oauth: fix URLs being overwritten by OIDC urls (cherry-pick #8147) (#8156)
sources/oauth: fix URLs being overwritten by OIDC urls (#8147)

* sources/oauth: fix URLs being overwritten by OIDC urls



* fix tests



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
2024-01-13 16:37:47 +01:00
gcp-cherry-pick-bot[bot] d31c05625b
sources/oauth: fix azure_ad user_id and add test and fallback (cherry-pick #8146) (#8152) 2024-01-12 21:01:24 +01:00
gcp-cherry-pick-bot[bot] 399223b770
web/flows: fix icon for generic oauth source with dark theme (cherry-pick #8148) (#8151) 2024-01-12 21:01:11 +01:00
gcp-cherry-pick-bot[bot] 19197d3f9b
sources/oauth: revert azure_ad profile URL change (cherry-pick #8139) (#8141)
sources/oauth: revert azure_ad profile URL change (#8139)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
2024-01-12 16:21:59 +01:00
5 changed files with 24 additions and 8 deletions

View File

@ -56,6 +56,7 @@ class OAuthSourceSerializer(SourceSerializer):
"""Get source's type configuration""" """Get source's type configuration"""
return SourceTypeSerializer(instance.source_type).data return SourceTypeSerializer(instance.source_type).data
# pylint: disable=too-many-locals
def validate(self, attrs: dict) -> dict: def validate(self, attrs: dict) -> dict:
session = get_http_session() session = get_http_session()
source_type = registry.find_type(attrs["provider_type"]) source_type = registry.find_type(attrs["provider_type"])
@ -73,9 +74,17 @@ class OAuthSourceSerializer(SourceSerializer):
config = well_known_config.json() config = well_known_config.json()
if "issuer" not in config: if "issuer" not in config:
raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"}) raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
attrs["authorization_url"] = config.get("authorization_endpoint", "") field_map = {
attrs["access_token_url"] = config.get("token_endpoint", "") # authentik field to oidc field
attrs["profile_url"] = config.get("userinfo_endpoint", "") "authorization_url": "authorization_endpoint",
"access_token_url": "token_endpoint",
"profile_url": "userinfo_endpoint",
}
for ak_key, oidc_key in field_map.items():
# Don't overwrite user-set values
if ak_key in attrs and attrs[ak_key]:
continue
attrs[ak_key] = config.get(oidc_key, "")
inferred_oidc_jwks_url = config.get("jwks_uri", "") inferred_oidc_jwks_url = config.get("jwks_uri", "")
# Prefer user-entered URL to inferred URL to default URL # Prefer user-entered URL to inferred URL to default URL

View File

@ -44,3 +44,7 @@ class TestTypeAzureAD(TestCase):
self.assertEqual(ak_context["username"], AAD_USER["userPrincipalName"]) self.assertEqual(ak_context["username"], AAD_USER["userPrincipalName"])
self.assertEqual(ak_context["email"], AAD_USER["mail"]) self.assertEqual(ak_context["email"], AAD_USER["mail"])
self.assertEqual(ak_context["name"], AAD_USER["displayName"]) self.assertEqual(ak_context["name"], AAD_USER["displayName"])
def test_user_id(self):
"""Test azure AD user ID"""
self.assertEqual(AzureADOAuthCallback().get_user_id(AAD_USER), AAD_USER["id"])

View File

@ -69,9 +69,6 @@ class TestOAuthSource(TestCase):
"provider_type": "openidconnect", "provider_type": "openidconnect",
"consumer_key": "foo", "consumer_key": "foo",
"consumer_secret": "foo", "consumer_secret": "foo",
"authorization_url": "http://foo",
"access_token_url": "http://foo",
"profile_url": "http://foo",
"oidc_well_known_url": url, "oidc_well_known_url": url,
"oidc_jwks_url": "", "oidc_jwks_url": "",
}, },

View File

@ -25,6 +25,11 @@ class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
client_class = UserprofileHeaderAuthClient client_class = UserprofileHeaderAuthClient
def get_user_id(self, info: dict[str, str]) -> str:
# Default try to get `id` for the Graph API endpoint
# fallback to OpenID logic in case the profile URL was changed
return info.get("id", super().get_user_id(info))
def get_user_enroll_context( def get_user_enroll_context(
self, self,
info: dict[str, Any], info: dict[str, Any],
@ -50,7 +55,7 @@ class AzureADType(SourceType):
authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token" # nosec access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token" # nosec
profile_url = "https://login.microsoftonline.com/common/openid/userinfo" profile_url = "https://graph.microsoft.com/v1.0/me"
oidc_well_known_url = ( oidc_well_known_url = (
"https://login.microsoftonline.com/common/.well-known/openid-configuration" "https://login.microsoftonline.com/common/.well-known/openid-configuration"
) )

View File

@ -257,7 +257,8 @@ select[multiple] option:checked {
.pf-c-login__main-header-desc { .pf-c-login__main-header-desc {
color: var(--ak-dark-foreground); color: var(--ak-dark-foreground);
} }
.pf-c-login__main-footer-links-item img { .pf-c-login__main-footer-links-item img,
.pf-c-login__main-footer-links-item .fas {
filter: invert(1); filter: invert(1);
} }
.pf-c-login__main-footer-band { .pf-c-login__main-footer-band {