diff --git a/authentik/api/authentication.py b/authentik/api/authentication.py index ab4b67d731..a3f86630f2 100644 --- a/authentik/api/authentication.py +++ b/authentik/api/authentication.py @@ -10,10 +10,10 @@ from rest_framework.exceptions import AuthenticationFailed from rest_framework.request import Request from structlog.stdlib import get_logger +from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API from authentik.core.middleware import CTX_AUTH_VIA from authentik.core.models import Token, TokenIntents, User from authentik.outposts.models import Outpost -from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API LOGGER = get_logger() diff --git a/authentik/api/tests/test_auth.py b/authentik/api/tests/test_auth.py index f449b88b60..c5a7dc5de7 100644 --- a/authentik/api/tests/test_auth.py +++ b/authentik/api/tests/test_auth.py @@ -10,12 +10,12 @@ from rest_framework.exceptions import AuthenticationFailed from authentik.api.authentication import bearer_auth from authentik.blueprints.tests import reconcile_app +from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API from authentik.core.models import Token, TokenIntents, User, UserTypes from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.lib.generators import generate_id from authentik.outposts.apps import MANAGED_OUTPOST from authentik.outposts.models import Outpost -from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API from authentik.providers.oauth2.models import AccessToken, OAuth2Provider diff --git a/authentik/common/oauth/__init__.py b/authentik/common/oauth/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/authentik/providers/oauth2/constants.py b/authentik/common/oauth/constants.py similarity index 100% rename from authentik/providers/oauth2/constants.py rename to authentik/common/oauth/constants.py 
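Review bot: The move of `constants.py` (and, below, `errors.py`) to `authentik.common.oauth` leaves nothing at the old `authentik.providers.oauth2.constants` / `.errors` paths, so any out-of-tree consumer that still imports them — custom integrations, blueprints or expression code that reach into these modules, if any exist — will fail with ImportError at load time rather than at an OAuth call. A deprecation shim at the old location keeps this a pure refactor, e.g. `from authentik.common.oauth.constants import *  # noqa: F401, F403  # deprecated path, remove in a later release`, and the same for `errors.py`. Whether any external consumer depends on the old path is not visible from this diff, so treat this as a compatibility question for the maintainers rather than a confirmed break.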
diff --git a/authentik/providers/oauth2/errors.py b/authentik/common/oauth/errors.py similarity index 100% rename from authentik/providers/oauth2/errors.py rename to authentik/common/oauth/errors.py diff --git a/authentik/providers/oauth2/id_token.py b/authentik/providers/oauth2/id_token.py index 79ed0517b5..c9494a476a 100644 --- a/authentik/providers/oauth2/id_token.py +++ b/authentik/providers/oauth2/id_token.py @@ -9,15 +9,15 @@ from django.http import HttpRequest from django.utils import timezone from django.utils.translation import gettext_lazy as _ -from authentik.core.models import default_token_duration -from authentik.events.signals import get_login_event -from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( ACR_AUTHENTIK_DEFAULT, AMR_MFA, AMR_PASSWORD, AMR_WEBAUTHN, ) +from authentik.core.models import default_token_duration +from authentik.events.signals import get_login_event +from authentik.lib.generators import generate_id from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS if TYPE_CHECKING: diff --git a/authentik/providers/oauth2/tests/test_authorize.py b/authentik/providers/oauth2/tests/test_authorize.py index 4447fc5f67..a17a6ed5e1 100644 --- a/authentik/providers/oauth2/tests/test_authorize.py +++ b/authentik/providers/oauth2/tests/test_authorize.py 
@@ -7,13 +7,13 @@ from django.urls import reverse from django.utils.timezone import now from authentik.blueprints.tests import apply_blueprint +from authentik.common.oauth.constants import TOKEN_TYPE +from authentik.common.oauth.errors import AuthorizeError, ClientIdError, RedirectUriError from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.events.models import Event, EventAction from authentik.lib.generators import generate_id from authentik.lib.utils.time import timedelta_from_string -from authentik.providers.oauth2.constants import TOKEN_TYPE -from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError from authentik.providers.oauth2.models import ( AccessToken, AuthorizationCode, diff --git a/authentik/providers/oauth2/tests/test_introspect.py b/authentik/providers/oauth2/tests/test_introspect.py index f3f2a03243..d7422ac58b 100644 --- a/authentik/providers/oauth2/tests/test_introspect.py +++ b/authentik/providers/oauth2/tests/test_introspect.py @@ -7,10 +7,10 @@ from dataclasses import asdict from django.urls import reverse from django.utils import timezone +from authentik.common.oauth.constants import ACR_AUTHENTIK_DEFAULT from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT from authentik.providers.oauth2.models import ( AccessToken, IDToken, diff --git a/authentik/providers/oauth2/tests/test_token.py b/authentik/providers/oauth2/tests/test_token.py index 2ddcc76e4d..5b28cc4327 100644 --- a/authentik/providers/oauth2/tests/test_token.py +++ b/authentik/providers/oauth2/tests/test_token.py 
@@ -8,16 +8,16 @@ from django.urls import reverse from django.utils import timezone from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application -from authentik.core.tests.utils import create_test_admin_user, create_test_flow -from authentik.events.models import Event, EventAction -from authentik.lib.generators import generate_id, generate_key -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN, TOKEN_TYPE, ) -from authentik.providers.oauth2.errors import TokenError +from authentik.common.oauth.errors import TokenError +from authentik.core.models import Application +from authentik.core.tests.utils import create_test_admin_user, create_test_flow +from authentik.events.models import Event, EventAction +from authentik.lib.generators import generate_id, generate_key from authentik.providers.oauth2.models import ( AccessToken, AuthorizationCode, diff --git a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py index abe1b5c757..9f37e0a419 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py +++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py 
@@ -9,17 +9,17 @@ from django.utils.timezone import now from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group -from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user -from authentik.lib.generators import generate_id -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group +from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user +from authentik.lib.generators import generate_id +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( AccessToken, OAuth2Provider, diff --git a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py index 5de0bd7ebc..f43b5de12c 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py +++ b/authentik/providers/oauth2/tests/test_token_cc_jwt_source.py 
@@ -8,17 +8,17 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group -from authentik.core.tests.utils import create_test_cert, create_test_flow -from authentik.lib.generators import generate_id -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) +from authentik.core.models import Application, Group +from authentik.core.tests.utils import create_test_cert, create_test_flow +from authentik.lib.generators import generate_id +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( OAuth2Provider, RedirectURI, diff --git a/authentik/providers/oauth2/tests/test_token_cc_standard.py b/authentik/providers/oauth2/tests/test_token_cc_standard.py index f917c96617..99e516f964 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_standard.py +++ b/authentik/providers/oauth2/tests/test_token_cc_standard.py @@ -7,10 +7,7 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD, SCOPE_OPENID, 
@@ -18,7 +15,10 @@ from authentik.providers.oauth2.constants import ( SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) -from authentik.providers.oauth2.errors import TokenError +from authentik.common.oauth.errors import TokenError +from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( AccessToken, OAuth2Provider, diff --git a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py index 8e4b1bbfe2..b68ca3c96a 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py +++ b/authentik/providers/oauth2/tests/test_token_cc_standard_compat.py @@ -8,10 +8,7 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD, SCOPE_OPENID, @@ -19,7 +16,10 @@ from authentik.providers.oauth2.constants import ( SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) -from authentik.providers.oauth2.errors import TokenError +from authentik.common.oauth.errors import TokenError +from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( OAuth2Provider, RedirectURI, 
diff --git a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py index bf57eca32b..71c95b484c 100644 --- a/authentik/providers/oauth2/tests/test_token_cc_user_pw.py +++ b/authentik/providers/oauth2/tests/test_token_cc_user_pw.py @@ -7,10 +7,7 @@ from django.urls import reverse from jwt import decode from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD, SCOPE_OPENID, @@ -18,7 +15,10 @@ from authentik.providers.oauth2.constants import ( SCOPE_OPENID_PROFILE, TOKEN_TYPE, ) -from authentik.providers.oauth2.errors import TokenError +from authentik.common.oauth.errors import TokenError +from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.policies.models import PolicyBinding from authentik.providers.oauth2.models import ( OAuth2Provider, RedirectURI, diff --git a/authentik/providers/oauth2/tests/test_token_device.py b/authentik/providers/oauth2/tests/test_token_device.py index 212828897e..0a02ffdf7e 100644 --- a/authentik/providers/oauth2/tests/test_token_device.py +++ b/authentik/providers/oauth2/tests/test_token_device.py 
@@ -6,14 +6,14 @@ from django.test import RequestFactory from django.urls import reverse from authentik.blueprints.tests import apply_blueprint -from authentik.core.models import Application -from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow -from authentik.lib.generators import generate_code_fixed_length, generate_id -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( GRANT_TYPE_DEVICE_CODE, SCOPE_OPENID, SCOPE_OPENID_EMAIL, ) +from authentik.core.models import Application +from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow +from authentik.lib.generators import generate_code_fixed_length, generate_id from authentik.providers.oauth2.models import ( AccessToken, DeviceToken, diff --git a/authentik/providers/oauth2/tests/test_token_pkce.py b/authentik/providers/oauth2/tests/test_token_pkce.py index 2b7cef3df9..f052055e57 100644 --- a/authentik/providers/oauth2/tests/test_token_pkce.py +++ b/authentik/providers/oauth2/tests/test_token_pkce.py @@ -6,10 +6,10 @@ from hashlib import sha256 from django.test import RequestFactory from django.urls import reverse +from authentik.common.oauth.constants import GRANT_TYPE_AUTHORIZATION_CODE from authentik.core.models import Application from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.lib.generators import generate_id -from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE from authentik.providers.oauth2.models import ( AuthorizationCode, OAuth2Provider, diff --git a/authentik/providers/oauth2/utils.py b/authentik/providers/oauth2/utils.py index 23bcbee839..54aa3e0e8a 100644 --- a/authentik/providers/oauth2/utils.py +++ b/authentik/providers/oauth2/utils.py 
@@ -11,9 +11,9 @@ from django.http.response import HttpResponseRedirect from django.utils.cache import patch_vary_headers from structlog.stdlib import get_logger +from authentik.common.oauth.errors import BearerTokenError from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER from authentik.events.models import Event, EventAction -from authentik.providers.oauth2.errors import BearerTokenError from authentik.providers.oauth2.models import AccessToken, OAuth2Provider LOGGER = get_logger() diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py index c6c1aecda7..e61afcd4d9 100644 --- a/authentik/providers/oauth2/views/authorize.py +++ b/authentik/providers/oauth2/views/authorize.py @@ -15,6 +15,23 @@ from django.utils import timezone from django.utils.translation import gettext as _ from structlog.stdlib import get_logger +from authentik.common.oauth.constants import ( + PKCE_METHOD_PLAIN, + PKCE_METHOD_S256, + PROMPT_CONSENT, + PROMPT_LOGIN, + PROMPT_NONE, + SCOPE_GITHUB, + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + TOKEN_TYPE, +) +from authentik.common.oauth.errors import ( + AuthorizeError, + ClientIdError, + OAuth2Error, + RedirectUriError, +) from authentik.core.models import Application from authentik.events.models import Event, EventAction from authentik.events.signals import get_login_event 
@@ -31,23 +48,6 @@ from authentik.lib.utils.time import timedelta_from_string from authentik.lib.views import bad_request_message from authentik.policies.types import PolicyRequest from authentik.policies.views import PolicyAccessView, RequestValidationError -from authentik.providers.oauth2.constants import ( - PKCE_METHOD_PLAIN, - PKCE_METHOD_S256, - PROMPT_CONSENT, - PROMPT_LOGIN, - PROMPT_NONE, - SCOPE_GITHUB, - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - TOKEN_TYPE, -) -from authentik.providers.oauth2.errors import ( - AuthorizeError, - ClientIdError, - OAuth2Error, - RedirectUriError, -) from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.models import ( AccessToken, diff --git a/authentik/providers/oauth2/views/github.py b/authentik/providers/oauth2/views/github.py index 524899a34f..1b9cf483c4 100644 --- a/authentik/providers/oauth2/views/github.py +++ b/authentik/providers/oauth2/views/github.py @@ -6,7 +6,7 @@ from django.utils.text import slugify from django.views import View from django.views.decorators.csrf import csrf_exempt -from authentik.providers.oauth2.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL +from authentik.common.oauth.constants import SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER_EMAIL from authentik.providers.oauth2.models import RefreshToken from authentik.providers.oauth2.utils import protected_resource_view diff --git a/authentik/providers/oauth2/views/introspection.py b/authentik/providers/oauth2/views/introspection.py index 51b18f6e93..69f6e68c1d 100644 --- a/authentik/providers/oauth2/views/introspection.py +++ b/authentik/providers/oauth2/views/introspection.py 
@@ -8,7 +8,7 @@ from django.views import View from django.views.decorators.csrf import csrf_exempt from structlog.stdlib import get_logger -from authentik.providers.oauth2.errors import TokenIntrospectionError +from authentik.common.oauth.errors import TokenIntrospectionError from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py index eab3e62be0..8ace748902 100644 --- a/authentik/providers/oauth2/views/provider.py +++ b/authentik/providers/oauth2/views/provider.py @@ -8,9 +8,7 @@ from django.views import View from guardian.shortcuts import get_anonymous_user from structlog.stdlib import get_logger -from authentik.core.expression.exceptions import PropertyMappingExpressionException -from authentik.core.models import Application -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( ACR_AUTHENTIK_DEFAULT, GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_CLIENT_CREDENTIALS, @@ -22,6 +20,8 @@ from authentik.providers.oauth2.constants import ( PKCE_METHOD_S256, SCOPE_OPENID, ) +from authentik.core.expression.exceptions import PropertyMappingExpressionException +from authentik.core.models import Application from authentik.providers.oauth2.models import ( OAuth2Provider, ResponseMode, diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py index ba8d571d88..be4e1f13c7 100644 --- a/authentik/providers/oauth2/views/token.py +++ b/authentik/providers/oauth2/views/token.py 
@@ -20,6 +20,20 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode from sentry_sdk import start_span from structlog.stdlib import get_logger +from authentik.common.oauth.constants import ( + CLIENT_ASSERTION, + CLIENT_ASSERTION_TYPE, + CLIENT_ASSERTION_TYPE_JWT, + GRANT_TYPE_AUTHORIZATION_CODE, + GRANT_TYPE_CLIENT_CREDENTIALS, + GRANT_TYPE_DEVICE_CODE, + GRANT_TYPE_PASSWORD, + GRANT_TYPE_REFRESH_TOKEN, + PKCE_METHOD_S256, + SCOPE_OFFLINE_ACCESS, + TOKEN_TYPE, +) +from authentik.common.oauth.errors import DeviceCodeError, TokenError, UserAuthError from authentik.core.middleware import CTX_AUTH_VIA from authentik.core.models import ( USER_ATTRIBUTE_EXPIRES, @@ -37,20 +51,6 @@ from authentik.events.signals import get_login_event from authentik.flows.planner import PLAN_CONTEXT_APPLICATION from authentik.lib.utils.time import timedelta_from_string from authentik.policies.engine import PolicyEngine -from authentik.providers.oauth2.constants import ( - CLIENT_ASSERTION, - CLIENT_ASSERTION_TYPE, - CLIENT_ASSERTION_TYPE_JWT, - GRANT_TYPE_AUTHORIZATION_CODE, - GRANT_TYPE_CLIENT_CREDENTIALS, - GRANT_TYPE_DEVICE_CODE, - GRANT_TYPE_PASSWORD, - GRANT_TYPE_REFRESH_TOKEN, - PKCE_METHOD_S256, - SCOPE_OFFLINE_ACCESS, - TOKEN_TYPE, -) -from authentik.providers.oauth2.errors import DeviceCodeError, TokenError, UserAuthError from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.models import ( AccessToken, diff --git a/authentik/providers/oauth2/views/token_revoke.py b/authentik/providers/oauth2/views/token_revoke.py index e07a4ee178..3e7b28a040 100644 --- a/authentik/providers/oauth2/views/token_revoke.py +++ b/authentik/providers/oauth2/views/token_revoke.py 
@@ -8,7 +8,7 @@ from django.views import View from django.views.decorators.csrf import csrf_exempt from structlog.stdlib import get_logger -from authentik.providers.oauth2.errors import TokenRevocationError +from authentik.common.oauth.errors import TokenRevocationError from authentik.providers.oauth2.models import AccessToken, ClientTypes, OAuth2Provider, RefreshToken from authentik.providers.oauth2.utils import ( TokenResponse, diff --git a/authentik/providers/oauth2/views/userinfo.py b/authentik/providers/oauth2/views/userinfo.py index cf151cf6d6..2bc3d55691 100644 --- a/authentik/providers/oauth2/views/userinfo.py +++ b/authentik/providers/oauth2/views/userinfo.py @@ -11,16 +11,16 @@ from django.views import View from django.views.decorators.csrf import csrf_exempt from structlog.stdlib import get_logger -from authentik.core.expression.exceptions import PropertyMappingExpressionException -from authentik.events.models import Event, EventAction -from authentik.flows.challenge import PermissionDict -from authentik.providers.oauth2.constants import ( +from authentik.common.oauth.constants import ( SCOPE_GITHUB_ORG_READ, SCOPE_GITHUB_USER, SCOPE_GITHUB_USER_EMAIL, SCOPE_GITHUB_USER_READ, SCOPE_OPENID, ) +from authentik.core.expression.exceptions import PropertyMappingExpressionException +from authentik.events.models import Event, EventAction +from authentik.flows.challenge import PermissionDict from authentik.providers.oauth2.models import ( BaseGrantModel, OAuth2Provider, diff --git a/authentik/sources/oauth/types/gitlab.py b/authentik/sources/oauth/types/gitlab.py index dc3b0c4597..5fd6c6542e 100644 --- a/authentik/sources/oauth/types/gitlab.py +++ b/authentik/sources/oauth/types/gitlab.py 
@@ -7,6 +7,7 @@ and https://docs.gitlab.com/ee/integration/openid_connect_provider.html from typing import Any +from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource from authentik.sources.oauth.types.registry import SourceType, registry from authentik.sources.oauth.views.redirect import OAuthRedirect @@ -17,7 +18,7 @@ class GitLabOAuthRedirect(OAuthRedirect): def get_additional_parameters(self, source: OAuthSource): return { - "scope": ["read_user", "openid", "profile", "email"], + "scope": ["read_user", SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL], } diff --git a/authentik/sources/oauth/types/google.py b/authentik/sources/oauth/types/google.py index 243ceb403b..49317041cc 100644 --- a/authentik/sources/oauth/types/google.py +++ b/authentik/sources/oauth/types/google.py @@ -2,6 +2,7 @@ from typing import Any +from authentik.common.oauth.constants import SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE from authentik.sources.oauth.models import AuthorizationCodeAuthMethod from authentik.sources.oauth.types.registry import SourceType, registry from authentik.sources.oauth.views.redirect import OAuthRedirect @@ -12,7 +13,7 @@ class GoogleOAuthRedirect(OAuthRedirect): def get_additional_parameters(self, source): # pragma: no cover return { - "scope": ["email", "profile"], + "scope": [SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL], } diff --git a/authentik/sources/oauth/types/mailcow.py b/authentik/sources/oauth/types/mailcow.py index 7cbb36552f..888d321895 100644 --- a/authentik/sources/oauth/types/mailcow.py +++ b/authentik/sources/oauth/types/mailcow.py 
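Review bot: The Google redirect now sends `profile email` where it previously sent `email profile`; RFC 6749 §3.3 defines scope as an unordered, space-delimited set, so Google should treat both identically, but it is an unstated change to the outgoing authorize URL in what is otherwise a path-move commit. Keeping the original order, `"scope": [SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE],`, makes the hunk a pure constant substitution and keeps any existing test or log comparison of the redirect URL stable. Note that this request deliberately omits `openid` (unchanged from before), so the OIDC-named constants are being used for plain OAuth2 scope strings here; a one-line comment such as `# plain OAuth2 scopes; no "openid", so no ID token is requested` would stop a later reader from "correcting" it.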
@@ -5,6 +5,7 @@ from typing import Any from requests.exceptions import RequestException from structlog.stdlib import get_logger +from authentik.common.oauth.constants import SCOPE_OPENID_PROFILE from authentik.sources.oauth.clients.oauth2 import OAuth2Client from authentik.sources.oauth.models import AuthorizationCodeAuthMethod from authentik.sources.oauth.types.registry import SourceType, registry @@ -19,7 +20,7 @@ class MailcowOAuthRedirect(OAuthRedirect): def get_additional_parameters(self, source): # pragma: no cover return { - "scope": ["profile"], + "scope": [SCOPE_OPENID_PROFILE], } diff --git a/authentik/sources/oauth/types/oidc.py b/authentik/sources/oauth/types/oidc.py index ff3c732326..5b1985cebc 100644 --- a/authentik/sources/oauth/types/oidc.py +++ b/authentik/sources/oauth/types/oidc.py @@ -4,6 +4,7 @@ from typing import Any from requests.auth import AuthBase, HTTPBasicAuth +from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE from authentik.sources.oauth.clients.oauth2 import UserprofileHeaderAuthClient from authentik.sources.oauth.models import AuthorizationCodeAuthMethod, OAuthSource from authentik.sources.oauth.types.registry import SourceType, registry @@ -16,7 +17,7 @@ class OpenIDConnectOAuthRedirect(OAuthRedirect): def get_additional_parameters(self, source: OAuthSource): # pragma: no cover return { - "scope": ["openid", "email", "profile"], + "scope": [SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL], } diff --git a/authentik/sources/oauth/types/okta.py b/authentik/sources/oauth/types/okta.py index 4f59990b0e..a51fb17b9c 100644 --- a/authentik/sources/oauth/types/okta.py +++ b/authentik/sources/oauth/types/okta.py 
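Review bot: The generic OIDC redirect's scope order changes from `openid email profile` to `openid profile email`; the spec treats scope as an unordered set, so the request should be accepted by any conforming provider, but the change is not mentioned anywhere and alters the exact URL authentik emits, which strict or quirky upstream providers and existing URL-comparing tests may notice. Preserve the prior order, `"scope": [SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE],`, so the substitution is behaviourally identical. If the reorder is intentional (e.g. to match the provider-side convention), say so in the commit message.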
@@ -2,6 +2,7 @@ from typing import Any +from authentik.common.oauth.constants import SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE from authentik.sources.oauth.models import OAuthSource from authentik.sources.oauth.types.oidc import OpenIDConnectOAuth2Callback from authentik.sources.oauth.types.registry import SourceType, registry @@ -13,7 +14,7 @@ class OktaOAuthRedirect(OAuthRedirect): def get_additional_parameters(self, source: OAuthSource): # pragma: no cover return { - "scope": ["openid", "email", "profile"], + "scope": [SCOPE_OPENID, SCOPE_OPENID_PROFILE, SCOPE_OPENID_EMAIL], } diff --git a/tests/e2e/test_provider_oauth2_grafana.py b/tests/e2e/test_provider_oauth2_grafana.py index 101c42d48b..71822693bc 100644 --- a/tests/e2e/test_provider_oauth2_grafana.py +++ b/tests/e2e/test_provider_oauth2_grafana.py @@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow from authentik.lib.generators import generate_id, generate_key from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider, diff --git a/tests/e2e/test_provider_oidc.py b/tests/e2e/test_provider_oidc.py index e8cf11c5b3..c4dc73f0b9 100644 --- a/tests/e2e/test_provider_oidc.py +++ b/tests/e2e/test_provider_oidc.py 
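Review bot: Same reorder as in the OIDC source: the Okta redirect now sends `openid profile email` instead of `openid email profile`. Harmless per RFC 6749 §3.3, but it is an unstated change to the outgoing request in a path-move commit; keeping `"scope": [SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE],` makes the hunk a pure constant substitution. Since `OktaOAuthRedirect` only adds parameters and the callback is shared with the OIDC type, nothing else here appears affected.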
@@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow from authentik.lib.generators import generate_id, generate_key from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider, diff --git a/tests/e2e/test_provider_oidc_implicit.py b/tests/e2e/test_provider_oidc_implicit.py index 8c7cad0c69..d1adcee57f 100644 --- a/tests/e2e/test_provider_oidc_implicit.py +++ b/tests/e2e/test_provider_oidc_implicit.py @@ -7,18 +7,18 @@ from selenium.webdriver.common.by import By from selenium.webdriver.support import expected_conditions as ec from authentik.blueprints.tests import apply_blueprint, reconcile_app +from authentik.common.oauth.constants import ( + SCOPE_OFFLINE_ACCESS, + SCOPE_OPENID, + SCOPE_OPENID_EMAIL, + SCOPE_OPENID_PROFILE, +) from authentik.core.models import Application from authentik.core.tests.utils import create_test_cert from authentik.flows.models import Flow from authentik.lib.generators import generate_id, generate_key from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.models import PolicyBinding -from authentik.providers.oauth2.constants import ( - SCOPE_OFFLINE_ACCESS, - SCOPE_OPENID, - SCOPE_OPENID_EMAIL, - SCOPE_OPENID_PROFILE, -) from authentik.providers.oauth2.models import ( ClientTypes, OAuth2Provider,