From a728dad1661d182b17fd8e3f7d2e3fbb2b0fa698 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Sat, 22 Jul 2023 01:36:55 +0200
Subject: [PATCH] providers/oauth2: fix grant_type password raising an exception (#6333)
---
.../core/migrations/0031_alter_user_type.py | 1 +
.../providers/oauth2/tests/test_token_cc.py | 26 +++++++++++++++++++
authentik/providers/oauth2/views/token.py | 6 ++---
3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/authentik/core/migrations/0031_alter_user_type.py b/authentik/core/migrations/0031_alter_user_type.py
index 9140a4e39..b0f83b41c 100644
--- a/authentik/core/migrations/0031_alter_user_type.py
+++ b/authentik/core/migrations/0031_alter_user_type.py
@@ -17,6 +17,7 @@ def migrate_user_type_v2(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 user.type = UserTypes.INTERNAL user.save() + class Migration(migrations.Migration): dependencies = [ ("authentik_core", "0030_user_type"),
diff --git a/authentik/providers/oauth2/tests/test_token_cc.py b/authentik/providers/oauth2/tests/test_token_cc.py
index 7dc086ba0..8becccb95 100644
--- a/authentik/providers/oauth2/tests/test_token_cc.py
+++ b/authentik/providers/oauth2/tests/test_token_cc.py
@@ -11,6 +11,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_cert,
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.constants import (
 GRANT_TYPE_CLIENT_CREDENTIALS,
+ GRANT_TYPE_PASSWORD,
 SCOPE_OPENID,
 SCOPE_OPENID_EMAIL,
 SCOPE_OPENID_PROFILE,
@@ -150,3 +151,28 @@ class TestTokenClientCredentials(OAuthTestCase):
 )
 self.assertEqual(jwt["given_name"], self.user.name)
 self.assertEqual(jwt["preferred_username"], self.user.username)
+
+ def test_successful_password(self):
+ """test successful (password grant)"""
+ response = self.client.post(
+ reverse("authentik_providers_oauth2:token"),
+ {
+ "grant_type": GRANT_TYPE_PASSWORD,
+ "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
+ "client_id": self.provider.client_id,
+ "username": "sa",
+ "password": self.token.key,
+ },
+ )
+ self.assertEqual(response.status_code, 200)
+ body = loads(response.content.decode())
+ self.assertEqual(body["token_type"], TOKEN_TYPE)
+ _, alg = self.provider.jwt_key
+ jwt = decode(
+ body["access_token"],
+ key=self.provider.signing_key.public_key,
+ algorithms=[alg],
+ audience=self.provider.client_id,
+ )
+ self.assertEqual(jwt["given_name"], self.user.name)
+ self.assertEqual(jwt["preferred_username"], self.user.username)
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 0e4a50238..dc08eb526 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
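Review bot: test_successful_password is a line-for-line copy of the client-credentials test directly above it with only `grant_type` changed, so the two will drift apart the first time one of them is edited; a small helper taking the grant type, e.g. `def _assert_grant_succeeds(self, grant_type):` holding the shared post/decode/assert body, or one test looping over `(GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD)`, would cover both paths from a single body. The hard-coded `"username": "sa"` presumably matches the service account created in the fixture (not visible in this hunk); referencing that fixture's username instead of the literal would avoid a silent mismatch if the fixture ever changes. The patch also adds no negative case, although that is what it fixes: a request with an unknown grant_type should now yield a 400 whose body has `error == "unsupported_grant_type"`, and a password-grant request carrying a wrong token should be rejected rather than issue a JWT — both are cheap to assert here and would pin the token.py change. The enclosing TestTokenClientCredentials class begins outside the hunk.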
@@ -459,13 +459,13 @@ class TokenView(View):
 if self.params.grant_type == GRANT_TYPE_REFRESH_TOKEN:
 LOGGER.debug("Refreshing refresh token")
 return TokenResponse(self.create_refresh_response())
- if self.params.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
- LOGGER.debug("Client credentials grant")
+ if self.params.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
+ LOGGER.debug("Client credentials/password grant")
 return TokenResponse(self.create_client_credentials_response())
 if self.params.grant_type == GRANT_TYPE_DEVICE_CODE:
 LOGGER.debug("Device code grant")
 return TokenResponse(self.create_device_code_response())
- raise ValueError(f"Invalid grant_type: {self.params.grant_type}")
+ raise TokenError("unsupported_grant_type")
 except (TokenError, DeviceCodeError) as error:
 return TokenResponse(error.create_dict(), status=400)
 except UserAuthError as error:
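Review bot: The new `in [...]` branch sends GRANT_TYPE_PASSWORD into create_client_credentials_response() with nothing telling the reader that this is not a user-password login; the accompanying test passes a service-account token (`self.token.key`) as `password`, so a comment above the check such as `# password grant is handled like client_credentials: "password" is expected to carry a service-account token, not an account password` would stop the next maintainer from "fixing" it into a real password check (this reading is inferred from the test — confirm against create_client_credentials_response, which is outside the hunk). As a point of style the membership test should be a tuple rather than a list literal, `if self.params.grant_type in (GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD):`. Replacing the ValueError with `TokenError("unsupported_grant_type")` correctly turns an unhandled exception into a 400 carrying the RFC 6749 error code and stops echoing the client-supplied grant_type into an exception message, but the patch adds no test that exercises this fallback. The enclosing `post` method and its `try` block start before the hunk and continue after it.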