providers/oauth2: audit_ignore last_login change for generated service account (cherry-pick #11085) (#11086)

providers/oauth2: audit_ignore last_login change for generated service account (#11085)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid

authentik/providers/oauth2/views/token.py

@@ -433,6 +433,7 @@ class TokenParams:
         app = Application.objects.filter(provider=self.provider).first()
         if not app or not app.provider:
             raise TokenError("invalid_grant")
+        with audit_ignore():
             self.user, _ = User.objects.update_or_create(
                 # trim username to ensure the entire username is max 150 chars
                 # (22 chars being the length of the "template")

website/docs/providers/oauth2/client_credentials.md

@@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
 grant_type=client_credentials&
 client_id=application_client_id&
 username=my-service-account&
-password=my-token
+password=my-token&
+scope=profile
 ```
 
 This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.