providers/oauth2: give keypairs private key preference over certificate in client_credentials jwt flow

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-04-10 16:26:01 +02:00
parent 7a44d5768a
commit f8f8a9bbb9
1 changed files with 7 additions and 2 deletions

View File

@ -19,6 +19,7 @@ from authentik.core.models import (
TokenIntents, TokenIntents,
User, User,
) )
from authentik.crypto.models import CertificateKeyPair
from authentik.events.models import Event, EventAction from authentik.events.models import Event, EventAction
from authentik.lib.utils.time import timedelta_from_string from authentik.lib.utils.time import timedelta_from_string
from authentik.policies.engine import PolicyEngine from authentik.policies.engine import PolicyEngine
@ -261,16 +262,20 @@ class TokenParams:
token = None token = None
for cert in self.provider.verification_keys.all(): for cert in self.provider.verification_keys.all():
LOGGER.debug("verifying jwt with key", key=cert.name) LOGGER.debug("verifying jwt with key", key=cert.name)
cert: CertificateKeyPair
public_key = cert.certificate.public_key()
if cert.private_key:
public_key = cert.private_key.public_key()
try: try:
token = decode( token = decode(
assertion, assertion,
cert.certificate.public_key(), public_key,
algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.EC256], algorithms=[JWTAlgorithms.RS256, JWTAlgorithms.EC256],
options={ options={
"verify_aud": False, "verify_aud": False,
}, },
) )
except (InvalidTokenError, ValueError) as last_exc: except (InvalidTokenError, ValueError, TypeError) as last_exc:
LOGGER.warning("failed to validate jwt", last_exc=last_exc) LOGGER.warning("failed to validate jwt", last_exc=last_exc)
if not token: if not token:
raise TokenError("invalid_grant") raise TokenError("invalid_grant")