providers/oauth2: make iss field configurable
This commit is contained in:
parent
dff5eb69c8
commit
55322995a1
@ -27,6 +27,7 @@ class OAuth2ProviderSerializer(ModelSerializer, MetaNameSerializer):
"redirect_uris",
"sub_mode",
"property_mappings",
"issuer_mode",
"verbose_name",
"verbose_name_plural",
]
@ -53,14 +53,15 @@ class OAuth2ProviderForm(forms.ModelForm):
"client_type",
"client_id",
"client_secret",
"response_type",
"token_validity",
"include_claims_in_id_token",
"jwt_alg",
"response_type",
"property_mappings",
"rsa_key",
"redirect_uris",
"sub_mode",
"property_mappings",
"include_claims_in_id_token",
"issuer_mode",
]
widgets = {
"name": forms.TextInput(),
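Review bot: The `fields` list on the new side still carries duplicate entries — `"response_type"` (twice), `"property_mappings"` (twice) and `"include_claims_in_id_token"` (twice) — while `"issuer_mode"` is appended after them. As far as I can tell Django collapses the duplicates when it builds the form, so this is a tidiness point rather than a bug, but since the list is being edited it is a good moment to drop the repeated entries so the declared order matches what the form renders. The enclosing `Meta` class and the form continue outside the hunk.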
@ -0,0 +1,28 @@
# Generated by Django 3.1.4 on 2020-12-27 13:54
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_providers_oauth2", "0007_auto_20201016_1107"),
]
operations = [
migrations.AddField(
model_name="oauth2provider",
name="issuer_mode",
field=models.TextField(
choices=[
("global", "Same identifier is used for all providers"),
(
"per_provider",
"Each provider has a different issuer, based on the application slug.",
),
],
default="per_provider",
help_text="Configure how the issuer field of the ID Token should be filled.",
),
),
]
@ -70,6 +70,15 @@ class SubModes(models.TextChoices):
)
class IssuerMode(models.TextChoices):
"""Configure how the `iss` field is created."""
GLOBAL = "global", _("Same identifier is used for all providers")
PER_PROVIDER = "per_provider", _(
"Each provider has a different issuer, based on the application slug."
)
class ResponseTypes(models.TextChoices):
"""Response Type required by the client."""
@ -193,6 +202,13 @@ class OAuth2Provider(Provider):
)
),
)
issuer_mode = models.TextField(
choices=IssuerMode.choices,
default=IssuerMode.PER_PROVIDER,
help_text=_(
("Configure how the issuer field of the ID Token should be filled.")
),
)
rsa_key = models.ForeignKey(
CertificateKeyPair,
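Review bot: The `help_text` of the new `issuer_mode` field wraps its string in a redundant extra pair of parentheses, `_(("Configure how ..."))`, which adds nothing and reads like a leftover from a multi-line string; the other fields in this model pass the string straight to `_()`. I would collapse it to one line: `help_text=_("Configure how the issuer field of the ID Token should be filled."),`. It would also help a reader to say in the help text that `per_provider` (the default) ties the issuer to the application slug, mirroring the `IssuerMode` docstring, since that is the mode most clients will end up validating `iss` against. The `OAuth2Provider` class continues outside the hunk.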
@ -254,6 +270,8 @@ class OAuth2Provider(Provider):
def get_issuer(self, request: HttpRequest) -> Optional[str]:
"""Get issuer, based on request"""
if self.issuer_mode == IssuerMode.GLOBAL:
return request.build_absolute_uri("/")
try:
mountpoint = AuthentikProviderOAuth2Config.mountpoints[
"authentik.providers.oauth2.urls"
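Review bot: In the new `IssuerMode.GLOBAL` branch of `get_issuer`, the `iss` value comes from `request.build_absolute_uri("/")`, i.e. from the incoming request's scheme and Host header, and neither the docstring nor the field help text says so. Django's `get_host()` rejects hosts outside `ALLOWED_HOSTS`, so the value is bounded by that setting, but behind a reverse proxy it only matches the public URL when `USE_X_FORWARDED_HOST` / `SECURE_PROXY_SSL_HEADER` are configured, and a permissive `ALLOWED_HOSTS` would let the issuer vary with whatever host a client sends, which clients validating `iss` will reject. I would extend the docstring to: `"""Get issuer, based on request. In GLOBAL mode this is the request's own root URL (scheme + Host as validated by ALLOWED_HOSTS); deployments behind a proxy must forward the public host/scheme or clients will see a mismatched iss."""`. The per-provider path after the `try` and the rest of the function continue outside the hunk.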
@ -7887,6 +7887,13 @@ definitions:
type: string
format: uuid
uniqueItems: true
issuer_mode:
title: Issuer mode
description: Configure how the issuer field of the ID Token should be filled.
type: string
enum:
- global
- per_provider
verbose_name:
title: Verbose name
type: string