From d2dd7d13669cb9fe5e39ea02893bf24f378373a6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 17 Apr 2021 19:06:12 +0200
Subject: [PATCH] sources/oauth: fix redirect loop for source with non-configurable URLs

Signed-off-by: Jens Langhammer
---
 authentik/sources/oauth/clients/base.py | 12 +++++++++++-
 authentik/sources/oauth/clients/oauth1.py | 10 ++++++++--
 authentik/sources/oauth/clients/oauth2.py | 5 ++++-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/authentik/sources/oauth/clients/base.py b/authentik/sources/oauth/clients/base.py
index 4b81eb50b..0f4be42b1 100644
--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@@ -9,6 +9,7 @@ from requests.models import Response
 from structlog.stdlib import get_logger
 
 from authentik import __version__
+from authentik.events.models import Event, EventAction
 from authentik.sources.oauth.models import OAuthSource
 
 LOGGER = get_logger()
@@ -59,7 +60,16 @@ class BaseOAuthClient:
         args.update(additional)
         params = urlencode(args)
         LOGGER.info("redirect args", **args)
-        return f"{self.source.authorization_url}?{params}"
+        base_url = self.source.authorization_url
+        if not self.source.type.urls_customizable:
+            base_url = self.source.type.authorization_url
+        if base_url == "":
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                source=self.source,
+                message="Source has an empty authorization URL.",
+            ).save()
+        return f"{base_url}?{params}"
 
     def parse_raw_token(self, raw_token: str) -> dict[str, Any]:
         "Parse token and secret from raw token response."
diff --git a/authentik/sources/oauth/clients/oauth1.py b/authentik/sources/oauth/clients/oauth1.py
index 191dc9b65..1c8fec181 100644
--- a/authentik/sources/oauth/clients/oauth1.py
+++ b/authentik/sources/oauth/clients/oauth1.py
@@ -28,9 +28,12 @@ class OAuthClient(BaseOAuthClient):
         if raw_token is not None and verifier is not None:
             token = self.parse_raw_token(raw_token)
             try:
+                access_token_url: str = self.source.access_token_url
+                if not self.source.type.urls_customizable:
+                    access_token_url = self.source.type.access_token_url or ""
                 response = self.do_request(
                     "post",
-                    self.source.access_token_url,
+                    access_token_url,
                     token=token,
                     headers=self._default_headers,
                     oauth_verifier=verifier,
@@ -48,9 +51,12 @@ class OAuthClient(BaseOAuthClient):
         "Fetch the OAuth request token. Only required for OAuth 1.0."
         callback = self.request.build_absolute_uri(self.callback)
         try:
+            request_token_url: str = self.source.request_token_url
+            if not self.source.type.urls_customizable:
+                request_token_url = self.source.type.request_token_url or ""
             response = self.do_request(
                 "post",
-                self.source.request_token_url,
+                request_token_url,
                 headers=self._default_headers,
                 oauth_callback=callback,
             )
diff --git a/authentik/sources/oauth/clients/oauth2.py b/authentik/sources/oauth/clients/oauth2.py
index 968f919cc..92dd34039 100644
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@@ -56,9 +56,12 @@ class OAuth2Client(BaseOAuthClient):
             LOGGER.warning("No code returned by the source")
             return None
         try:
+            access_token_url = self.source.access_token_url
+            if not self.source.type.urls_customizable:
+                access_token_url = self.source.type.access_token_url or ""
             response = self.session.request(
                 "post",
-                self.source.access_token_url,
+                access_token_url,
                 data=args,
                 headers=self._default_headers,
             )
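Review bot: In the second base.py hunk, `base_url = self.source.type.authorization_url` has no `or ""` fallback, unlike the parallel assignments in oauth1.py and oauth2.py, so a provider type whose class attribute is None bypasses the `base_url == ""` check and the method returns the literal `None?...` without recording any event. Normalising first, `base_url = self.source.type.authorization_url or ""` followed by `if not base_url:`, covers both the empty and the unset case. Even after the CONFIGURATION_ERROR event is saved the method still returns `f"?{params}"`, a relative URL that the browser resolves against the current page, which looks like the loop the commit title describes; whether a caller checks for that condition is not visible from here, since the enclosing method starts outside the hunk, and raising or returning an explicit failure at that point would make the misconfiguration stop the flow rather than only log it.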
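Review bot: In the first oauth1.py hunk (and equally in the second oauth1.py hunk and the oauth2.py hunk), a provider type with no URL resolves `access_token_url` to `""` and the code proceeds to `self.do_request("post", "", ...)`, whereas base.py records a CONFIGURATION_ERROR event for the same condition; the `except` that would catch the resulting request failure lies outside the hunk, so it cannot be confirmed from here that the operator sees anything more specific than a generic request error. Checking `if not access_token_url:` and emitting the same Event before the request would keep the behaviour consistent across the clients. The three-line `urls_customizable` resolution is now copied four times with small divergences (the `: str` annotation only in oauth1.py, the `or ""` only in oauth1.py and oauth2.py); a single helper on BaseOAuthClient, e.g. `def _resolve_url(self, name: str) -> str:` returning `getattr(self.source, name) if self.source.type.urls_customizable else (getattr(self.source.type, name) or "")`, would keep that logic and the empty-URL check in one place. Both oauth1.py methods and the oauth2.py method begin outside their hunks.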