providers/oauth2: use guardian anonymous user to get claims for provider info

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens Langhammer 2023-01-14 19:53:43 +01:00
parent d37de6bc00
commit 67d1f06c91
2 changed files with 10 additions and 6 deletions


@ -5,7 +5,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
from django.shortcuts import get_object_or_404, reverse
from django.views import View
from structlog.stdlib import get_logger
from guardian.shortcuts import get_anonymous_user
from authentik.core.exceptions import PropertyMappingExpressionException
from authentik.core.models import Application
from authentik.providers.oauth2.constants import (
@ -130,7 +130,7 @@ class ProviderInfoView(View):
value = None
try:
value = scope.evaluate(
user=self.request.user,
user=get_anonymous_user(),
request=self.request,
provider=provider,
)
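Review bot: `get_anonymous_user()` on the new line is evaluated inside the `scope.evaluate(...)` call, which sits in what appears to be a per-scope loop (the `value = None` / `try:` prologue repeats per scope), so every scope of the provider costs a User lookup, and a missing guardian anonymous user (`ANONYMOUS_USER_NAME` unset or the row absent) raises `User.DoesNotExist` from inside the `try:`; whether the `except` below, which is outside the hunk, swallows that as a mapping failure or lets it escape is not visible here. Fetching it once before the loop, `anonymous = get_anonymous_user()`, and passing `user=anonymous` makes a missing anonymous user fail once and visibly rather than once per scope. The switch away from `self.request.user` is also a deliberate trust decision worth recording next to the call: `# Provider info is public: claims are evaluated as the guardian anonymous user, never as the caller's session user.` The enclosing loop and method start and end outside this hunk.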


@ -112,7 +112,9 @@ class TokenParams:
engine.build()
result = engine.result
if not result.passing:
LOGGER.info("User not authenticated for application", user=self.user, app=app)
LOGGER.info(
"User not authenticated for application", user=self.user, app_slug=app.slug
)
raise TokenError("invalid_grant")
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
@ -303,10 +305,10 @@ class TokenParams:
source: Optional[OAuthSource] = None
parsed_key: Optional[PyJWK] = None
for source in self.provider.jwks_sources.all():
LOGGER.debug("verifying jwt with source", source=source.name)
LOGGER.debug("verifying jwt with source", source=source.slug)
keys = source.oidc_jwks.get("keys", [])
for key in keys:
LOGGER.debug("verifying jwt with key", source=source.name, key=key.get("kid"))
LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
try:
parsed_key = PyJWK.from_dict(key)
token = decode(
@ -320,12 +322,14 @@ class TokenParams:
# AttributeError is raised when the configured JWK is a private key
# and not a public key
except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
LOGGER.warning("failed to validate jwt", exc=exc)
LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)
if not token:
LOGGER.warning("No token could be verified")
raise TokenError("invalid_grant")
LOGGER.debug("successfully verified jwt with source", source=source.slug)
if "exp" in token:
exp = datetime.fromtimestamp(token["exp"])
# Non-timezone aware check since we assume `exp` is in UTC