Compare commits
1 commit
trustchain
...
sources/oa
Author | SHA1 | Date | |
---|---|---|---|
d9428dc104 |
17
authentik/core/migrations/0032_alter_group_name.py
Normal file
17
authentik/core/migrations/0032_alter_group_name.py
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Generated by Django 4.1.10 on 2023-07-30 14:48
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
("authentik_core", "0031_alter_user_type"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterField(
|
||||
model_name="group",
|
||||
name="name",
|
||||
field=models.TextField(verbose_name="name"),
|
||||
),
|
||||
]
|
|
@ -83,7 +83,7 @@ class Group(SerializerModel):
|
|||
|
||||
group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
|
||||
|
||||
name = models.CharField(_("name"), max_length=80)
|
||||
name = models.TextField(_("name"))
|
||||
is_superuser = models.BooleanField(
|
||||
default=False, help_text=_("Users added to this group will be superusers.")
|
||||
)
|
||||
|
|
|
@ -220,7 +220,7 @@ class SourceFlowManager:
|
|||
flow: Flow,
|
||||
connection: UserSourceConnection,
|
||||
stages: Optional[list[StageView]] = None,
|
||||
**kwargs,
|
||||
**flow_context,
|
||||
) -> HttpResponse:
|
||||
"""Prepare Authentication Plan, redirect user FlowExecutor"""
|
||||
# Ensure redirect is carried through when user was trying to
|
||||
|
@ -228,7 +228,7 @@ class SourceFlowManager:
|
|||
final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
|
||||
NEXT_ARG_NAME, "authentik_core:if-user"
|
||||
)
|
||||
kwargs.update(
|
||||
flow_context.update(
|
||||
{
|
||||
# Since we authenticate the user by their token, they have no backend set
|
||||
PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
|
||||
|
@ -238,7 +238,7 @@ class SourceFlowManager:
|
|||
PLAN_CONTEXT_SOURCES_CONNECTION: connection,
|
||||
}
|
||||
)
|
||||
kwargs.update(self.policy_context)
|
||||
flow_context.update(self.policy_context)
|
||||
if not flow:
|
||||
return bad_request_message(
|
||||
self.request,
|
||||
|
@ -246,7 +246,7 @@ class SourceFlowManager:
|
|||
)
|
||||
# We run the Flow planner here so we can pass the Pending user in the context
|
||||
planner = FlowPlanner(flow)
|
||||
plan = planner.plan(self.request, kwargs)
|
||||
plan = planner.plan(self.request, flow_context)
|
||||
for stage in self.get_stages_to_append(flow):
|
||||
plan.append_stage(stage)
|
||||
if stages:
|
||||
|
|
|
@ -105,6 +105,7 @@ class OAuthSourceSerializer(SourceSerializer):
|
|||
"consumer_secret",
|
||||
"callback_url",
|
||||
"additional_scopes",
|
||||
"groups_claim",
|
||||
"type",
|
||||
"oidc_well_known_url",
|
||||
"oidc_jwks_url",
|
||||
|
@ -137,6 +138,7 @@ class OAuthSourceFilter(FilterSet):
|
|||
"authorization_url",
|
||||
"access_token_url",
|
||||
"profile_url",
|
||||
"groups_claim",
|
||||
"consumer_key",
|
||||
"additional_scopes",
|
||||
]
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
# Generated by Django 4.1.10 on 2023-07-30 14:48
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
dependencies = [
|
||||
(
|
||||
"authentik_sources_oauth",
|
||||
"0007_oauthsource_oidc_jwks_oauthsource_oidc_jwks_url_and_more",
|
||||
),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name="oauthsource",
|
||||
name="groups_claim",
|
||||
field=models.TextField(
|
||||
default=None,
|
||||
help_text="Sync groups and group membership from the source. Only use this option with sources that you control, as otherwise unwanted users might get added to groups with superuser permissions.",
|
||||
null=True,
|
||||
),
|
||||
),
|
||||
]
|
|
@ -54,6 +54,16 @@ class OAuthSource(Source):
|
|||
oidc_jwks_url = models.TextField(default="", blank=True)
|
||||
oidc_jwks = models.JSONField(default=dict, blank=True)
|
||||
|
||||
groups_claim = models.TextField(
|
||||
default=None,
|
||||
null=True,
|
||||
help_text=_(
|
||||
"Sync groups and group membership from the source. Only use this option with "
|
||||
"sources that you control, as otherwise unwanted users might get added to "
|
||||
"groups with superuser permissions."
|
||||
),
|
||||
)
|
||||
|
||||
@property
|
||||
def type(self) -> type["SourceType"]:
|
||||
"""Return the provider instance for this source"""
|
||||
|
|
|
@ -14,6 +14,10 @@ OPENID_USER = {
|
|||
"department": "Engineering",
|
||||
"birthdate": "1975-12-31",
|
||||
"nickname": "foo",
|
||||
"groups": [
|
||||
"foo",
|
||||
"bar",
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
|
@ -28,6 +32,7 @@ class TestTypeOpenID(TestCase):
|
|||
authorization_url="",
|
||||
profile_url="http://localhost/userinfo",
|
||||
consumer_key="",
|
||||
groups_claim="groups",
|
||||
)
|
||||
self.factory = RequestFactory()
|
||||
|
||||
|
|
|
@ -35,6 +35,9 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
|
|||
"name": info.get("name"),
|
||||
}
|
||||
|
||||
def get_user_group_names(self, info: dict[str, Any]) -> list[str]:
|
||||
return info.get(self.source.groups_claim, [])
|
||||
|
||||
|
||||
@registry.register()
|
||||
class OpenIDConnectType(SourceType):
|
||||
|
|
|
@ -10,12 +10,17 @@ from django.utils.translation import gettext as _
|
|||
from django.views.generic import View
|
||||
from structlog.stdlib import get_logger
|
||||
|
||||
from authentik.core.models import Group, User
|
||||
from authentik.core.sources.flow_manager import SourceFlowManager
|
||||
from authentik.events.models import Event, EventAction
|
||||
from authentik.flows.models import Flow, Stage, in_memory_stage
|
||||
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
|
||||
from authentik.flows.stage import StageView
|
||||
from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
|
||||
from authentik.sources.oauth.views.base import OAuthClientMixin
|
||||
|
||||
LOGGER = get_logger()
|
||||
PLAN_CONTEXT_GROUPS = "goauthentik.io/sources/oauth/groups"
|
||||
|
||||
|
||||
class OAuthCallback(OAuthClientMixin, View):
|
||||
|
@ -59,13 +64,17 @@ class OAuthCallback(OAuthClientMixin, View):
|
|||
return self.handle_login_failure("Could not determine id.")
|
||||
# Get or create access record
|
||||
enroll_info = self.get_user_enroll_context(raw_info)
|
||||
group_info = self.get_user_group_names(raw_info)
|
||||
sfm = OAuthSourceFlowManager(
|
||||
source=self.source,
|
||||
request=self.request,
|
||||
identifier=identifier,
|
||||
enroll_info=enroll_info,
|
||||
)
|
||||
sfm.policy_context = {"oauth_userinfo": raw_info}
|
||||
sfm.policy_context = {
|
||||
"oauth_userinfo": raw_info,
|
||||
PLAN_CONTEXT_GROUPS: group_info,
|
||||
}
|
||||
return sfm.get_flow(
|
||||
access_token=self.token.get("access_token"),
|
||||
)
|
||||
|
@ -85,6 +94,10 @@ class OAuthCallback(OAuthClientMixin, View):
|
|||
"""Create a dict of User data"""
|
||||
raise NotImplementedError()
|
||||
|
||||
def get_user_group_names(self, info: dict[str, Any]) -> list[str]:
|
||||
"""Return a list of all groups the user is member of"""
|
||||
return []
|
||||
|
||||
def get_user_id(self, info: dict[str, Any]) -> Optional[str]:
|
||||
"""Return unique identifier from the profile info."""
|
||||
if "id" in info:
|
||||
|
@ -111,6 +124,13 @@ class OAuthSourceFlowManager(SourceFlowManager):
|
|||
|
||||
connection_type = UserOAuthSourceConnection
|
||||
|
||||
def get_stages_to_append(self, flow: Flow) -> list[Stage]:
|
||||
return super().get_stages_to_append(flow) + [
|
||||
# Always run this stage after the default `PostUserEnrollmentStage` stage
|
||||
# as it relies on the user object existing
|
||||
in_memory_stage(OAuthUserUpdateStage),
|
||||
]
|
||||
|
||||
def update_connection(
|
||||
self,
|
||||
connection: UserOAuthSourceConnection,
|
||||
|
@ -119,3 +139,24 @@ class OAuthSourceFlowManager(SourceFlowManager):
|
|||
"""Set the access_token on the connection"""
|
||||
connection.access_token = access_token
|
||||
return connection
|
||||
|
||||
|
||||
class OAuthUserUpdateStage(StageView):
|
||||
"""Dynamically injected stage which updates the user after enrollment/authentication."""
|
||||
|
||||
def handle_groups(self):
|
||||
"""Sync users' groups from oauth data"""
|
||||
user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
|
||||
group_names: list[str] = self.executor.plan.context[PLAN_CONTEXT_GROUPS]
|
||||
for group_name in group_names:
|
||||
Group.objects.update_or_create(name=group_name, defaults={})
|
||||
user.ak_groups.set(Group.objects.filter(name__in=[group_names]))
|
||||
|
||||
def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
|
||||
"""Stage used after the user has been enrolled"""
|
||||
self.handle_groups()
|
||||
return self.executor.stage_ok()
|
||||
|
||||
def post(self, request: HttpRequest) -> HttpResponse:
|
||||
"""Wrapper for post requests"""
|
||||
return self.get(request)
|
||||
|
|
|
@ -5117,6 +5117,15 @@
|
|||
"type": "string",
|
||||
"title": "Additional Scopes"
|
||||
},
|
||||
"groups_claim": {
|
||||
"type": [
|
||||
"string",
|
||||
"null"
|
||||
],
|
||||
"minLength": 1,
|
||||
"title": "Groups claim",
|
||||
"description": "Sync groups and group membership from the source. Only use this option with sources that you control, as otherwise unwanted users might get added to groups with superuser permissions."
|
||||
},
|
||||
"oidc_well_known_url": {
|
||||
"type": "string",
|
||||
"title": "Oidc well known url"
|
||||
|
@ -8305,7 +8314,6 @@
|
|||
"properties": {
|
||||
"name": {
|
||||
"type": "string",
|
||||
"maxLength": 80,
|
||||
"minLength": 1,
|
||||
"title": "Name"
|
||||
},
|
||||
|
|
29
schema.yml
29
schema.yml
|
@ -17943,6 +17943,10 @@ paths:
|
|||
schema:
|
||||
type: string
|
||||
format: uuid
|
||||
- in: query
|
||||
name: groups_claim
|
||||
schema:
|
||||
type: string
|
||||
- in: query
|
||||
name: has_jwks
|
||||
schema:
|
||||
|
@ -30470,7 +30474,6 @@ components:
|
|||
readOnly: true
|
||||
name:
|
||||
type: string
|
||||
maxLength: 80
|
||||
is_superuser:
|
||||
type: boolean
|
||||
description: Users added to this group will be superusers.
|
||||
|
@ -30583,7 +30586,6 @@ components:
|
|||
name:
|
||||
type: string
|
||||
minLength: 1
|
||||
maxLength: 80
|
||||
is_superuser:
|
||||
type: boolean
|
||||
description: Users added to this group will be superusers.
|
||||
|
@ -32649,6 +32651,12 @@ components:
|
|||
readOnly: true
|
||||
additional_scopes:
|
||||
type: string
|
||||
groups_claim:
|
||||
type: string
|
||||
nullable: true
|
||||
description: Sync groups and group membership from the source. Only use
|
||||
this option with sources that you control, as otherwise unwanted users
|
||||
might get added to groups with superuser permissions.
|
||||
type:
|
||||
allOf:
|
||||
- $ref: '#/components/schemas/SourceType'
|
||||
|
@ -32752,6 +32760,13 @@ components:
|
|||
minLength: 1
|
||||
additional_scopes:
|
||||
type: string
|
||||
groups_claim:
|
||||
type: string
|
||||
nullable: true
|
||||
minLength: 1
|
||||
description: Sync groups and group membership from the source. Only use
|
||||
this option with sources that you control, as otherwise unwanted users
|
||||
might get added to groups with superuser permissions.
|
||||
oidc_well_known_url:
|
||||
type: string
|
||||
oidc_jwks_url:
|
||||
|
@ -36979,7 +36994,6 @@ components:
|
|||
name:
|
||||
type: string
|
||||
minLength: 1
|
||||
maxLength: 80
|
||||
is_superuser:
|
||||
type: boolean
|
||||
description: Users added to this group will be superusers.
|
||||
|
@ -37560,6 +37574,13 @@ components:
|
|||
minLength: 1
|
||||
additional_scopes:
|
||||
type: string
|
||||
groups_claim:
|
||||
type: string
|
||||
nullable: true
|
||||
minLength: 1
|
||||
description: Sync groups and group membership from the source. Only use
|
||||
this option with sources that you control, as otherwise unwanted users
|
||||
might get added to groups with superuser permissions.
|
||||
oidc_well_known_url:
|
||||
type: string
|
||||
oidc_jwks_url:
|
||||
|
@ -42029,7 +42050,6 @@ components:
|
|||
readOnly: true
|
||||
name:
|
||||
type: string
|
||||
maxLength: 80
|
||||
is_superuser:
|
||||
type: boolean
|
||||
description: Users added to this group will be superusers.
|
||||
|
@ -42055,7 +42075,6 @@ components:
|
|||
name:
|
||||
type: string
|
||||
minLength: 1
|
||||
maxLength: 80
|
||||
is_superuser:
|
||||
type: boolean
|
||||
description: Users added to this group will be superusers.
|
||||
|
|
|
@ -70,6 +70,9 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
|
|||
|
||||
async send(data: OAuthSource): Promise<OAuthSource> {
|
||||
data.providerType = (this.providerType?.slug || "") as ProviderTypeEnum;
|
||||
if (data.groupsClaim === "") {
|
||||
data.groupsClaim = null;
|
||||
}
|
||||
let source: OAuthSource;
|
||||
if (this.instance) {
|
||||
source = await new SourcesApi(DEFAULT_CONFIG).sourcesOauthPartialUpdate({
|
||||
|
@ -185,6 +188,7 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
|
|||
: html``}
|
||||
${this.providerType.slug === ProviderTypeEnum.Openidconnect
|
||||
? html`
|
||||
|
||||
<ak-form-element-horizontal
|
||||
label=${msg("OIDC Well-known URL")}
|
||||
name="oidcWellKnownUrl"
|
||||
|
@ -216,6 +220,21 @@ export class OAuthSourceForm extends ModelForm<OAuthSource, string> {
|
|||
</p>
|
||||
</ak-form-element-horizontal>
|
||||
|
||||
<ak-form-element-horizontal
|
||||
label=${msg("OIDC Groups claim")}
|
||||
name="groupsClaim"
|
||||
>
|
||||
<input
|
||||
type="text"
|
||||
value="${first(this.instance?.groupsClaim, "")}"
|
||||
class="pf-c-form-control"
|
||||
/>
|
||||
<p class="pf-c-form__helper-text">
|
||||
${msg(
|
||||
"Sync groups and group membership from the source. Only use this option with sources that you control, as otherwise unwanted users might get added to groups with superuser permissions.",
|
||||
)}
|
||||
</p>
|
||||
</ak-form-element-horizontal>
|
||||
<ak-form-element-horizontal label=${msg("OIDC JWKS")} name="oidcJwks">
|
||||
<ak-codemirror
|
||||
mode="javascript"
|
||||
|
|
Reference in a new issue