trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/oauth2: add configuration error event when wrong redirect uri is used in token request 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-05-28 21:15:58 +02:00
parent 098b0aef6e
commit 18b48684eb
2 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
authentik/providers/oauth2/views/authorize.py
View File

@ -196,7 +196,7 @@ class OAuthAuthorizationParams:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
redirect_uri=self.redirect_uri, redirect_uri=self.redirect_uri,
excepted=allowed_redirect_urls, expected=allowed_redirect_urls,
) )
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
except RegexError as exc: except RegexError as exc:

18
authentik/providers/oauth2/views/token.py
View File

@ -128,7 +128,7 @@ class TokenParams:
with Hub.current.start_span( with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.code", op="authentik.providers.oauth2.post.parse.code",
): ):
self.__post_init_code(raw_code) self.__post_init_code(raw_code, request)
elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN: elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
with Hub.current.start_span( with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.refresh", op="authentik.providers.oauth2.post.parse.refresh",
@ -143,7 +143,7 @@ class TokenParams:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type) LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
raise TokenError("unsupported_grant_type") raise TokenError("unsupported_grant_type")
def __post_init_code(self, raw_code: str): def __post_init_code(self, raw_code: str, request: HttpRequest):
if not raw_code: if not raw_code:
LOGGER.warning("Missing authorization code") LOGGER.warning("Missing authorization code")
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
@ -156,11 +156,23 @@ class TokenParams:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
redirect_uri=self.redirect_uri, redirect_uri=self.redirect_uri,
excepted=allowed_redirect_urls, expected=allowed_redirect_urls,
) )
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect URI used by provider",
provider=self.provider,
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
).from_http(request)
raise TokenError("invalid_client") raise TokenError("invalid_client")
except RegexError as exc: except RegexError as exc:
LOGGER.warning("Invalid regular expression configured", exc=exc) LOGGER.warning("Invalid regular expression configured", exc=exc)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect_uri RegEx configured",
provider=self.provider,
).from_http(request)
raise TokenError("invalid_client") raise TokenError("invalid_client")
try: try: