providers/oauth2: add password grant support (treated as client_credentials)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-31 18:02:17 +02:00 · 2022-03-31 18:02:17 +02:00 · 8689444954
parent 4210f692ff
commit 8689444954
4 changed files with 11 additions and 8 deletions
--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""

 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password"  # nosec

 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -11,15 +11,12 @@ from authentik.providers.oauth2.constants import (
    ACR_AUTHENTIK_DEFAULT,
    GRANT_TYPE_AUTHORIZATION_CODE,
    GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_IMPLICIT,
+    GRANT_TYPE_PASSWORD,
    GRANT_TYPE_REFRESH_TOKEN,
    SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import (
-    GrantTypes,
-    OAuth2Provider,
-    ResponseTypes,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
 from authentik.providers.oauth2.utils import cors_allow

 LOGGER = get_logger()
@ -78,8 +75,9 @@ class ProviderInfoView(View):
            "grant_types_supported": [
                GRANT_TYPE_AUTHORIZATION_CODE,
                GRANT_TYPE_REFRESH_TOKEN,
-                GrantTypes.IMPLICIT,
+                GRANT_TYPE_IMPLICIT,
                GRANT_TYPE_CLIENT_CREDENTIALS,
+                GRANT_TYPE_PASSWORD,
            ],
            "id_token_signing_alg_values_supported": [supported_alg],
            # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -28,6 +28,7 @@ from authentik.providers.oauth2.constants import (
    CLIENT_ASSERTION_TYPE_JWT,
    GRANT_TYPE_AUTHORIZATION_CODE,
    GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_PASSWORD,
    GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@ -108,7 +109,7 @@ class TokenParams:
            self.__post_init_code(raw_code)
        elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
            self.__post_init_refresh(raw_token, request)
-        elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+        elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
            self.__post_init_client_credentials(request)
        else:
            LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
--- a/website/docs/providers/oauth2/client_credentials.md
+++ b/website/docs/providers/oauth2/client_credentials.md
@ -2,6 +2,8 @@

 Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.

+Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
+
 ### Static authentication

 Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.