sources/oauth: fix URLs being overwritten by OIDC urls (cherry-pick #8147 ) (#8156 )

sources/oauth: fix URLs being overwritten by OIDC urls (#8147) * sources/oauth: fix URLs being overwritten by OIDC urls * fix tests --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>
sources/oauth: fix azure_ad user_id and add test and fallback (cherry-pick #8146 ) (#8152 )
2024-01-13 16:37:47 +01:00 · 2024-01-12 21:01:24 +01:00 · 2024-01-12 21:01:11 +01:00 · 2024-01-12 16:21:59 +01:00
5 changed files with 24 additions and 8 deletions
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -56,6 +56,7 @@ class OAuthSourceSerializer(SourceSerializer):
        """Get source's type configuration"""
        return SourceTypeSerializer(instance.source_type).data

+    # pylint: disable=too-many-locals
    def validate(self, attrs: dict) -> dict:
        session = get_http_session()
        source_type = registry.find_type(attrs["provider_type"])
@ -73,9 +74,17 @@ class OAuthSourceSerializer(SourceSerializer):
            config = well_known_config.json()
            if "issuer" not in config:
                raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
-            attrs["authorization_url"] = config.get("authorization_endpoint", "")
-            attrs["access_token_url"] = config.get("token_endpoint", "")
-            attrs["profile_url"] = config.get("userinfo_endpoint", "")
+            field_map = {
+                # authentik field to oidc field
+                "authorization_url": "authorization_endpoint",
+                "access_token_url": "token_endpoint",
+                "profile_url": "userinfo_endpoint",
+            }
+            for ak_key, oidc_key in field_map.items():
+                # Don't overwrite user-set values
+                if ak_key in attrs and attrs[ak_key]:
+                    continue
+                attrs[ak_key] = config.get(oidc_key, "")
            inferred_oidc_jwks_url = config.get("jwks_uri", "")

        # Prefer user-entered URL to inferred URL to default URL
--- a/authentik/sources/oauth/tests/test_type_azure_ad.py
+++ b/authentik/sources/oauth/tests/test_type_azure_ad.py
@ -44,3 +44,7 @@ class TestTypeAzureAD(TestCase):
        self.assertEqual(ak_context["username"], AAD_USER["userPrincipalName"])
        self.assertEqual(ak_context["email"], AAD_USER["mail"])
        self.assertEqual(ak_context["name"], AAD_USER["displayName"])
+
+    def test_user_id(self):
+        """Test azure AD user ID"""
+        self.assertEqual(AzureADOAuthCallback().get_user_id(AAD_USER), AAD_USER["id"])
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@ -69,9 +69,6 @@ class TestOAuthSource(TestCase):
                    "provider_type": "openidconnect",
                    "consumer_key": "foo",
                    "consumer_secret": "foo",
-                    "authorization_url": "http://foo",
-                    "access_token_url": "http://foo",
-                    "profile_url": "http://foo",
                    "oidc_well_known_url": url,
                    "oidc_jwks_url": "",
                },
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@ -25,6 +25,11 @@ class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):

    client_class = UserprofileHeaderAuthClient

+    def get_user_id(self, info: dict[str, str]) -> str:
+        # Default try to get `id` for the Graph API endpoint
+        # fallback to OpenID logic in case the profile URL was changed
+        return info.get("id", super().get_user_id(info))
+
    def get_user_enroll_context(
        self,
        info: dict[str, Any],
@ -50,7 +55,7 @@ class AzureADType(SourceType):

    authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
+    profile_url = "https://graph.microsoft.com/v1.0/me"
    oidc_well_known_url = (
        "https://login.microsoftonline.com/common/.well-known/openid-configuration"
    )
--- a/web/src/common/styles/theme-dark.css
+++ b/web/src/common/styles/theme-dark.css
@ -257,7 +257,8 @@ select[multiple] option:checked {
 .pf-c-login__main-header-desc {
    color: var(--ak-dark-foreground);
 }
-.pf-c-login__main-footer-links-item img {
+.pf-c-login__main-footer-links-item img,
+.pf-c-login__main-footer-links-item .fas {
    filter: invert(1);
 }
 .pf-c-login__main-footer-band {
Author	SHA1	Message	Date
gcp-cherry-pick-bot[bot]	bb9a524b53	sources/oauth: fix URLs being overwritten by OIDC urls (cherry-pick #8147 ) (#8156 ) sources/oauth: fix URLs being overwritten by OIDC urls (#8147) * sources/oauth: fix URLs being overwritten by OIDC urls * fix tests --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-01-13 16:37:47 +01:00
gcp-cherry-pick-bot[bot]	d31c05625b	sources/oauth: fix azure_ad user_id and add test and fallback (cherry-pick #8146 ) (#8152 )	2024-01-12 21:01:24 +01:00
gcp-cherry-pick-bot[bot]	399223b770	web/flows: fix icon for generic oauth source with dark theme (cherry-pick #8148 ) (#8151 )	2024-01-12 21:01:11 +01:00
gcp-cherry-pick-bot[bot]	19197d3f9b	sources/oauth: revert azure_ad profile URL change (cherry-pick #8139 ) (#8141 ) sources/oauth: revert azure_ad profile URL change (#8139) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>	2024-01-12 16:21:59 +01:00