From 8689444954781d72716b62c5414918fa1838e2b0 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 31 Mar 2022 18:02:17 +0200 Subject: [PATCH 1/4] providers/oauth2: add password grant support (treated as client_credentials) Signed-off-by: Jens Langhammer --- authentik/providers/oauth2/constants.py | 2 ++ authentik/providers/oauth2/views/provider.py | 12 +++++------- authentik/providers/oauth2/views/token.py | 3 ++- website/docs/providers/oauth2/client_credentials.md | 2 ++ 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/authentik/providers/oauth2/constants.py b/authentik/providers/oauth2/constants.py index e8beade8502..6c15baa5e89 100644 --- a/authentik/providers/oauth2/constants.py +++ b/authentik/providers/oauth2/constants.py @@ -1,8 +1,10 @@ """OAuth/OpenID Constants""" GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code" +GRANT_TYPE_IMPLICIT = "implicit" GRANT_TYPE_REFRESH_TOKEN = "refresh_token" # nosec GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials" +GRANT_TYPE_PASSWORD = "password" # nosec CLIENT_ASSERTION_TYPE = "client_assertion_type" CLIENT_ASSERTION = "client_assertion" diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py index 6bb4ee20b2b..49129d182df 100644 --- a/authentik/providers/oauth2/views/provider.py +++ b/authentik/providers/oauth2/views/provider.py @@ -11,15 +11,12 @@ ACR_AUTHENTIK_DEFAULT, GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_IMPLICIT, + GRANT_TYPE_PASSWORD, GRANT_TYPE_REFRESH_TOKEN, SCOPE_OPENID, ) -from authentik.providers.oauth2.models import ( - GrantTypes, - OAuth2Provider, - ResponseTypes, - ScopeMapping, -) +from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping from authentik.providers.oauth2.utils import cors_allow LOGGER = get_logger() 
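Review bot: The `# nosec` on the new `GRANT_TYPE_PASSWORD` constant suppresses a static-analysis finding (presumably bandit's hardcoded-password-string check on the literal `"password"`) without recording why, so a later auditor has to rediscover that this is a grant-type name and not a credential. It mirrors the existing `GRANT_TYPE_REFRESH_TOKEN` line, which is consistent, but both would be easier to audit with the reason attached: `GRANT_TYPE_PASSWORD = "password"  # nosec - OAuth grant type name, not a secret`. The constants module is otherwise fully visible in the hunk.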
@@ -78,8 +75,9 @@ def get_info(self, provider: OAuth2Provider) -> dict[str, Any]: "grant_types_supported": [ GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN, - GrantTypes.IMPLICIT, + GRANT_TYPE_IMPLICIT, GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_PASSWORD, ], "id_token_signing_alg_values_supported": [supported_alg], # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py index 9e1ca0c819b..a1d37779a2a 100644 --- a/authentik/providers/oauth2/views/token.py +++ b/authentik/providers/oauth2/views/token.py @@ -28,6 +28,7 @@ CLIENT_ASSERTION_TYPE_JWT, GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_PASSWORD, GRANT_TYPE_REFRESH_TOKEN, ) from authentik.providers.oauth2.errors import TokenError, UserAuthError @@ -108,7 +109,7 @@ def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest): self.__post_init_code(raw_code) elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN: self.__post_init_refresh(raw_token, request) - elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS: + elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]: self.__post_init_client_credentials(request) else: LOGGER.warning("Invalid grant type", grant_type=self.grant_type) diff --git a/website/docs/providers/oauth2/client_credentials.md b/website/docs/providers/oauth2/client_credentials.md index 0a30c298b8d..f5ee676e278 100644 --- a/website/docs/providers/oauth2/client_credentials.md +++ b/website/docs/providers/oauth2/client_credentials.md 
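Review bot: Advertising `password` in `grant_types_supported` tells any client reading the discovery document that the resource-owner password grant is available, yet the documentation change in this same patch says authentik handles it as `client_credentials` and authenticates with service-account app-password tokens, not an end user's password, so a client that trusts the metadata and submits user credentials will be misled. The OAuth 2.0 Security BCP recommends against the password grant outright, so I would keep the token-endpoint tolerance for legacy clients but not advertise the grant in discovery; if it must stay listed, a comment next to the entry should state the caveat: `# "password" is only an alias for client_credentials (service accounts), see docs`. `get_info` starts and ends outside the hunk.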
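Review bot: The new `password` branch delegates to `__post_init_client_credentials` (outside the hunk) with no trace that a deprecated grant was used, and since this mapping silently changes the grant's meaning, operators will want a way to find clients still sending it. I would log it before delegating, e.g. `if self.grant_type == GRANT_TYPE_PASSWORD: LOGGER.warning("Deprecated password grant used; handling as client_credentials")`. It is also worth confirming, with a test, that `__post_init_client_credentials` only accepts service-account app-password tokens as the docs in this patch state and rejects a real user password, because that is exactly what ROPC clients submit in the `password` field. As a style nit, the membership test is on a list literal where a constant tuple is idiomatic: `elif self.grant_type in (GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD):`. `__post_init__` starts and ends outside the hunk.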
@@ -2,6 +2,8 @@ Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time. +Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant. + ### Static authentication Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function. From 4cf00ed5cfdd99dad94b4c86c5073aa4ad89e36f Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 31 Mar 2022 16:37:54 +0000 Subject: [PATCH 2/4] lifecycle: fix password and hostname not properly quoted #2623 --- lifecycle/wait_for_db.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lifecycle/wait_for_db.py b/lifecycle/wait_for_db.py index 7088f070f0c..bc880c3dbb0 100755 --- a/lifecycle/wait_for_db.py +++ b/lifecycle/wait_for_db.py @@ -5,6 +5,7 @@ from sys import exit as sysexit from sys import stderr from time import sleep, time +from urllib.parse import quote_plus from psycopg2 import OperationalError, connect from redis import Redis @@ -58,7 +59,7 @@ def j_print(event: str, log_level: str = "info", **kwargs): REDIS_PROTOCOL_PREFIX = "rediss://" REDIS_URL = ( f"{REDIS_PROTOCOL_PREFIX}:" - f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:" + f"{quote_plus(CONFIG.y('redis.password'))}@{quote_plus(CONFIG.y('redis.host'))}:" f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}" ) while True: From 99008252f88db5d91dd3e7b004bab7ae5cb5561b Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 31 Mar 2022 20:19:13 +0200 Subject: [PATCH 3/4] providers/oauth2: fix verification_keys being required 
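Review bot: `quote_plus` encodes a space as `+`, but the userinfo part of a URL is decoded with plain percent-decoding — redis-py's `from_url` (the `Redis` import is visible in the hunk) runs `urllib.parse.unquote` on the password — so a password containing a space would be sent as a literal `+` and fail to authenticate; `quote(CONFIG.y('redis.password'), safe="")` percent-encodes every reserved character, including `@`, `:` and `/`, and round-trips correctly. Applying `quote_plus` to the host is also harmful: its default `safe` only spares `/`, so an IPv6 literal such as `[::1]` has its brackets and colons percent-encoded and the URL no longer parses; the hostname needs no quoting here, or at most `quote(host, safe=":[]")`. If `CONFIG.y('redis.password')` can be `None` when no password is configured, `quote_plus(None)` raises `TypeError` where the old f-string merely rendered the value, so guard with `or ""`. The URL still embeds the password, so make sure `REDIS_URL` never reaches `j_print` output or an exception message on connection failure.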
Signed-off-by: Jens Langhammer --- ..._alter_oauth2provider_verification_keys.py | 26 +++++++++++++++++++ authentik/providers/oauth2/models.py | 2 ++ schema.yml | 2 -- 3 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 authentik/providers/oauth2/migrations/0010_alter_oauth2provider_verification_keys.py diff --git a/authentik/providers/oauth2/migrations/0010_alter_oauth2provider_verification_keys.py b/authentik/providers/oauth2/migrations/0010_alter_oauth2provider_verification_keys.py new file mode 100644 index 00000000000..11718cb3878 --- /dev/null +++ b/authentik/providers/oauth2/migrations/0010_alter_oauth2provider_verification_keys.py @@ -0,0 +1,26 @@ +# Generated by Django 4.0.3 on 2022-03-31 18:17 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("authentik_crypto", "0003_certificatekeypair_managed"), + ("authentik_providers_oauth2", "0009_oauth2provider_verification_keys_and_more"), + ] + + operations = [ + migrations.AlterField( + model_name="oauth2provider", + name="verification_keys", + field=models.ManyToManyField( + blank=True, + default=None, + help_text="JWTs created with the configured certificates can authenticate with this provider.", + related_name="+", + to="authentik_crypto.certificatekeypair", + verbose_name="Allowed certificates for JWT-based client_credentials", + ), + ), + ] diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py index b70f669dc53..7a93b1cbe43 100644 --- a/authentik/providers/oauth2/models.py +++ b/authentik/providers/oauth2/models.py @@ -227,6 +227,8 @@ class OAuth2Provider(Provider): "JWTs created with the configured certificates can authenticate with this provider." ), related_name="+", + default=None, + blank=True, ) def create_refresh_token( diff --git a/schema.yml b/schema.yml index 31df40770e9..fb7153eaf93 100644 --- a/schema.yml +++ b/schema.yml 
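Review bot: `default=None` on `verification_keys` is not meaningful for a `ManyToManyField` — there is no column to default, the relation lives in a through table — and `blank=True` is what actually makes the field optional (and what drops it from the `required` list in schema.yml), so I would remove `default=None` here and in the generated migration rather than suggest a semantic it does not have. Making the field optional also means a provider can now exist with no allowed certificates at all; the JWT `client_assertion` path (not in this hunk) must then reject any assertion outright rather than skipping signature verification, and a test asserting that an empty `verification_keys` set refuses a JWT would pin that down. A field comment such as `# Empty set means JWT-based client_credentials is disabled for this provider` would make the intended behaviour explicit. The enclosing `OAuth2Provider` class starts and ends outside the hunk.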
@@ -23124,7 +23124,6 @@ components: - pk - verbose_name - verbose_name_plural - - verification_keys OAuth2ProviderRequest: type: object description: OAuth2Provider Serializer @@ -23198,7 +23197,6 @@ components: required: - authorization_flow - name - - verification_keys OAuth2ProviderSetupURLs: type: object description: OAuth2 Provider Metadata serializer From 83c4d5393cb9b6ff156ca37e654c5bbfaa66ea3f Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 31 Mar 2022 20:24:11 +0200 Subject: [PATCH 4/4] web: Update Web API Client version (#2632) Signed-off-by: GitHub Co-authored-by: BeryJu --- web/package-lock.json | 14 +++++++------- web/package.json | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/web/package-lock.json b/web/package-lock.json index 8356423e614..1fc187b1937 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -16,7 +16,7 @@ "@babel/preset-typescript": "^7.16.7", "@formatjs/intl-listformat": "^6.5.3", "@fortawesome/fontawesome-free": "^6.1.1", - "@goauthentik/api": "^2022.3.3-1648679473", + "@goauthentik/api": "^2022.3.3-1648750781", "@jackfranklin/rollup-plugin-markdown": "^0.3.0", "@lingui/cli": "^3.13.2", "@lingui/core": "^3.13.2", @@ -1766,9 +1766,9 @@ } }, "node_modules/@goauthentik/api": { - "version": "2022.3.3-1648679473", - "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.3.3-1648679473.tgz", - "integrity": "sha512-yDOOl6Pg4GniA20t8P146Mb8UDeToBKNxJ0XHbWe7GCVCSRB/5POhBo5xAdZ7GqOaEpTUijGuP2gJE8lfbcPEQ==" + "version": "2022.3.3-1648750781", + "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.3.3-1648750781.tgz", + "integrity": "sha512-jMhVsWu/QgAx3lTfSZu+8WgW15fEpSqlpnDUD1KOHEI2IPCSSlUvGV4sbXCornrPyr6KAT37hkSJZEyPvxxtfQ==" }, "node_modules/@humanwhocodes/config-array": { "version": "0.9.2", 
@@ -10065,9 +10065,9 @@ "integrity": "sha512-J/3yg2AIXc9wznaVqpHVX3Wa5jwKovVF0AMYSnbmcXTiL3PpRPfF58pzWucCwEiCJBp+hCNRLWClTomD8SseKg==" }, "@goauthentik/api": { - "version": "2022.3.3-1648679473", - "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.3.3-1648679473.tgz", - "integrity": "sha512-yDOOl6Pg4GniA20t8P146Mb8UDeToBKNxJ0XHbWe7GCVCSRB/5POhBo5xAdZ7GqOaEpTUijGuP2gJE8lfbcPEQ==" + "version": "2022.3.3-1648750781", + "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.3.3-1648750781.tgz", + "integrity": "sha512-jMhVsWu/QgAx3lTfSZu+8WgW15fEpSqlpnDUD1KOHEI2IPCSSlUvGV4sbXCornrPyr6KAT37hkSJZEyPvxxtfQ==" }, "@humanwhocodes/config-array": { "version": "0.9.2", diff --git a/web/package.json b/web/package.json index aaa11c1ef23..8e6f1750320 100644 --- a/web/package.json +++ b/web/package.json @@ -59,7 +59,7 @@ "@babel/preset-typescript": "^7.16.7", "@formatjs/intl-listformat": "^6.5.3", "@fortawesome/fontawesome-free": "^6.1.1", - "@goauthentik/api": "^2022.3.3-1648679473", + "@goauthentik/api": "^2022.3.3-1648750781", "@jackfranklin/rollup-plugin-markdown": "^0.3.0", "@lingui/cli": "^3.13.2", "@lingui/core": "^3.13.2",