From ec9085ff0654130e66807326233e96fdf2045f8d Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 7 Feb 2023 23:53:50 +0100
Subject: [PATCH] providers/oauth2: don't use policy cache for token requests

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/token.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index e171cf379..aa019510a 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -109,6 +109,9 @@ class TokenParams:
 ):
 user = self.user if self.user else get_anonymous_user()
 engine = PolicyEngine(app, user, request)
+ # Don't cache as for client_credentials flows the user will not be set
+ # so we'll get generic cache results
+ engine.use_cache = False
 engine.request.context["oauth_scopes"] = self.scope
 engine.request.context["oauth_grant_type"] = self.grant_type
 engine.request.context["oauth_code_verifier"] = self.code_verifier
@@ -322,16 +325,16 @@ class TokenParams:
 assertion, options={"verify_signature": False}
 )
 except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
- LOGGER.warning("failed to parse jwt for kid lookup", exc=exc)
+ LOGGER.warning("failed to parse JWT for kid lookup", exc=exc)
 raise TokenError("invalid_grant")
 expected_kid = decode_unvalidated["header"]["kid"]
 for source in self.provider.jwks_sources.filter(
 oidc_jwks__keys__contains=[{"kid": expected_kid}]
 ):
- LOGGER.debug("verifying jwt with source", source=source.slug)
+ LOGGER.debug("verifying JWT with source", source=source.slug)
 keys = source.oidc_jwks.get("keys", [])
 for key in keys:
- LOGGER.debug("verifying jwt with key", source=source.slug, key=key.get("kid"))
+ LOGGER.debug("verifying JWT with key", source=source.slug, key=key.get("kid"))
 try:
 parsed_key = PyJWK.from_dict(key)
 token = decode(
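Review bot: The new comment above `engine.use_cache = False` justifies disabling the policy cache only for client_credentials, but the cache is switched off for every grant type and the real reason is broader: the three `engine.request.context[...]` values assigned right after it (scopes, grant type, code verifier) vary per request, and a cached verdict that is keyed on the user and binding rather than on that context would be reused for a request with different scopes — I can't see PolicyEngine's cache key from here, so that part is inferred. Reusing a policy decision computed for one scope set or grant type on another is an authorization verdict made on the wrong input, so turning the cache off unconditionally is the right call and the comment should say so rather than narrowing it to the anonymous-user case. Suggest replacing the two comment lines with `# Never use the policy cache here: a cached verdict is keyed on the user (the anonymous user for client_credentials), not on the per-request oauth_* context set below, so a result for one scope set / grant type could be reused for another.` The enclosing method starts and ends outside this hunk.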
@@ -345,13 +348,13 @@ class TokenParams:
 # AttributeError is raised when the configured JWK is a private key
 # and not a public key
 except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
- LOGGER.warning("failed to verify jwt", exc=exc, source=source.slug)
+ LOGGER.warning("failed to verify JWT", exc=exc, source=source.slug)
 if not token:
 LOGGER.warning("No token could be verified")
 raise TokenError("invalid_grant")
- LOGGER.debug("successfully verified jwt with source", source=source.slug)
+ LOGGER.info("successfully verified JWT with source", source=source.slug)
 if "exp" in token:
 exp = datetime.fromtimestamp(token["exp"])