providers/oauth2: make iss field configurable

2020-12-27 14:54:27 +01:00 · 2020-12-27 14:54:27 +01:00 · 55322995a1
parent dff5eb69c8
commit 55322995a1
5 changed files with 58 additions and 3 deletions
--- a/authentik/providers/oauth2/api.py
+++ b/authentik/providers/oauth2/api.py
@ -27,6 +27,7 @@ class OAuth2ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "redirect_uris",
            "sub_mode",
            "property_mappings",
+            "issuer_mode",
            "verbose_name",
            "verbose_name_plural",
        ]
--- a/authentik/providers/oauth2/forms.py
+++ b/authentik/providers/oauth2/forms.py
@ -53,14 +53,15 @@ class OAuth2ProviderForm(forms.ModelForm):
            "client_type",
            "client_id",
            "client_secret",
-            "response_type",
            "token_validity",
-            "include_claims_in_id_token",
            "jwt_alg",
+            "response_type",
+            "property_mappings",
            "rsa_key",
            "redirect_uris",
            "sub_mode",
-            "property_mappings",
+            "include_claims_in_id_token",
+            "issuer_mode",
        ]
        widgets = {
            "name": forms.TextInput(),
--- a/authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py
+++ b/authentik/providers/oauth2/migrations/0008_oauth2provider_issuer_mode.py
@ -0,0 +1,28 @@
+# Generated by Django 3.1.4 on 2020-12-27 13:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0007_auto_20201016_1107"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="oauth2provider",
+            name="issuer_mode",
+            field=models.TextField(
+                choices=[
+                    ("global", "Same identifier is used for all providers"),
+                    (
+                        "per_provider",
+                        "Each provider has a different issuer, based on the application slug.",
+                    ),
+                ],
+                default="per_provider",
+                help_text="Configure how the issuer field of the ID Token should be filled.",
+            ),
+        ),
+    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -70,6 +70,15 @@ class SubModes(models.TextChoices):
    )


+class IssuerMode(models.TextChoices):
+    """Configure how the `iss` field is created."""
+
+    GLOBAL = "global", _("Same identifier is used for all providers")
+    PER_PROVIDER = "per_provider", _(
+        "Each provider has a different issuer, based on the application slug."
+    )
+
+
 class ResponseTypes(models.TextChoices):
    """Response Type required by the client."""

@ -193,6 +202,13 @@ class OAuth2Provider(Provider):
            )
        ),
    )
+    issuer_mode = models.TextField(
+        choices=IssuerMode.choices,
+        default=IssuerMode.PER_PROVIDER,
+        help_text=_(
+            ("Configure how the issuer field of the ID Token should be filled.")
+        ),
+    )

    rsa_key = models.ForeignKey(
        CertificateKeyPair,
@ -254,6 +270,8 @@ class OAuth2Provider(Provider):

    def get_issuer(self, request: HttpRequest) -> Optional[str]:
        """Get issuer, based on request"""
+        if self.issuer_mode == IssuerMode.GLOBAL:
+            return request.build_absolute_uri("/")
        try:
            mountpoint = AuthentikProviderOAuth2Config.mountpoints[
                "authentik.providers.oauth2.urls"
--- a/swagger.yaml
+++ b/swagger.yaml
@ -7887,6 +7887,13 @@ definitions:
          type: string
          format: uuid
        uniqueItems: true
+      issuer_mode:
+        title: Issuer mode
+        description: Configure how the issuer field of the ID Token should be filled.
+        type: string
+        enum:
+          - global
+          - per_provider
      verbose_name:
        title: Verbose name
        type: string