From f8f8a9bbb9ab80ad687150cb0404d56c0241cde1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 10 Apr 2022 16:26:01 +0200
Subject: [PATCH] providers/oauth2: give keypairs private key preference over certificate in client_credentials jwt flow

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/token.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 2001ce01c..16d783237 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -19,6 +19,7 @@ from authentik.core.models import (
     TokenIntents,
     User,
 )
+from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
@@ -261,16 +262,20 @@ class TokenParams:
         token = None
         for cert in self.provider.verification_keys.all():
             LOGGER.debug("verifying jwt with key", key=cert.name)
+            cert: CertificateKeyPair
+            public_key = cert.certificate.public_key()
+            if cert.private_key:
+                public_key = cert.private_key.public_key()
             try:
                 token = decode(
                     assertion,
-                    cert.certificate.public_key(),
+                    public_key,
                     algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.EC256],
                     options={
                         "verify_aud": False,
                     },
                 )
-            except (InvalidTokenError, ValueError) as last_exc:
+            except (InvalidTokenError, ValueError, TypeError) as last_exc:
                 LOGGER.warning("failed to validate jwt", last_exc=last_exc)
         if not token:
             raise TokenError("invalid_grant")
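Review bot: In the new `if cert.private_key:` branch the private key is evaluated twice (once for the truthiness test, once for `.public_key()`) and the public key it yields replaces the certificate's without any check or comment that the two belong together, so a pair whose certificate and private key were uploaded separately is silently verified against the private key alone — presumably the intent, but it should be stated. I would bind it once and say why: `private_key = cert.private_key`, `if private_key:  # the stored key, not the certificate, is what the client signs with`, `public_key = private_key.public_key()`. The bare `cert: CertificateKeyPair` annotation placed after `cert.name` has already been used is a no-op at runtime; annotate before first use or drop it. Note also that audience checking stays disabled on the unchanged `"verify_aud": False` line, so unless the assertion's `aud` is validated elsewhere (not visible here) an assertion minted for a different token endpoint verifies under the same key. The enclosing method of TokenParams starts before this hunk.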