providers/oauth2: remember session_id from initial token (cherry-pick #7976) (#7977)

providers/oauth2: remember session_id from initial token (#7976)

* providers/oauth2: remember session_id original token was created with for future access/refresh tokens



* providers/proxy: use hashed session as `sid`



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
This commit is contained in:
gcp-cherry-pick-bot[bot] 2023-12-23 01:20:48 +01:00 committed by GitHub
parent 4776d2bcc5
commit 9c8fec21cf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 41 additions and 2 deletions

View file

@ -0,0 +1,27 @@
# Generated by Django 5.0 on 2023-12-22 23:20
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_providers_oauth2", "0016_alter_refreshtoken_token"),
]
operations = [
migrations.AddField(
model_name="accesstoken",
name="session_id",
field=models.CharField(blank=True, default=""),
),
migrations.AddField(
model_name="authorizationcode",
name="session_id",
field=models.CharField(blank=True, default=""),
),
migrations.AddField(
model_name="refreshtoken",
name="session_id",
field=models.CharField(blank=True, default=""),
),
]

View file

@ -296,6 +296,7 @@ class BaseGrantModel(models.Model):
revoked = models.BooleanField(default=False) revoked = models.BooleanField(default=False)
_scope = models.TextField(default="", verbose_name=_("Scopes")) _scope = models.TextField(default="", verbose_name=_("Scopes"))
auth_time = models.DateTimeField(verbose_name="Authentication time") auth_time = models.DateTimeField(verbose_name="Authentication time")
session_id = models.CharField(default="", blank=True)
@property @property
def scope(self) -> list[str]: def scope(self) -> list[str]:

View file

@ -1,6 +1,7 @@
"""authentik OAuth2 Authorization views""" """authentik OAuth2 Authorization views"""
from dataclasses import dataclass, field from dataclasses import dataclass, field
from datetime import timedelta from datetime import timedelta
from hashlib import sha256
from json import dumps from json import dumps
from re import error as RegexError from re import error as RegexError
from re import fullmatch from re import fullmatch
@ -282,6 +283,7 @@ class OAuthAuthorizationParams:
expires=now + timedelta_from_string(self.provider.access_code_validity), expires=now + timedelta_from_string(self.provider.access_code_validity),
scope=self.scope, scope=self.scope,
nonce=self.nonce, nonce=self.nonce,
session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(),
) )
if self.code_challenge and self.code_challenge_method: if self.code_challenge and self.code_challenge_method:
@ -569,6 +571,7 @@ class OAuthFulfillmentStage(StageView):
expires=access_token_expiry, expires=access_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=auth_event.created if auth_event else now, auth_time=auth_event.created if auth_event else now,
session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(),
) )
id_token = IDToken.new(self.provider, token, self.request) id_token = IDToken.new(self.provider, token, self.request)

View file

@ -487,6 +487,7 @@ class TokenView(View):
# Keep same scopes as previous token # Keep same scopes as previous token
scope=self.params.authorization_code.scope, scope=self.params.authorization_code.scope,
auth_time=self.params.authorization_code.auth_time, auth_time=self.params.authorization_code.auth_time,
session_id=self.params.authorization_code.session_id,
) )
access_token.id_token = IDToken.new( access_token.id_token = IDToken.new(
self.provider, self.provider,
@ -502,6 +503,7 @@ class TokenView(View):
expires=refresh_token_expiry, expires=refresh_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=self.params.authorization_code.auth_time, auth_time=self.params.authorization_code.auth_time,
session_id=self.params.authorization_code.session_id,
) )
id_token = IDToken.new( id_token = IDToken.new(
self.provider, self.provider,
@ -539,6 +541,7 @@ class TokenView(View):
# Keep same scopes as previous token # Keep same scopes as previous token
scope=self.params.refresh_token.scope, scope=self.params.refresh_token.scope,
auth_time=self.params.refresh_token.auth_time, auth_time=self.params.refresh_token.auth_time,
session_id=self.params.refresh_token.session_id,
) )
access_token.id_token = IDToken.new( access_token.id_token = IDToken.new(
self.provider, self.provider,
@ -554,6 +557,7 @@ class TokenView(View):
expires=refresh_token_expiry, expires=refresh_token_expiry,
provider=self.provider, provider=self.provider,
auth_time=self.params.refresh_token.auth_time, auth_time=self.params.refresh_token.auth_time,
session_id=self.params.refresh_token.session_id,
) )
id_token = IDToken.new( id_token = IDToken.new(
self.provider, self.provider,

View file

@ -1,4 +1,6 @@
"""proxy provider tasks""" """proxy provider tasks"""
from hashlib import sha256
from asgiref.sync import async_to_sync from asgiref.sync import async_to_sync
from channels.layers import get_channel_layer from channels.layers import get_channel_layer
from django.db import DatabaseError, InternalError, ProgrammingError from django.db import DatabaseError, InternalError, ProgrammingError
@ -23,6 +25,7 @@ def proxy_set_defaults():
def proxy_on_logout(session_id: str): def proxy_on_logout(session_id: str):
"""Update outpost instances connected to a single outpost""" """Update outpost instances connected to a single outpost"""
layer = get_channel_layer() layer = get_channel_layer()
hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
for outpost in Outpost.objects.filter(type=OutpostType.PROXY): for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)} group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
async_to_sync(layer.group_send)( async_to_sync(layer.group_send)(
@ -30,6 +33,6 @@ def proxy_on_logout(session_id: str):
{ {
"type": "event.provider.specific", "type": "event.provider.specific",
"sub_type": "logout", "sub_type": "logout",
"session_id": session_id, "session_id": hashed_session_id,
}, },
) )

View file

@ -15,7 +15,7 @@ entries:
# This mapping is used by the authentik proxy. It passes extra user attributes, # This mapping is used by the authentik proxy. It passes extra user attributes,
# which are used for example for the HTTP-Basic Authentication mapping. # which are used for example for the HTTP-Basic Authentication mapping.
return { return {
"sid": request.http_request.session.session_key, "sid": token.session_id,
"ak_proxy": { "ak_proxy": {
"user_attributes": request.user.group_attributes(request), "user_attributes": request.user.group_attributes(request),
"is_superuser": request.user.is_superuser, "is_superuser": request.user.is_superuser,

View file

@ -36,6 +36,7 @@ func (ps *ProxyServer) handleWSMessage(ctx context.Context, args map[string]inte
switch msg.SubType { switch msg.SubType {
case WSProviderSubTypeLogout: case WSProviderSubTypeLogout:
for _, p := range ps.apps { for _, p := range ps.apps {
ps.log.WithField("provider", p.Host).Debug("Logging out")
err := p.Logout(ctx, func(c application.Claims) bool { err := p.Logout(ctx, func(c application.Claims) bool {
return c.Sid == msg.SessionID return c.Sid == msg.SessionID
}) })