providers/oauth2: fix "auth_time" being based on user.last_login

2020-12-26 17:54:05 +01:00 · 2020-12-26 17:54:05 +01:00 · 8dddcf891e
parent 319104c39b
commit 8dddcf891e
2 changed files with 7 additions and 3 deletions
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -22,6 +22,7 @@ from rest_framework.serializers import Serializer

 from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
 from authentik.crypto.models import CertificateKeyPair
+from authentik.events.models import Event, EventAction
 from authentik.lib.utils.template import render_to_string
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.providers.oauth2.apps import AuthentikProviderOAuth2Config
@ -482,8 +483,12 @@ class RefreshToken(ExpiringModel, BaseGrantModel):
        exp_time = int(
            now + timedelta_from_string(self.provider.token_validity).seconds
        )
-        user_auth_time = user.last_login or user.date_joined
-        auth_time = int(dateformat.format(user_auth_time, "U"))
+        # Because this function is called after the AUTHORIZE_APPLICATION Event has been created,
+        # we use the timestamp of that.
+        auth_event = Event.objects.filter(
+            action=EventAction.AUTHORIZE_APPLICATION, user=user
+        ).latest("created")
+        auth_time = int(dateformat.format(auth_event.created, "U"))

        token = IDToken(
            iss=self.provider.get_issuer(request),
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -344,7 +344,6 @@ class AuthorizationFlowInitView(PolicyAccessView):
        try:
            params = OAuthAuthorizationParams.from_request(request)
        except OAuth2Error as error:
-            # pylint: disable=no-member
            return bad_request_message(request, error.description, title=error.error)
        except OAuth2Provider.DoesNotExist:
            raise Http404