Addition of form_post OIDC response mode

[scheibling]

Details

Resolves #2748

Changes

New Features

• Adds support for form_post response mode, required for Azure-compatibility

Breaking Changes

None

Additional Details

[scheibling]

@BeryJu Right, it's working now at least!

I added a separate class for the post response, and I've imported the AutosubmitChallenge and AutoSubmitChallengeResponse classes from providers.saml.views.flows for now, I'm going to do some testing with this setup and see whether I can find any shortcomings.

[BeryJu]

So this extra stage view shouldn't be required, imo it makes more sense to hook in here https://github.com/goauthentik/authentik/blob/master/authentik/providers/oauth2/views/authorize.py#L248, rename redirect to get_response and have it check the parameters to either return an Autosubmit Challenge or a redirect

[scheibling]

Yep, I agree, this was just a way of testing the concept on my part for now. I'll have a look at integrating it a bit better later today.

[scheibling]

Right, had some more free time this afternoon. I've removed the separate class and moved the FORM_POST handling to create_response_uri() and redirect() respectively

I'll have to spend some more time going through a couple of more scenarios where form_post might want a non-implicit response, I've only been testing with an application of ours that has a very specific capability for OIDC (Azure) so far.

https://github.com/scheibling/authentik/blob/b7fd2b38935ed63a2bd1214f6c41d6ac2e6485b9/authentik/providers/oauth2/views/authorize.py#L265-L282

[scheibling]

Looked at it with a little more sleep behind me, I'm going to work on the create_response_uri-part a bit more since the current code doesn't really take any of the response_type parameters into account.

Form_post in particular can be requested with just the code and id_token parts by themselves, I'm gonna read up a bit on that part of the protocol when I get into work tomorrow.

The original version was written as if fragment always just creates an implicit response with just an id_token and query only provides a code, couldn't there be other combinations on those as well?

I'll be back with an update once I'm up to speed with the latest!

[scheibling]

Nope, apparently the code that's already in create_implicit_response works fine for form_post as well!

[codecov]

Codecov Report

Merging #2818 (df2ebed) into master (f00657f) will decrease coverage by 0.02%.
The diff coverage is 60.00%.

@@            Coverage Diff             @@
##           master    #2818      +/-   ##
==========================================
- Coverage   91.73%   91.72%   -0.01%     
==========================================
  Files         455      455              
  Lines       20039    20049      +10     
==========================================
+ Hits        18381    18388       +7     
- Misses       1658     1661       +3     

Impacted Files	Coverage Δ
authentik/providers/oauth2/views/authorize.py	80.90% <57.90%> (-2.04%)	⬇️
authentik/providers/oauth2/models.py	93.73% <100.00%> (+0.03%)	⬆️
authentik/events/models.py	82.45% <0.00%> (-0.38%)	⬇️
authentik/admin/tasks.py	100.00% <0.00%> (+9.10%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f00657f...df2ebed. Read the comment docs.