Merge branch 'master' into api/jwt-auth

authentik/providers/oauth2/constants.py

@@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""
 
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password"  # nosec
 
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"

authentik/providers/oauth2/migrations/0010_alter_oauth2provider_verification_keys.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.0.3 on 2022-03-31 18:17
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_crypto", "0003_certificatekeypair_managed"),
+        ("authentik_providers_oauth2", "0009_oauth2provider_verification_keys_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="oauth2provider",
+            name="verification_keys",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                help_text="JWTs created with the configured certificates can authenticate with this provider.",
+                related_name="+",
+                to="authentik_crypto.certificatekeypair",
+                verbose_name="Allowed certificates for JWT-based client_credentials",
+            ),
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -227,6 +227,8 @@ class OAuth2Provider(Provider):
             "JWTs created with the configured certificates can authenticate with this provider."
         ),
         related_name="+",
+        default=None,
+        blank=True,
     )
 
     def create_refresh_token(

authentik/providers/oauth2/views/provider.py

@@ -11,15 +11,12 @@
     ACR_AUTHENTIK_DEFAULT,
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_IMPLICIT,
+    GRANT_TYPE_PASSWORD,
     GRANT_TYPE_REFRESH_TOKEN,
     SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import (
-    GrantTypes,
-    OAuth2Provider,
-    ResponseTypes,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
 from authentik.providers.oauth2.utils import cors_allow
 
 LOGGER = get_logger()
@@ -78,8 +75,9 @@ def get_info(self, provider: OAuth2Provider) -> dict[str, Any]:
             "grant_types_supported": [
                 GRANT_TYPE_AUTHORIZATION_CODE,
                 GRANT_TYPE_REFRESH_TOKEN,
-                GrantTypes.IMPLICIT,
+                GRANT_TYPE_IMPLICIT,
                 GRANT_TYPE_CLIENT_CREDENTIALS,
+                GRANT_TYPE_PASSWORD,
             ],
             "id_token_signing_alg_values_supported": [supported_alg],
             # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

authentik/providers/oauth2/views/token.py

@@ -28,6 +28,7 @@
     CLIENT_ASSERTION_TYPE_JWT,
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_PASSWORD,
     GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@@ -108,7 +109,7 @@ def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
             self.__post_init_code(raw_code)
         elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
             self.__post_init_refresh(raw_token, request)
-        elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+        elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
             self.__post_init_client_credentials(request)
         else:
             LOGGER.warning("Invalid grant type", grant_type=self.grant_type)

lifecycle/wait_for_db.py

@@ -5,6 +5,7 @@
 from sys import exit as sysexit
 from sys import stderr
 from time import sleep, time
+from urllib.parse import quote_plus
 
 from psycopg2 import OperationalError, connect
 from redis import Redis
@@ -58,7 +59,7 @@ def j_print(event: str, log_level: str = "info", **kwargs):
     REDIS_PROTOCOL_PREFIX = "rediss://"
 REDIS_URL = (
     f"{REDIS_PROTOCOL_PREFIX}:"
-    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+    f"{quote_plus(CONFIG.y('redis.password'))}@{quote_plus(CONFIG.y('redis.host'))}:"
     f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
 )
 while True:

schema.yml

@@ -23124,7 +23124,6 @@ components:
       - pk
       - verbose_name
       - verbose_name_plural
-      - verification_keys
     OAuth2ProviderRequest:
       type: object
       description: OAuth2Provider Serializer
@@ -23198,7 +23197,6 @@ components:
       required:
       - authorization_flow
       - name
-      - verification_keys
     OAuth2ProviderSetupURLs:
       type: object
       description: OAuth2 Provider Metadata serializer

web/package.json

@@ -59,7 +59,7 @@
         "@babel/preset-typescript": "^7.16.7",
         "@formatjs/intl-listformat": "^6.5.3",
         "@fortawesome/fontawesome-free": "^6.1.1",
-        "@goauthentik/api": "^2022.3.3-1648679473",
+        "@goauthentik/api": "^2022.3.3-1648750781",
         "@jackfranklin/rollup-plugin-markdown": "^0.3.0",
         "@lingui/cli": "^3.13.2",
         "@lingui/core": "^3.13.2",

website/docs/providers/oauth2/client_credentials.md

@@ -2,6 +2,8 @@
 
 Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
 
+Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
+
 ### Static authentication
 
 Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.