habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: fix CVE 2024 52289 (#12113)

Browse Source 
* initial migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix loading

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start dynamic ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* initial ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add serialize

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add error message handling

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix/add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prepare docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate to new input

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
2024-11-21 14:46:43 +01:00
committed by GitHub
parent 5ea4580884
commit 85bb638243
37 changed files with 687 additions and 198 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
authentik/core/tests/test_applications_api.py
View File

@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.lib.generators import generate_id
from authentik.policies.dummy.models import DummyPolicy
from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.models import OAuth2Provider
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
from authentik.providers.proxy.models import ProxyProvider
from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
self.user = create_test_admin_user()
self.provider = OAuth2Provider.objects.create(
name="test",
redirect_uris="http://some-other-domain",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
authorization_flow=create_test_flow(),
)
self.allowed: Application = Application.objects.create(

3
authentik/core/tests/test_transactional_applications_api.py
View File

@ -35,6 +35,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
"name": uid,
"authorization_flow": str(create_test_flow().pk),
"invalidation_flow": str(create_test_flow().pk),
"redirect_uris": [],
},
},
)
@ -89,6 +90,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
"name": uid,
"authorization_flow": str(authorization_flow.pk),
"invalidation_flow": str(authorization_flow.pk),
"redirect_uris": [],
},
"policy_bindings": [{"group": group.pk, "order": 0}],
},
@ -120,6 +122,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
"name": uid,
"authorization_flow": "",
"invalidation_flow": "",
"redirect_uris": [],
},
},
)

6
authentik/crypto/tests.py
View File

@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
from authentik.lib.config import CONFIG
from authentik.lib.generators import generate_id, generate_key
from authentik.providers.oauth2.models import OAuth2Provider
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
class TestCrypto(APITestCase):
@ -274,7 +274,7 @@ class TestCrypto(APITestCase):
client_id="test",
client_secret=generate_key(),
authorization_flow=create_test_flow(),
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=keypair,
)
response = self.client.get(
@ -306,7 +306,7 @@ class TestCrypto(APITestCase):
client_id="test",
client_secret=generate_key(),
authorization_flow=create_test_flow(),
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=keypair,
)
response = self.client.get(

34
authentik/providers/oauth2/api/providers.py
View File

@ -1,15 +1,18 @@
"""OAuth2Provider API Views"""
from copy import copy
from re import compile
from re import error as RegexError
from django.urls import reverse
from django.utils import timezone
from django.utils.translation import gettext_lazy as _
from drf_spectacular.types import OpenApiTypes
from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
from guardian.shortcuts import get_objects_for_user
from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError
from rest_framework.fields import CharField
from rest_framework.fields import CharField, ChoiceField
from rest_framework.generics import get_object_or_404
from rest_framework.request import Request
from rest_framework.response import Response
@ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin
from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
from authentik.core.models import Provider
from authentik.providers.oauth2.id_token import IDToken
from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
AccessToken,
OAuth2Provider,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.rbac.decorators import permission_required
class RedirectURISerializer(PassiveSerializer):
"""A single allowed redirect URI entry"""
matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
url = CharField()
class OAuth2ProviderSerializer(ProviderSerializer):
"""OAuth2Provider Serializer"""
redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
def validate_redirect_uris(self, data: list) -> list:
for entry in data:
if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
url = entry.get("url")
try:
compile(url)
except RegexError:
raise ValidationError(
_("Invalid Regex Pattern: {url}".format(url=url))
) from None
return data
class Meta:
model = OAuth2Provider
fields = ProviderSerializer.Meta.fields + [
@ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
"refresh_token_validity",
"include_claims_in_id_token",
"signing_key",
"redirect_uris",
"sub_mode",
"property_mappings",
"issuer_mode",

6
authentik/providers/oauth2/errors.py
View File

@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
from authentik.events.models import Event, EventAction
from authentik.lib.sentry import SentryIgnoredException
from authentik.lib.views import bad_request_message
from authentik.providers.oauth2.models import GrantTypes
from authentik.providers.oauth2.models import GrantTypes, RedirectURI
class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
)
provided_uri: str
allowed_uris: list[str]
allowed_uris: list[RedirectURI]
def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
super().__init__()
self.provided_uri = provided_uri
self.allowed_uris = allowed_uris

48
authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py Normal file
View File

@ -0,0 +1,48 @@
# Generated by Django 5.0.9 on 2024-11-04 12:56
from django.apps.registry import Apps
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from django.db import migrations, models
def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
db_alias = schema_editor.connection.alias
for provider in OAuth2Provider.objects.using(db_alias).all():
uris = []
for old in provider.old_redirect_uris.split("\n"):
mode = RedirectURIMatchingMode.STRICT
if old == "*" or old == ".*":
mode = RedirectURIMatchingMode.REGEX
uris.append(RedirectURI(mode, url=old))
provider.redirect_uris = uris
provider.save()
class Migration(migrations.Migration):
dependencies = [
("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
]
operations = [
migrations.RenameField(
model_name="oauth2provider",
old_name="redirect_uris",
new_name="old_redirect_uris",
),
migrations.AddField(
model_name="oauth2provider",
name="_redirect_uris",
field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
),
migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
migrations.RemoveField(
model_name="oauth2provider",
name="old_redirect_uris",
),
]

52
authentik/providers/oauth2/models.py
View File

@ -3,7 +3,7 @@
import base64
import binascii
import json
from dataclasses import asdict
from dataclasses import asdict, dataclass
from functools import cached_property
from hashlib import sha256
from typing import Any
@ -12,6 +12,7 @@ from urllib.parse import urlparse, urlunparse
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
from dacite import Config
from dacite.core import from_dict
from django.contrib.postgres.indexes import HashIndex
from django.db import models
@ -77,11 +78,25 @@ class IssuerMode(models.TextChoices):
"""Configure how the `iss` field is created."""
GLOBAL = "global", _("Same identifier is used for all providers")
PER_PROVIDER = "per_provider", _(
"Each provider has a different issuer, based on the application slug."
PER_PROVIDER = (
"per_provider",
_("Each provider has a different issuer, based on the application slug."),
)
class RedirectURIMatchingMode(models.TextChoices):
STRICT = "strict", _("Strict URL comparison")
REGEX = "regex", _("Regular Expression URL matching")
@dataclass
class RedirectURI:
"""A single redirect URI entry"""
matching_mode: RedirectURIMatchingMode
url: str
class ResponseTypes(models.TextChoices):
"""Response Type required by the client."""
@ -156,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
verbose_name=_("Client Secret"),
default=generate_client_secret,
)
redirect_uris = models.TextField(
default="",
blank=True,
_redirect_uris = models.JSONField(
default=dict,
verbose_name=_("Redirect URIs"),
help_text=_("Enter each URI on a new line."),
)
include_claims_in_id_token = models.BooleanField(
@ -271,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider):
except Provider.application.RelatedObjectDoesNotExist:
return None
@property
def redirect_uris(self) -> list[RedirectURI]:
uris = []
for entry in self._redirect_uris:
uris.append(
from_dict(
RedirectURI,
entry,
config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
)
)
return uris
@redirect_uris.setter
def redirect_uris(self, value: list[RedirectURI]):
cleansed = []
for entry in value:
cleansed.append(asdict(entry))
self._redirect_uris = cleansed
@property
def launch_url(self) -> str | None:
"""Guess launch_url based on first redirect_uri"""
if self.redirect_uris == "":
redirects = self.redirect_uris
if len(redirects) < 1:
return None
main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
main_url = redirects[0].url
try:
launch_url = urlparse(main_url)._replace(path="")
return urlunparse(launch_url)

36
authentik/providers/oauth2/tests/test_api.py
View File

@ -10,7 +10,13 @@ from rest_framework.test import APITestCase
from authentik.blueprints.tests import apply_blueprint
from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
class TestAPI(APITestCase):
@ -21,7 +27,7 @@ class TestAPI(APITestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
)
self.provider.property_mappings.set(ScopeMapping.objects.all())
self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -50,9 +56,29 @@ class TestAPI(APITestCase):
@skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
def test_launch_url(self):
"""Test launch_url"""
self.provider.redirect_uris = (
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n"
)
self.provider.redirect_uris = [
RedirectURI(
RedirectURIMatchingMode.REGEX,
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
),
]
self.provider.save()
self.provider.refresh_from_db()
self.assertIsNone(self.provider.launch_url)
def test_validate_redirect_uris(self):
"""Test redirect_uris API"""
response = self.client.post(
reverse("authentik_api:oauth2provider-list"),
data={
"name": generate_id(),
"authorization_flow": create_test_flow().pk,
"invalidation_flow": create_test_flow().pk,
"redirect_uris": [
{"matching_mode": "strict", "url": "http://goauthentik.io"},
{"matching_mode": "regex", "url": "**"},
],
},
)
self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
self.assertEqual(response.status_code, 400)

32
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -19,6 +19,8 @@ from authentik.providers.oauth2.models import (
AuthorizationCode,
GrantTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
)
with self.assertRaises(AuthorizeError):
request = self.factory.get(
@ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
)
with self.assertRaises(AuthorizeError):
request = self.factory.get(
@ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
)
with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="data:local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
)
with self.assertRaises(RedirectUriError):
request = self.factory.get(
@ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="",
redirect_uris=[],
)
with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase):
)
OAuthAuthorizationParams.from_request(request)
provider.refresh_from_db()
self.assertEqual(provider.redirect_uris, "+")
self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
def test_invalid_redirect_uri_regex(self):
"""test missing/invalid redirect URI"""
@ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid?",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
)
with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="+",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
)
with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(
@ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="foo://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100",
)
Application.objects.create(name="app", slug="app", provider=provider)
@ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair,
)
provider.property_mappings.set(
@ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair,
encryption_key=self.keypair,
)
@ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair,
)
Application.objects.create(name="app", slug="app", provider=provider)
@ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id=generate_id(),
authorization_flow=flow,
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair,
)
provider.property_mappings.set(
@ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(),
client_id=generate_id(),
authorization_flow=flow,
redirect_uris="http://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair,
)
app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)

13
authentik/providers/oauth2/tests/test_introspect.py
View File

@ -11,7 +11,14 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(),
)
self.app = Application.objects.create(
@ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase):
provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(),
)
auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()

12
authentik/providers/oauth2/tests/test_jwks.py
View File

@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
from authentik.crypto.builder import PrivateKeyAlg
from authentik.crypto.models import CertificateKeyPair
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import OAuth2Provider
from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
from authentik.providers.oauth2.tests.utils import OAuthTestCase
TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(),
)
app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
)
app = Application.objects.create(name="test", slug="test", provider=provider)
response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
)
app = Application.objects.create(name="test", slug="test", provider=provider)
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
)
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=cert,
)
app = Application.objects.create(name="test", slug="test", provider=provider)

11
authentik/providers/oauth2/tests/test_revoke.py
View File

@ -10,7 +10,14 @@ from django.utils import timezone
from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken
from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(),
)
self.app = Application.objects.create(

18
authentik/providers/oauth2/tests/test_token.py
View File

@ -22,6 +22,8 @@ from authentik.providers.oauth2.models import (
AccessToken,
AuthorizationCode,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
ScopeMapping,
)
@ -42,7 +44,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://TestServer",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
signing_key=self.keypair,
)
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -69,7 +71,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.keypair,
)
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -90,7 +92,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair,
)
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -118,7 +120,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair,
)
# Needs to be assigned to an application for iss to be set
@ -157,7 +159,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair,
encryption_key=self.keypair,
)
@ -188,7 +190,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair,
)
provider.property_mappings.set(
@ -250,7 +252,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair,
)
provider.property_mappings.set(
@ -308,7 +310,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.keypair,
)
provider.property_mappings.set(

9
authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
View File

@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_PROFILE,
TOKEN_TYPE,
)
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
from authentik.providers.oauth2.views.jwks import JWKSView
from authentik.sources.oauth.models import OAuthSource
@ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.cert,
)
self.provider.jwks_sources.add(self.source)

10
authentik/providers/oauth2/tests/test_token_cc_standard.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE,
)
from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
AccessToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
self.provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(),
)
self.provider.property_mappings.set(ScopeMapping.objects.all())

9
authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
View File

@ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE,
)
from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
self.provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(),
)
self.provider.property_mappings.set(ScopeMapping.objects.all())

9
authentik/providers/oauth2/tests/test_token_cc_user_pw.py
View File

@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE,
)
from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
self.provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(),
)
self.provider.property_mappings.set(ScopeMapping.objects.all())

11
authentik/providers/oauth2/tests/test_token_device.py
View File

@ -14,7 +14,14 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID,
SCOPE_OPENID_EMAIL,
)
from authentik.providers.oauth2.models import AccessToken, DeviceToken, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
AccessToken,
DeviceToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -28,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase):
self.provider = OAuth2Provider.objects.create(
name="test",
authorization_flow=create_test_flow(),
redirect_uris="http://testserver",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(),
)
self.provider.property_mappings.set(ScopeMapping.objects.all())

15
authentik/providers/oauth2/tests/test_token_pkce.py
View File

@ -10,7 +10,12 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
from authentik.providers.oauth2.models import (
AuthorizationCode,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="foo://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100",
)
Application.objects.create(name="app", slug="app", provider=provider)
@ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="foo://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100",
)
Application.objects.create(name="app", slug="app", provider=provider)
@ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="foo://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100",
)
Application.objects.create(name="app", slug="app", provider=provider)
@ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(),
client_id="test",
authorization_flow=flow,
redirect_uris="foo://localhost",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100",
)
Application.objects.create(name="app", slug="app", provider=provider)

11
authentik/providers/oauth2/tests/test_userinfo.py
View File

@ -11,7 +11,14 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.events.models import Event, EventAction
from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
redirect_uris="",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(),
)
self.provider.property_mappings.set(ScopeMapping.objects.all())

55
authentik/providers/oauth2/views/authorize.py
View File

@ -56,6 +56,8 @@ from authentik.providers.oauth2.models import (
AuthorizationCode,
GrantTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ResponseMode,
ResponseTypes,
ScopeMapping,
@ -187,40 +189,39 @@ class OAuthAuthorizationParams:
def check_redirect_uri(self):
"""Redirect URI validation."""
allowed_redirect_urls = self.provider.redirect_uris.split()
allowed_redirect_urls = self.provider.redirect_uris
if not self.redirect_uri:
LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls)
if self.provider.redirect_uris == "":
if len(allowed_redirect_urls) < 1:
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
self.provider.redirect_uris = self.redirect_uri
self.provider.redirect_uris = [
RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
]
self.provider.save()
allowed_redirect_urls = self.provider.redirect_uris.split()
allowed_redirect_urls = self.provider.redirect_uris
if self.provider.redirect_uris == "*":
LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri)
self.provider.redirect_uris = ".*"
self.provider.save()
allowed_redirect_urls = self.provider.redirect_uris.split()
try:
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (regex comparison)",
redirect_uri_given=self.redirect_uri,
redirect_uri_expected=allowed_redirect_urls,
)
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
except RegexError as exc:
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
if not any(x == self.redirect_uri for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (strict comparison)",
redirect_uri_given=self.redirect_uri,
redirect_uri_expected=allowed_redirect_urls,
)
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
match_found = False
for allowed in allowed_redirect_urls:
if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
if self.redirect_uri == allowed.url:
match_found = True
break
if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
try:
if fullmatch(allowed.url, self.redirect_uri):
match_found = True
break
except RegexError as exc:
LOGGER.warning(
"Failed to parse regular expression",
exc=exc,
url=allowed.url,
provider=self.provider,
)
if not match_found:
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
# Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)

2
authentik/providers/oauth2/views/provider.py
View File

@ -162,5 +162,5 @@ class ProviderInfoView(View):
OAuth2Provider, pk=application.provider_id
)
response = super().dispatch(request, *args, **kwargs)
cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
return response

82
authentik/providers/oauth2/views/token.py
View File

@ -58,6 +58,7 @@ from authentik.providers.oauth2.models import (
ClientTypes,
DeviceToken,
OAuth2Provider,
RedirectURIMatchingMode,
RefreshToken,
ScopeMapping,
)
@ -195,42 +196,7 @@ class TokenParams:
LOGGER.warning("Missing authorization code")
raise TokenError("invalid_grant")
allowed_redirect_urls = self.provider.redirect_uris.split()
# At this point, no provider should have a blank redirect_uri, in case they do
# this will check an empty array and raise an error
try:
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (regex comparison)",
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect URI used by provider",
provider=self.provider,
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
).from_http(request)
raise TokenError("invalid_client")
except RegexError as exc:
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
if not any(x == self.redirect_uri for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (strict comparison)",
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect_uri configured",
provider=self.provider,
).from_http(request)
raise TokenError("invalid_client") from None
# Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise TokenError("invalid_request")
self.__check_redirect_uri(request)
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
if not self.authorization_code:
@ -270,6 +236,48 @@ class TokenParams:
if not self.authorization_code.code_challenge and self.code_verifier:
raise TokenError("invalid_grant")
def __check_redirect_uri(self, request: HttpRequest):
allowed_redirect_urls = self.provider.redirect_uris
# At this point, no provider should have a blank redirect_uri, in case they do
# this will check an empty array and raise an error
match_found = False
for allowed in allowed_redirect_urls:
if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
if self.redirect_uri == allowed.url:
match_found = True
break
if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
try:
if fullmatch(allowed.url, self.redirect_uri):
match_found = True
break
except RegexError as exc:
LOGGER.warning(
"Failed to parse regular expression",
exc=exc,
url=allowed.url,
provider=self.provider,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect_uri configured",
provider=self.provider,
).from_http(request)
if not match_found:
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect URI used by provider",
provider=self.provider,
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
).from_http(request)
raise TokenError("invalid_client")
# Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise TokenError("invalid_request")
def __post_init_refresh(self, raw_token: str, request: HttpRequest):
if not raw_token:
LOGGER.warning("Missing refresh token")
@ -513,7 +521,7 @@ class TokenView(View):
response = super().dispatch(request, *args, **kwargs)
allowed_origins = []
if self.provider:
allowed_origins = self.provider.redirect_uris.split("\n")
allowed_origins = [x.url for x in self.provider.redirect_uris]
cors_allow(self.request, response, *allowed_origins)
return response

2
authentik/providers/oauth2/views/userinfo.py
View File

@ -108,7 +108,7 @@ class UserInfoView(View):
response = super().dispatch(request, *args, **kwargs)
allowed_origins = []
if self.token:
allowed_origins = self.token.provider.redirect_uris.split("\n")
allowed_origins = [x.url for x in self.token.provider.redirect_uris]
cors_allow(self.request, response, *allowed_origins)
return response

1
authentik/providers/proxy/api.py
View File

@ -121,7 +121,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
"basic_auth_password_attribute": ["iexact"],
"basic_auth_user_attribute": ["iexact"],
"mode": ["iexact"],
"redirect_uris": ["iexact"],
"cookie_domain": ["iexact"],
}
search_fields = ["name"]

21
authentik/providers/proxy/models.py
View File

@ -13,7 +13,13 @@ from rest_framework.serializers import Serializer
from authentik.crypto.models import CertificateKeyPair
from authentik.lib.models import DomainlessURLValidator
from authentik.outposts.models import OutpostModel
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
SCOPE_AK_PROXY = "ak_proxy"
OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@ -24,14 +30,15 @@ def get_cookie_secret():
return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
def _get_callback_url(uri: str) -> str:
return "\n".join(
[
def _get_callback_url(uri: str) -> list[RedirectURI]:
return [
RedirectURI(
RedirectURIMatchingMode.STRICT,
urljoin(uri, "outpost.goauthentik.io/callback")
+ f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
]
)
),
RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true"),
]
class ProxyMode(models.TextChoices):

27
blueprints/schema.json
View File

@ -5570,9 +5570,30 @@
"description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
},
"redirect_uris": {
"type": "string",
"title": "Redirect URIs",
"description": "Enter each URI on a new line."
"type": "array",
"items": {
"type": "object",
"properties": {
"matching_mode": {
"type": "string",
"enum": [
"strict",
"regex"
],
"title": "Matching mode"
},
"url": {
"type": "string",
"minLength": 1,
"title": "Url"
}
},
"required": [
"matching_mode",
"url"
]
},
"title": "Redirect uris"
},
"sub_mode": {
"type": "string",

53
schema.yml
View File

@ -20224,10 +20224,6 @@ paths:
format: uuid
explode: true
style: form
- in: query
name: redirect_uris
schema:
type: string
- in: query
name: refresh_token_validity
schema:
@ -20643,10 +20639,6 @@ paths:
format: uuid
explode: true
style: form
- in: query
name: redirect_uris__iexact
schema:
type: string
- name: search
required: false
in: query
@ -44074,6 +44066,11 @@ components:
required:
- challenge
- name
MatchingModeEnum:
enum:
- strict
- regex
type: string
Metadata:
type: object
description: Serializer for blueprint metadata
@ -44776,8 +44773,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs.
redirect_uris:
type: string
description: Enter each URI on a new line.
type: array
items:
$ref: '#/components/schemas/RedirectURI'
sub_mode:
allOf:
- $ref: '#/components/schemas/SubModeEnum'
@ -44806,6 +44804,7 @@ components:
- meta_model_name
- name
- pk
- redirect_uris
- verbose_name
- verbose_name_plural
OAuth2ProviderRequest:
@ -44877,8 +44876,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs.
redirect_uris:
type: string
description: Enter each URI on a new line.
type: array
items:
$ref: '#/components/schemas/RedirectURIRequest'
sub_mode:
allOf:
- $ref: '#/components/schemas/SubModeEnum'
@ -44900,6 +44900,7 @@ components:
- authorization_flow
- invalidation_flow
- name
- redirect_uris
OAuth2ProviderSetupURLs:
type: object
description: OAuth2 Provider Metadata serializer
@ -48898,8 +48899,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs.
redirect_uris:
type: string
description: Enter each URI on a new line.
type: array
items:
$ref: '#/components/schemas/RedirectURIRequest'
sub_mode:
allOf:
- $ref: '#/components/schemas/SubModeEnum'
@ -52092,6 +52094,29 @@ components:
type: string
required:
- to
RedirectURI:
type: object
description: A single allowed redirect URI entry
properties:
matching_mode:
$ref: '#/components/schemas/MatchingModeEnum'
url:
type: string
required:
- matching_mode
- url
RedirectURIRequest:
type: object
description: A single allowed redirect URI entry
properties:
matching_mode:
$ref: '#/components/schemas/MatchingModeEnum'
url:
type: string
minLength: 1
required:
- matching_mode
- url
Reputation:
type: object
description: Reputation Serializer

19
tests/e2e/test_provider_oauth2_github.py
View File

@ -12,7 +12,12 @@ from authentik.flows.models import Flow
from authentik.lib.generators import generate_id, generate_key
from authentik.policies.expression.models import ExpressionPolicy
from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
)
from tests.e2e.utils import SeleniumTestCase, retry
@ -73,7 +78,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow,
)
Application.objects.create(
@ -128,7 +135,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow,
)
app = Application.objects.create(
@ -199,7 +208,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow,
)
app = Application.objects.create(

34
tests/e2e/test_provider_oauth2_grafana.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE,
)
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry
@ -82,7 +88,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -131,7 +137,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth",
redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -200,7 +210,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth",
redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
authorization_flow=authorization_flow,
invalidation_flow=invalidation_flow,
)
@ -275,7 +289,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth",
redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(
@ -355,7 +373,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth",
redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(

22
tests/e2e/test_provider_oidc.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE,
)
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry
@ -67,7 +73,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -116,7 +122,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -188,7 +196,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(
@ -259,7 +269,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(

22
tests/e2e/test_provider_oidc_implicit.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE,
)
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry
@ -68,7 +74,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/",
redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -117,7 +123,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
authorization_flow=authorization_flow,
)
provider.property_mappings.set(
@ -170,7 +178,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(
@ -238,7 +248,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id,
client_secret=self.client_secret,
signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/",
redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
)
provider.property_mappings.set(
ScopeMapping.objects.filter(

45
web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
View File

@ -1,11 +1,16 @@
import "@goauthentik/admin/common/ak-crypto-certificate-search";
import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
import {
IRedirectURIInput,
akOAuthRedirectURIInput,
} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
import "@goauthentik/components/ak-radio-input";
import "@goauthentik/components/ak-text-input";
import "@goauthentik/components/ak-textarea-input";
import "@goauthentik/elements/ak-array-input.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
import "@goauthentik/elements/forms/FormGroup";
@ -15,7 +20,7 @@ import "@goauthentik/elements/forms/SearchSelect";
import "@goauthentik/elements/utils/TimeDeltaHelp";
import { msg } from "@lit/localize";
import { TemplateResult, html } from "lit";
import { TemplateResult, css, html } from "lit";
import { customElement, state } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
@ -23,8 +28,10 @@ import {
ClientTypeEnum,
FlowsInstancesListDesignationEnum,
IssuerModeEnum,
MatchingModeEnum,
OAuth2Provider,
ProvidersApi,
RedirectURI,
SubModeEnum,
} from "@goauthentik/api";
@ -98,13 +105,13 @@ export const issuerModeOptions = [
const redirectUriHelpMessages = [
msg(
"Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.",
"Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
),
msg(
"If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
),
msg(
'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.',
'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
),
];
@ -124,11 +131,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
@state()
showClientSecret = true;
@state()
redirectUris: RedirectURI[] = [];
static get styles() {
return super.styles.concat(css`
ak-array-input {
width: 100%;
}
`);
}
async loadInstance(pk: number): Promise<OAuth2Provider> {
const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({
id: pk,
});
this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
this.redirectUris = provider.redirectUris;
return provider;
}
@ -203,13 +222,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
?hidden=${!this.showClientSecret}
>
</ak-text-input>
<ak-textarea-input
<ak-form-element-horizontal
label=${msg("Redirect URIs/Origins")}
required
name="redirectUris"
label=${msg("Redirect URIs/Origins (RegEx)")}
.value=${provider?.redirectUris}
.bighelp=${redirectUriHelp}
>
</ak-textarea-input>
<ak-array-input
.items=${this.instance?.redirectUris ?? []}
.newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
.row=${(f?: RedirectURI) =>
akOAuthRedirectURIInput({
".redirectURI": f,
"style": "width: 100%",
} as unknown as IRedirectURIInput)}
>
</ak-array-input>
${redirectUriHelp}
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
<!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->

104
web/src/admin/providers/oauth2/OAuth2ProviderRedirectURI.ts Normal file
View File

@ -0,0 +1,104 @@
import "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
import { type Spread } from "@goauthentik/elements/types";
import { spread } from "@open-wc/lit-helpers";
import { msg } from "@lit/localize";
import { css, html } from "lit";
import { customElement, property, queryAll } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
import { MatchingModeEnum, RedirectURI } from "@goauthentik/api";
export interface IRedirectURIInput {
redirectURI: RedirectURI;
}
@customElement("ak-provider-oauth2-redirect-uri")
export class OAuth2ProviderRedirectURI extends AkControlElement<RedirectURI> {
static get styles() {
return [
PFBase,
PFInputGroup,
PFFormControl,
css`
.pf-c-input-group select {
width: 10em;
}
`,
];
}
@property({ type: Object, attribute: false })
redirectURI: RedirectURI = {
matchingMode: MatchingModeEnum.Strict,
url: "",
};
@queryAll(".ak-form-control")
controls?: HTMLInputElement[];
json() {
return Object.fromEntries(
Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
) as unknown as RedirectURI;
}
get isValid() {
return true;
}
render() {
const onChange = () => {
this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
};
return html`<div class="pf-c-input-group">
<select
name="matchingMode"
class="pf-c-form-control ak-form-control"
@change=${onChange}
>
<option
value="${MatchingModeEnum.Strict}"
?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Strict}
>
${msg("Strict")}
</option>
<option
value="${MatchingModeEnum.Regex}"
?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Regex}
>
${msg("Regex")}
</option>
</select>
<input
type="text"
@change=${onChange}
value="${ifDefined(this.redirectURI.url ?? undefined)}"
class="pf-c-form-control ak-form-control"
required
id="url"
placeholder=${msg("URL")}
name="href"
tabindex="1"
/>
</div>`;
}
}
export function akOAuthRedirectURIInput(properties: IRedirectURIInput) {
return html`<ak-provider-oauth2-redirect-uri
${spread(properties as unknown as Spread)}
></ak-provider-oauth2-redirect-uri>`;
}
declare global {
interface HTMLElementTagNameMap {
"ak-provider-oauth2-redirect-uri": OAuth2ProviderRedirectURI;
}
}

14
web/src/elements/forms/HorizontalFormElement.ts
View File

@ -2,7 +2,7 @@ import { convertToSlug } from "@goauthentik/common/utils";
import { AKElement } from "@goauthentik/elements/Base";
import { FormGroup } from "@goauthentik/elements/forms/FormGroup";
import { msg } from "@lit/localize";
import { msg, str } from "@lit/localize";
import { CSSResult, css } from "lit";
import { TemplateResult, html } from "lit";
import { customElement, property } from "lit/decorators.js";
@ -86,7 +86,7 @@ export class HorizontalFormElement extends AKElement {
writeOnlyActivated = false;
@property({ attribute: false })
errorMessages: string[] = [];
errorMessages: string[] | string[][] = [];
@property({ type: Boolean })
slugMode = false;
@ -183,6 +183,16 @@ export class HorizontalFormElement extends AKElement {
</p>`
: html``}
${this.errorMessages.map((message) => {
if (message instanceof Object) {
return html`${Object.entries(message).map(([field, errMsg]) => {
return html`<p
class="pf-c-form__helper-text pf-m-error"
aria-live="polite"
>
${msg(str`${field}: ${errMsg}`)}
</p>`;
})}`;
}
return html`<p class="pf-c-form__helper-text pf-m-error" aria-live="polite">
${message}
</p>`;

30
website/docs/security/cves/CVE-2024-52289.md Normal file
View File

@ -0,0 +1,30 @@
# CVE-2024-52289
_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
## Insecure default configuration for OAuth2 Redirect URIs
### Summary
Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
### Patches
authentik 2024.8.5 and 2024.10.3 fix this issue.
The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
### Workarounds
When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`.
### For more information
If you have any questions or comments about this advisory:
- Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

1
website/sidebars.js
View File

@ -659,6 +659,7 @@ export default {
label: "2024",
items: [
"security/cves/CVE-2024-52307",
"security/cves/CVE-2024-52289",
"security/cves/CVE-2024-52287",
"security/cves/CVE-2024-47077",
"security/cves/CVE-2024-47070",