remove verification_keys

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/oauth2/api/provider.py

@@ -34,7 +34,6 @@ class Meta:
             "sub_mode",
             "property_mappings",
             "issuer_mode",
-            "verification_keys",
             "jwks_sources",
         ]
 

authentik/providers/oauth2/migrations/0012_remove_oauth2provider_verification_keys.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.0.5 on 2022-06-04 21:26
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0011_oauth2provider_jwks_sources_and_more"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="oauth2provider",
+            name="verification_keys",
+        ),
+    ]

authentik/providers/oauth2/models.py

@@ -222,19 +222,6 @@ class OAuth2Provider(Provider):
         ),
     )
 
-    verification_keys = models.ManyToManyField(
-        CertificateKeyPair,
-        verbose_name=_("Allowed certificates for JWT-based client_credentials"),
-        help_text=_(
-            (
-                "DEPRECATED. JWTs created with the configured "
-                "certificates can authenticate with this provider."
-            )
-        ),
-        related_name="oauth2_providers",
-        default=None,
-        blank=True,
-    )
     jwks_sources = models.ManyToManyField(
         OAuthSource,
         verbose_name=_(

authentik/providers/oauth2/views/token.py

@@ -292,26 +292,6 @@ def __post_init_client_credentials_jwt(self, request: HttpRequest):
 
         token = None
 
-        # TODO: Remove in 2022.7, deprecated field `verification_keys``
-        for cert in self.provider.verification_keys.all():
-            LOGGER.debug("verifying jwt with key", key=cert.name)
-            cert: CertificateKeyPair
-            public_key = cert.certificate.public_key()
-            if cert.private_key:
-                public_key = cert.private_key.public_key()
-            try:
-                token = decode(
-                    assertion,
-                    public_key,
-                    algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.ES256],
-                    options={
-                        "verify_aud": False,
-                    },
-                )
-            except (PyJWTError, ValueError, TypeError) as exc:
-                LOGGER.warning("failed to validate jwt", exc=exc)
-        # TODO: End remove block
-
         source: Optional[OAuthSource] = None
         parsed_key: Optional[PyJWK] = None
         for source in self.provider.jwks_sources.all():

schema.yml

@@ -23237,15 +23237,6 @@ components:
           allOf:
           - $ref: '#/components/schemas/IssuerModeEnum'
           description: Configure how the issuer field of the ID Token should be filled.
-        verification_keys:
-          type: array
-          items:
-            type: string
-            format: uuid
-            title: Allowed certificates for JWT-based client_credentials
-          title: Allowed certificates for JWT-based client_credentials
-          description: DEPRECATED. JWTs created with the configured certificates can
-            authenticate with this provider.
         jwks_sources:
           type: array
           items:
@@ -23325,15 +23316,6 @@ components:
           allOf:
           - $ref: '#/components/schemas/IssuerModeEnum'
           description: Configure how the issuer field of the ID Token should be filled.
-        verification_keys:
-          type: array
-          items:
-            type: string
-            format: uuid
-            title: Allowed certificates for JWT-based client_credentials
-          title: Allowed certificates for JWT-based client_credentials
-          description: DEPRECATED. JWTs created with the configured certificates can
-            authenticate with this provider.
         jwks_sources:
           type: array
           items:
@@ -27711,15 +27693,6 @@ components:
           allOf:
           - $ref: '#/components/schemas/IssuerModeEnum'
           description: Configure how the issuer field of the ID Token should be filled.
-        verification_keys:
-          type: array
-          items:
-            type: string
-            format: uuid
-            title: Allowed certificates for JWT-based client_credentials
-          title: Allowed certificates for JWT-based client_credentials
-          description: DEPRECATED. JWTs created with the configured certificates can
-            authenticate with this provider.
         jwks_sources:
           type: array
           items:

web/src/locales/de.po

@@ -1552,7 +1552,6 @@ msgstr "{0} löschen"
 msgid "Deny the user access"
 msgstr "Dem Benutzer den Zugang verweigern"
 
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "Deprecated. Instead of using this field, configure the JWKS data/URL in Sources."
 msgstr ""
@@ -2471,7 +2470,6 @@ msgstr "Interne Konten ausblenden"
 #: src/pages/outposts/OutpostForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/saml/SAMLProviderForm.ts
 #: src/pages/sources/ldap/LDAPSourceForm.ts
@@ -2753,7 +2751,6 @@ msgstr ""
 #~ msgid "JWT Algorithm"
 #~ msgstr "JWT Algorithmus"
 
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 msgid "JWTs signed by certificates configured here can be used to authenticate to the provider."
 msgstr ""
@@ -2937,7 +2934,6 @@ msgstr "Wird geladen"
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
@@ -6308,8 +6304,8 @@ msgid "Verification Certificate"
 msgstr "Zertifikat zur Überprüfung"
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "Verification certificates"
-msgstr ""
+#~ msgid "Verification certificates"
+#~ msgstr ""
 
 #: src/pages/stages/authenticator_sms/AuthenticatorSMSStageForm.ts
 #~ msgid "Verify only"