trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

providers/oauth2: add additional tracing to token view

Browse source
This commit is contained in:
Jens Langhammer 2022-04-14 16:45:26 +00:00
parent 8242b09394
commit 7561ea15de
1 changed files with 51 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
authentik/providers/oauth2/views/token.py
View file

@ -8,6 +8,7 @@ from django.http import HttpRequest, HttpResponse
from django.utils.timezone import datetime, now from django.utils.timezone import datetime, now
from django.views import View from django.views import View
from jwt import InvalidTokenError, decode from jwt import InvalidTokenError, decode
from sentry_sdk.hub import Hub
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.core.models import ( from authentik.core.models import (
@ -94,16 +95,19 @@ class TokenParams:
) )
def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs): def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
engine = PolicyEngine(app, self.user, request) with Hub.current.start_span(
engine.request.context["oauth_scopes"] = self.scope op="authentik.providers.oauth2.token.policy",
engine.request.context["oauth_grant_type"] = self.grant_type ):
engine.request.context["oauth_code_verifier"] = self.code_verifier engine = PolicyEngine(app, self.user, request)
engine.request.context.update(kwargs) engine.request.context["oauth_scopes"] = self.scope
engine.build() engine.request.context["oauth_grant_type"] = self.grant_type
result = engine.result engine.request.context["oauth_code_verifier"] = self.code_verifier
if not result.passing: engine.request.context.update(kwargs)
LOGGER.info("User not authenticated for application", user=self.user, app=app) engine.build()
raise TokenError("invalid_grant") result = engine.result
if not result.passing:
LOGGER.info("User not authenticated for application", user=self.user, app=app)
raise TokenError("invalid_grant")
def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest): def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
if self.grant_type in [GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN]: if self.grant_type in [GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN]:
@ -118,11 +122,20 @@ class TokenParams:
raise TokenError("invalid_client") raise TokenError("invalid_client")
if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
self.__post_init_code(raw_code) with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.code",
):
self.__post_init_code(raw_code)
elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN: elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
self.__post_init_refresh(raw_token, request) with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.refresh",
):
self.__post_init_refresh(raw_token, request)
elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]: elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
self.__post_init_client_credentials(request) with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.client_credentials",
):
self.__post_init_client_credentials(request)
else: else:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type) LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
raise TokenError("unsupported_grant_type") raise TokenError("unsupported_grant_type")
@ -330,27 +343,33 @@ class TokenView(View):
def post(self, request: HttpRequest) -> HttpResponse: def post(self, request: HttpRequest) -> HttpResponse:
"""Generate tokens for clients""" """Generate tokens for clients"""
try: try:
client_id, client_secret = extract_client_auth(request) with Hub.current.start_span(
try: op="authentik.providers.oauth2.post.parse",
self.provider = OAuth2Provider.objects.get(client_id=client_id) ):
except OAuth2Provider.DoesNotExist: client_id, client_secret = extract_client_auth(request)
LOGGER.warning("OAuth2Provider does not exist", client_id=client_id) try:
raise TokenError("invalid_client") self.provider = OAuth2Provider.objects.get(client_id=client_id)
except OAuth2Provider.DoesNotExist:
LOGGER.warning("OAuth2Provider does not exist", client_id=client_id)
raise TokenError("invalid_client")
if not self.provider: if not self.provider:
raise ValueError raise ValueError
self.params = TokenParams.parse(request, self.provider, client_id, client_secret) self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
if self.params.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: with Hub.current.start_span(
LOGGER.debug("Converting authorization code to refresh token") op="authentik.providers.oauth2.post.response",
return TokenResponse(self.create_code_response()) ):
if self.params.grant_type == GRANT_TYPE_REFRESH_TOKEN: if self.params.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
LOGGER.debug("Refreshing refresh token") LOGGER.debug("Converting authorization code to refresh token")
return TokenResponse(self.create_refresh_response()) return TokenResponse(self.create_code_response())
if self.params.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS: if self.params.grant_type == GRANT_TYPE_REFRESH_TOKEN:
LOGGER.debug("Client credentials grant") LOGGER.debug("Refreshing refresh token")
return TokenResponse(self.create_client_credentials_response()) return TokenResponse(self.create_refresh_response())
raise ValueError(f"Invalid grant_type: {self.params.grant_type}") if self.params.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
LOGGER.debug("Client credentials grant")
return TokenResponse(self.create_client_credentials_response())
raise ValueError(f"Invalid grant_type: {self.params.grant_type}")
except TokenError as error: except TokenError as error:
return TokenResponse(error.create_dict(), status=400) return TokenResponse(error.create_dict(), status=400)
except UserAuthError as error: except UserAuthError as error: