providers/oauth2: don't force service accounts for client_credentials flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2022-04-12 10:23:23 +02:00
parent b4fb0190a3
commit e84b17d550


@ -13,7 +13,6 @@ from structlog.stdlib import get_logger
from authentik.core.models import ( from authentik.core.models import (
USER_ATTRIBUTE_EXPIRES, USER_ATTRIBUTE_EXPIRES,
USER_ATTRIBUTE_GENERATED, USER_ATTRIBUTE_GENERATED,
USER_ATTRIBUTE_SA,
Application, Application,
Token, Token,
TokenIntents, TokenIntents,
@ -229,10 +228,6 @@ class TokenParams:
if not token or token.user.uid != user.uid: if not token or token.user.uid != user.uid:
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
self.user = user self.user = user
if not self.user.attributes.get(USER_ATTRIBUTE_SA, False):
# Non-service accounts are not allowed
LOGGER.info("Non-service-account tried to use client credentials", user=self.user)
raise TokenError("invalid_grant")
Event.new( Event.new(
action=EventAction.LOGIN, action=EventAction.LOGIN,