providers/oauth2: add configuration error event when wrong redirect uri is used in token request

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-28 21:15:58 +02:00 · 2022-05-28 21:15:58 +02:00 · 18b48684eb
parent 098b0aef6e
commit 18b48684eb
2 changed files with 16 additions and 4 deletions
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -196,7 +196,7 @@ class OAuthAuthorizationParams:
                LOGGER.warning(
                    "Invalid redirect uri",
                    redirect_uri=self.redirect_uri,
-                    excepted=allowed_redirect_urls,
+                    expected=allowed_redirect_urls,
                )
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
        except RegexError as exc:
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -128,7 +128,7 @@ class TokenParams:
            with Hub.current.start_span(
                op="authentik.providers.oauth2.post.parse.code",
            ):
-                self.__post_init_code(raw_code)
+                self.__post_init_code(raw_code, request)
        elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
            with Hub.current.start_span(
                op="authentik.providers.oauth2.post.parse.refresh",
@ -143,7 +143,7 @@ class TokenParams:
            LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
            raise TokenError("unsupported_grant_type")

-    def __post_init_code(self, raw_code: str):
+    def __post_init_code(self, raw_code: str, request: HttpRequest):
        if not raw_code:
            LOGGER.warning("Missing authorization code")
            raise TokenError("invalid_grant")
@ -156,11 +156,23 @@ class TokenParams:
                LOGGER.warning(
                    "Invalid redirect uri",
                    redirect_uri=self.redirect_uri,
-                    excepted=allowed_redirect_urls,
+                    expected=allowed_redirect_urls,
                )
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message="Invalid redirect URI used by provider",
+                    provider=self.provider,
+                    redirect_uri=self.redirect_uri,
+                    expected=allowed_redirect_urls,
+                ).from_http(request)
                raise TokenError("invalid_client")
        except RegexError as exc:
            LOGGER.warning("Invalid regular expression configured", exc=exc)
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message="Invalid redirect_uri RegEx configured",
+                provider=self.provider,
+            ).from_http(request)
            raise TokenError("invalid_client")

        try: