authentik/sources/oauth/api/source.py

@@ -56,7 +56,6 @@ class OAuthSourceSerializer(SourceSerializer):
         """Get source's type configuration"""
         return SourceTypeSerializer(instance.source_type).data
 
-    # pylint: disable=too-many-locals
     def validate(self, attrs: dict) -> dict:
         session = get_http_session()
         source_type = registry.find_type(attrs["provider_type"])
@@ -74,17 +73,9 @@ class OAuthSourceSerializer(SourceSerializer):
             config = well_known_config.json()
             if "issuer" not in config:
                 raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
-            field_map = {
-                # authentik field to oidc field
-                "authorization_url": "authorization_endpoint",
-                "access_token_url": "token_endpoint",
-                "profile_url": "userinfo_endpoint",
-            }
-            for ak_key, oidc_key in field_map.items():
-                # Don't overwrite user-set values
-                if ak_key in attrs and attrs[ak_key]:
-                    continue
-                attrs[ak_key] = config.get(oidc_key, "")
+            attrs["authorization_url"] = config.get("authorization_endpoint", "")
+            attrs["access_token_url"] = config.get("token_endpoint", "")
+            attrs["profile_url"] = config.get("userinfo_endpoint", "")
             inferred_oidc_jwks_url = config.get("jwks_uri", "")
 
         # Prefer user-entered URL to inferred URL to default URL

authentik/sources/oauth/tests/test_type_azure_ad.py

@@ -44,7 +44,3 @@ class TestTypeAzureAD(TestCase):
         self.assertEqual(ak_context["username"], AAD_USER["userPrincipalName"])
         self.assertEqual(ak_context["email"], AAD_USER["mail"])
         self.assertEqual(ak_context["name"], AAD_USER["displayName"])
-
-    def test_user_id(self):
-        """Test azure AD user ID"""
-        self.assertEqual(AzureADOAuthCallback().get_user_id(AAD_USER), AAD_USER["id"])

authentik/sources/oauth/tests/test_views.py

@@ -69,6 +69,9 @@ class TestOAuthSource(TestCase):
                     "provider_type": "openidconnect",
                     "consumer_key": "foo",
                     "consumer_secret": "foo",
+                    "authorization_url": "http://foo",
+                    "access_token_url": "http://foo",
+                    "profile_url": "http://foo",
                     "oidc_well_known_url": url,
                     "oidc_jwks_url": "",
                 },

authentik/sources/oauth/types/azure_ad.py

@@ -25,11 +25,6 @@ class AzureADOAuthCallback(OpenIDConnectOAuth2Callback):
 
     client_class = UserprofileHeaderAuthClient
 
-    def get_user_id(self, info: dict[str, str]) -> str:
-        # Default try to get `id` for the Graph API endpoint
-        # fallback to OpenID logic in case the profile URL was changed
-        return info.get("id", super().get_user_id(info))
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],
@@ -55,7 +50,7 @@ class AzureADType(SourceType):
 
     authorization_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
     access_token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # nosec
-    profile_url = "https://graph.microsoft.com/v1.0/me"
+    profile_url = "https://login.microsoftonline.com/common/openid/userinfo"
     oidc_well_known_url = (
         "https://login.microsoftonline.com/common/.well-known/openid-configuration"
     )

web/src/common/styles/theme-dark.css

@@ -257,8 +257,7 @@ select[multiple] option:checked {
 .pf-c-login__main-header-desc {
     color: var(--ak-dark-foreground);
 }
-.pf-c-login__main-footer-links-item img,
-.pf-c-login__main-footer-links-item .fas {
+.pf-c-login__main-footer-links-item img {
     filter: invert(1);
 }
 .pf-c-login__main-footer-band {