providers/oauth2: audit_ignore last_login change for generated service account (cherry-pick #11085) (#11086)

providers/oauth2: audit_ignore last_login change for generated service account (#11085) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
2024-08-27 14:32:17 +02:00
parent ec13a5d84d
commit 6070508058
3 changed files with 17 additions and 15 deletions
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
        """Actual enterprise check, cached"""
        from authentik.enterprise.license import LicenseKey

-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -433,20 +433,21 @@ class TokenParams:
        app = Application.objects.filter(provider=self.provider).first()
        if not app or not app.provider:
            raise TokenError("invalid_grant")
-        self.user, _ = User.objects.update_or_create(
-            # trim username to ensure the entire username is max 150 chars
-            # (22 chars being the length of the "template")
-            username=f"ak-{self.provider.name[:150-22]}-client_credentials",
-            defaults={
-                "attributes": {
-                    USER_ATTRIBUTE_GENERATED: True,
+        with audit_ignore():
+            self.user, _ = User.objects.update_or_create(
+                # trim username to ensure the entire username is max 150 chars
+                # (22 chars being the length of the "template")
+                username=f"ak-{self.provider.name[:150-22]}-client_credentials",
+                defaults={
+                    "attributes": {
+                        USER_ATTRIBUTE_GENERATED: True,
+                    },
+                    "last_login": timezone.now(),
+                    "name": f"Autogenerated user from application {app.name} (client credentials)",
+                    "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
+                    "type": UserTypes.SERVICE_ACCOUNT,
                },
-                "last_login": timezone.now(),
-                "name": f"Autogenerated user from application {app.name} (client credentials)",
-                "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
-                "type": UserTypes.SERVICE_ACCOUNT,
-            },
-        )
+            )
        self.__check_policy_access(app, request)

        Event.new(
--- a/website/docs/providers/oauth2/client_credentials.md
+++ b/website/docs/providers/oauth2/client_credentials.md
@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
 grant_type=client_credentials&
 client_id=application_client_id&
 username=my-service-account&
-password=my-token
+password=my-token&
+scope=profile
 ```

 This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.