providers/oauth2: fix inconsistent sub value when setting via mapping (#8677)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2024-02-25 18:25:02 +01:00
committed by GitHub
parent 58f9d86d0b
commit 646276b37c
2 changed files with 12 additions and 5 deletions


@ -344,7 +344,12 @@ class TestAuthorize(OAuthTestCase):
] ]
) )
) )
Application.objects.create(name="app", slug="app", provider=provider) provider.property_mappings.add(
ScopeMapping.objects.create(
name=generate_id(), scope_name="test", expression="""return {"sub": "foo"}"""
)
)
Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
state = generate_id() state = generate_id()
user = create_test_admin_user() user = create_test_admin_user()
self.client.force_login(user) self.client.force_login(user)
@ -365,7 +370,7 @@ class TestAuthorize(OAuthTestCase):
"response_type": "id_token", "response_type": "id_token",
"client_id": "test", "client_id": "test",
"state": state, "state": state,
"scope": "openid", "scope": "openid test",
"redirect_uri": "http://localhost", "redirect_uri": "http://localhost",
"nonce": generate_id(), "nonce": generate_id(),
}, },
@ -390,6 +395,7 @@ class TestAuthorize(OAuthTestCase):
) )
jwt = self.validate_jwt(token, provider) jwt = self.validate_jwt(token, provider)
self.assertEqual(jwt["amr"], ["pwd"]) self.assertEqual(jwt["amr"], ["pwd"])
self.assertEqual(jwt["sub"], "foo")
self.assertAlmostEqual( self.assertAlmostEqual(
jwt["exp"] - now().timestamp(), jwt["exp"] - now().timestamp(),
expires, expires,
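Review bot: The new assertion `self.assertEqual(jwt["sub"], "foo")` in the last hunk only pins the id_token path, while the second file in this commit changes how the UserInfo endpoint builds `sub`; nothing in this test checks that the two agree, which is the inconsistency the commit title addresses. A follow-up request to the userinfo endpoint with the issued token, asserting the same `"foo"` value for `sub`, would cover both sides. It is also worth confirming that an existing test still asserts the default `sub` when no mapping sets one, since the mapping now takes precedence. The enclosing test method starts before the first hunk.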


@ -101,8 +101,8 @@ class UserInfoView(View):
value=value, value=value,
) )
continue continue
LOGGER.debug("updated scope", scope=scope)
always_merger.merge(final_claims, value) always_merger.merge(final_claims, value)
LOGGER.debug("updated scope", scope=scope)
return final_claims return final_claims
def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse: def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
@ -121,8 +121,9 @@ class UserInfoView(View):
"""Handle GET Requests for UserInfo""" """Handle GET Requests for UserInfo"""
if not self.token: if not self.token:
return HttpResponseBadRequest() return HttpResponseBadRequest()
claims = self.get_claims(self.token.provider, self.token) claims = {}
claims["sub"] = self.token.id_token.sub claims.setdefault("sub", self.token.id_token.sub)
claims.update(self.get_claims(self.token.provider, self.token))
if self.token.id_token.nonce: if self.token.id_token.nonce:
claims["nonce"] = self.token.id_token.nonce claims["nonce"] = self.token.id_token.nonce
response = TokenResponse(claims) response = TokenResponse(claims)
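Review bot: `claims.setdefault("sub", self.token.id_token.sub)` in the second hunk is applied to a dict created empty on the line before, so it reads as if it preserved an existing value when it is a plain assignment that the following `claims.update(...)` may overwrite; writing it as `claims = {"sub": self.token.id_token.sub}` followed by the update makes the intended precedence explicit. Because a scope mapping can now replace `sub` in the UserInfo response, a short comment such as `# a mapping-provided "sub" overrides the default and must match the id_token's sub (OIDC Core 5.3.2)` would record the invariant this change relies on, assuming the id_token path applies the same mappings, which this hunk does not show. The `get` method appears to continue past the end of the hunk.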