habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/oauth2: token revoke (#3077)

Browse Source
This commit is contained in:
Jens L
2022-06-11 18:49:16 +02:00
committed by GitHub
parent 24a21c1761
commit 8dbb0bd2c6
12 changed files with 359 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
authentik/providers/oauth2/errors.py
View File

@ -95,38 +95,45 @@ class TokenIntrospectionError(OAuth2Error):
class AuthorizeError(OAuth2Error):
"""General Authorization Errors"""
_errors = {
errors = {
# OAuth2 errors.
# https://tools.ietf.org/html/rfc6749#section-4.1.2.1
"invalid_request": "The request is otherwise malformed",
"unauthorized_client": "The client is not authorized to request an "
"authorization code using this method",
"access_denied": "The resource owner or authorization server denied " "the request",
"unsupported_response_type": "The authorization server does not "
"support obtaining an authorization code "
"using this method",
"invalid_scope": "The requested scope is invalid, unknown, or " "malformed",
"unauthorized_client": (
"The client is not authorized to request an authorization code using this method"
),
"access_denied": "The resource owner or authorization server denied the request",
"unsupported_response_type": (
"The authorization server does not support obtaining an authorization code "
"using this method"
),
"invalid_scope": "The requested scope is invalid, unknown, or malformed",
"server_error": "The authorization server encountered an error",
"temporarily_unavailable": "The authorization server is currently "
"unable to handle the request due to a "
"temporary overloading or maintenance of "
"the server",
"temporarily_unavailable": (
"The authorization server is currently unable to handle the request due to a "
"temporary overloading or maintenance of the server"
),
# OpenID errors.
# http://openid.net/specs/openid-connect-core-1_0.html#AuthError
"interaction_required": "The Authorization Server requires End-User "
"interaction of some form to proceed",
"login_required": "The Authorization Server requires End-User " "authentication",
"account_selection_required": "The End-User is required to select a "
"session at the Authorization Server",
"consent_required": "The Authorization Server requires End-User" "consent",
"invalid_request_uri": "The request_uri in the Authorization Request "
"returns an error or contains invalid data",
"invalid_request_object": "The request parameter contains an invalid " "Request Object",
"request_not_supported": "The provider does not support use of the " "request parameter",
"request_uri_not_supported": "The provider does not support use of the "
"request_uri parameter",
"registration_not_supported": "The provider does not support use of "
"the registration parameter",
"interaction_required": (
"The Authorization Server requires End-User interaction of some form to proceed"
),
"login_required": "The Authorization Server requires End-User authentication",
"account_selection_required": (
"The End-User is required to select a session at the Authorization Server"
),
"consent_required": "The Authorization Server requires End-Userconsent",
"invalid_request_uri": (
"The request_uri in the Authorization Request returns an error or contains invalid data"
),
"invalid_request_object": "The request parameter contains an invalid Request Object",
"request_not_supported": "The provider does not support use of the request parameter",
"request_uri_not_supported": (
"The provider does not support use of the request_uri parameter"
),
"registration_not_supported": (
"The provider does not support use of the registration parameter"
),
}
def __init__(
@ -138,7 +145,7 @@ class AuthorizeError(OAuth2Error):
):
super().__init__()
self.error = error
self.description = self._errors[error]
self.description = self.errors[error]
self.redirect_uri = redirect_uri
self.grant_type = grant_type
self.state = state
@ -170,19 +177,25 @@ class TokenError(OAuth2Error):
errors = {
"invalid_request": "The request is otherwise malformed",
"invalid_client": "Client authentication failed (e.g., unknown client, "
"no client authentication included, or unsupported "
"authentication method)",
"invalid_grant": "The provided authorization grant or refresh token is "
"invalid, expired, revoked, does not match the "
"redirection URI used in the authorization request, "
"or was issued to another client",
"unauthorized_client": "The authenticated client is not authorized to "
"use this authorization grant type",
"unsupported_grant_type": "The authorization grant type is not "
"supported by the authorization server",
"invalid_scope": "The requested scope is invalid, unknown, malformed, "
"or exceeds the scope granted by the resource owner",
"invalid_client": (
"Client authentication failed (e.g., unknown client, no client authentication "
"included, or unsupported authentication method)"
),
"invalid_grant": (
"The provided authorization grant or refresh token is invalid, expired, revoked, "
"does not match the redirection URI used in the authorization request, "
"or was issued to another client"
),
"unauthorized_client": (
"The authenticated client is not authorized to use this authorization grant type"
),
"unsupported_grant_type": (
"The authorization grant type is not supported by the authorization server"
),
"invalid_scope": (
"The requested scope is invalid, unknown, malformed, or exceeds the scope "
"granted by the resource owner"
),
}
def __init__(self, error):
@ -191,17 +204,39 @@ class TokenError(OAuth2Error):
self.description = self.errors[error]
class TokenRevocationError(OAuth2Error):
"""
Specific to the revocation endpoint.
See https://tools.ietf.org/html/rfc7662
"""
errors = TokenError.errors | {
"unsupported_token_type": (
"The authorization server does not support the revocation of the presented "
"token type. That is, the client tried to revoke an access token on a server not"
"supporting this feature."
)
}
def __init__(self, error: str):
super().__init__()
self.error = error
self.description = self.errors[error]
class BearerTokenError(OAuth2Error):
"""
OAuth2 errors.
https://tools.ietf.org/html/rfc6750#section-3.1
"""
_errors = {
errors = {
"invalid_request": ("The request is otherwise malformed", 400),
"invalid_token": (
"The access token provided is expired, revoked, malformed, "
"or invalid for other reasons",
(
"The access token provided is expired, revoked, malformed, "
"or invalid for other reasons"
),
401,
),
"insufficient_scope": (
@ -213,6 +248,6 @@ class BearerTokenError(OAuth2Error):
def __init__(self, code):
super().__init__()
self.code = code
error_tuple = self._errors.get(code, ("", ""))
error_tuple = self.errors.get(code, ("", ""))
self.description = error_tuple[0]
self.status = error_tuple[1]

98
authentik/providers/oauth2/tests/test_introspect.py Normal file
View File

@ -0,0 +1,98 @@
"""Test introspect view"""
import json
from base64 import b64encode
from dataclasses import asdict
from django.urls import reverse
from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id, generate_key
from authentik.providers.oauth2.models import IDToken, OAuth2Provider, RefreshToken
from authentik.providers.oauth2.tests.utils import OAuthTestCase
class TesOAuth2Introspection(OAuthTestCase):
"""Test introspect view"""
def setUp(self) -> None:
super().setUp()
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
client_id=generate_id(),
client_secret=generate_key(),
authorization_flow=create_test_flow(),
redirect_uris="",
signing_key=create_test_cert(),
)
self.app = Application.objects.create(
name=generate_id(), slug=generate_id(), provider=self.provider
)
self.app.save()
self.user = create_test_admin_user()
self.token: RefreshToken = RefreshToken.objects.create(
provider=self.provider,
user=self.user,
access_token=generate_id(),
refresh_token=generate_id(),
_scope="openid user profile",
_id_token=json.dumps(
asdict(
IDToken("foo", "bar"),
)
),
)
self.auth = b64encode(
f"{self.provider.client_id}:{self.provider.client_secret}".encode()
).decode()
def test_introspect(self):
"""Test introspect"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-introspection"),
HTTP_AUTHORIZATION=f"Basic {self.auth}",
data={"token": self.token.refresh_token, "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 200)
self.assertJSONEqual(
res.content.decode(),
{
"aud": None,
"sub": "bar",
"exp": None,
"iat": None,
"iss": "foo",
"active": True,
"client_id": self.provider.client_id,
},
)
def test_introspect_invalid_token(self):
"""Test introspect (invalid token)"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-introspection"),
HTTP_AUTHORIZATION=f"Basic {self.auth}",
data={"token": generate_id(), "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 200)
self.assertJSONEqual(
res.content.decode(),
{
"active": False,
},
)
def test_introspect_invalid_auth(self):
"""Test introspect (invalid auth)"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-introspection"),
HTTP_AUTHORIZATION="Basic qwerqrwe",
data={"token": generate_id(), "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 200)
self.assertJSONEqual(
res.content.decode(),
{
"active": False,
},
)

74
authentik/providers/oauth2/tests/test_revoke.py Normal file
View File

@ -0,0 +1,74 @@
"""Test revoke view"""
import json
from base64 import b64encode
from dataclasses import asdict
from django.urls import reverse
from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id, generate_key
from authentik.providers.oauth2.models import IDToken, OAuth2Provider, RefreshToken
from authentik.providers.oauth2.tests.utils import OAuthTestCase
class TesOAuth2Revoke(OAuthTestCase):
"""Test revoke view"""
def setUp(self) -> None:
super().setUp()
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(),
client_id=generate_id(),
client_secret=generate_key(),
authorization_flow=create_test_flow(),
redirect_uris="",
signing_key=create_test_cert(),
)
self.app = Application.objects.create(
name=generate_id(), slug=generate_id(), provider=self.provider
)
self.app.save()
self.user = create_test_admin_user()
self.token: RefreshToken = RefreshToken.objects.create(
provider=self.provider,
user=self.user,
access_token=generate_id(),
refresh_token=generate_id(),
_scope="openid user profile",
_id_token=json.dumps(
asdict(
IDToken("foo", "bar"),
)
),
)
self.auth = b64encode(
f"{self.provider.client_id}:{self.provider.client_secret}".encode()
).decode()
def test_revoke(self):
"""Test revoke"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-revoke"),
HTTP_AUTHORIZATION=f"Basic {self.auth}",
data={"token": self.token.refresh_token, "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 200)
def test_revoke_invalid(self):
"""Test revoke (invalid token)"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-revoke"),
HTTP_AUTHORIZATION=f"Basic {self.auth}",
data={"token": self.token.refresh_token + "foo", "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 200)
def test_revoke_invalid_auth(self):
"""Test revoke (invalid auth)"""
res = self.client.post(
reverse("authentik_providers_oauth2:token-revoke"),
HTTP_AUTHORIZATION="Basic fqewr",
data={"token": self.token.refresh_token, "token_type_hint": "refresh_token"},
)
self.assertEqual(res.status_code, 401)

4
authentik/providers/oauth2/tests/test_userinfo.py
View File

@ -19,9 +19,9 @@ class TestUserinfo(OAuthTestCase):
def setUp(self) -> None:
super().setUp()
ObjectManager().run()
self.app = Application.objects.create(name="test", slug="test")
self.app = Application.objects.create(name=generate_id(), slug=generate_id())
self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name="test",
name=generate_id(),
client_id=generate_id(),
client_secret=generate_key(),
authorization_flow=create_test_flow(),

6
authentik/providers/oauth2/urls.py
View File

@ -10,6 +10,7 @@ from authentik.providers.oauth2.views.introspection import TokenIntrospectionVie
from authentik.providers.oauth2.views.jwks import JWKSView
from authentik.providers.oauth2.views.provider import ProviderInfoView
from authentik.providers.oauth2.views.token import TokenView
from authentik.providers.oauth2.views.token_revoke import TokenRevokeView
from authentik.providers.oauth2.views.userinfo import UserInfoView
urlpatterns = [
@ -29,6 +30,11 @@ urlpatterns = [
csrf_exempt(TokenIntrospectionView.as_view()),
name="token-introspection",
),
path(
"revoke/",
csrf_exempt(TokenRevokeView.as_view()),
name="token-revoke",
),
path(
"<slug:application_slug>/end-session/",
RedirectView.as_view(pattern_name="authentik_core:if-session-end"),

16
authentik/providers/oauth2/utils.py
View File

@ -12,7 +12,7 @@ from structlog.stdlib import get_logger
from authentik.events.models import Event, EventAction
from authentik.providers.oauth2.errors import BearerTokenError
from authentik.providers.oauth2.models import RefreshToken
from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
LOGGER = get_logger()
@ -172,6 +172,20 @@ def protected_resource_view(scopes: list[str]):
return wrapper
def authenticate_provider(request: HttpRequest) -> Optional[OAuth2Provider]:
"""Attempt to authenticate via Basic auth of client_id:client_secret"""
client_id, client_secret = extract_client_auth(request)
if client_id == client_secret == "":
return None
provider: Optional[OAuth2Provider] = OAuth2Provider.objects.filter(client_id=client_id).first()
if not provider:
return None
if client_id != provider.client_id or client_secret != provider.client_secret:
LOGGER.debug("(basic) Provider for basic auth does not exist")
return None
return provider
class HttpResponseRedirectScheme(HttpResponseRedirect):
"""HTTP Response to redirect, can be to a non-http scheme"""

47
authentik/providers/oauth2/views/introspection.py
View File

@ -7,11 +7,7 @@ from structlog.stdlib import get_logger
from authentik.providers.oauth2.errors import TokenIntrospectionError
from authentik.providers.oauth2.models import IDToken, OAuth2Provider, RefreshToken
from authentik.providers.oauth2.utils import (
TokenResponse,
extract_access_token,
extract_client_auth,
)
from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
LOGGER = get_logger()
@ -21,8 +17,8 @@ class TokenIntrospectionParams:
"""Parameters for Token Introspection"""
token: RefreshToken
provider: OAuth2Provider
provider: OAuth2Provider = field(init=False)
id_token: IDToken = field(init=False)
def __post_init__(self):
@ -30,7 +26,6 @@ class TokenIntrospectionParams:
LOGGER.debug("Token is not valid")
raise TokenIntrospectionError()
self.provider = self.token.provider
self.id_token = self.token.id_token
if not self.token.id_token:
@ -40,30 +35,6 @@ class TokenIntrospectionParams:
)
raise TokenIntrospectionError()
def authenticate_basic(self, request: HttpRequest) -> bool:
"""Attempt to authenticate via Basic auth of client_id:client_secret"""
client_id, client_secret = extract_client_auth(request)
if client_id == client_secret == "":
return False
if client_id != self.provider.client_id or client_secret != self.provider.client_secret:
LOGGER.debug("(basic) Provider for basic auth does not exist")
raise TokenIntrospectionError()
return True
def authenticate_bearer(self, request: HttpRequest) -> bool:
"""Attempt to authenticate via token sent as bearer header"""
body_token = extract_access_token(request)
if not body_token:
return False
tokens = RefreshToken.objects.filter(access_token=body_token).select_related("provider")
if not tokens.exists():
LOGGER.debug("(bearer) Token does not exist")
raise TokenIntrospectionError()
if tokens.first().provider != self.provider:
LOGGER.debug("(bearer) Token providers don't match")
raise TokenIntrospectionError()
return True
@staticmethod
def from_request(request: HttpRequest) -> "TokenIntrospectionParams":
"""Extract required Parameters from HTTP Request"""
@ -75,19 +46,17 @@ class TokenIntrospectionParams:
LOGGER.debug("token_type_hint has invalid value", value=token_type_hint)
raise TokenIntrospectionError()
provider = authenticate_provider(request)
if not provider:
raise TokenIntrospectionError
try:
token: RefreshToken = RefreshToken.objects.select_related("provider").get(
**token_filter
)
token: RefreshToken = RefreshToken.objects.get(provider=provider, **token_filter)
except RefreshToken.DoesNotExist:
LOGGER.debug("Token does not exist", token=raw_token)
raise TokenIntrospectionError()
params = TokenIntrospectionParams(token=token)
if not any([params.authenticate_basic(request), params.authenticate_bearer(request)]):
LOGGER.warning("Not authenticated")
raise TokenIntrospectionError()
return params
return TokenIntrospectionParams(token=token, provider=provider)
class TokenIntrospectionView(View):

3
authentik/providers/oauth2/views/provider.py
View File

@ -58,6 +58,9 @@ class ProviderInfoView(View):
"introspection_endpoint": self.request.build_absolute_uri(
reverse("authentik_providers_oauth2:token-introspection")
),
"revocation_endpoint": self.request.build_absolute_uri(
reverse("authentik_providers_oauth2:token-revoke")
),
"response_types_supported": [
ResponseTypes.CODE,
ResponseTypes.ID_TOKEN,

66
authentik/providers/oauth2/views/token_revoke.py Normal file
View File

@ -0,0 +1,66 @@
"""Token revocation endpoint"""
from dataclasses import dataclass
from django.http import Http404, HttpRequest, HttpResponse
from django.views import View
from structlog.stdlib import get_logger
from authentik.providers.oauth2.errors import TokenRevocationError
from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
from authentik.providers.oauth2.utils import TokenResponse, authenticate_provider
LOGGER = get_logger()
@dataclass
class TokenRevocationParams:
"""Parameters for Token Revocation"""
token: RefreshToken
provider: OAuth2Provider
@staticmethod
def from_request(request: HttpRequest) -> "TokenRevocationParams":
"""Extract required Parameters from HTTP Request"""
raw_token = request.POST.get("token")
token_type_hint = request.POST.get("token_type_hint", "access_token")
token_filter = {token_type_hint: raw_token}
if token_type_hint not in ["access_token", "refresh_token"]:
LOGGER.debug("token_type_hint has invalid value", value=token_type_hint)
raise TokenRevocationError("unsupported_token_type")
provider = authenticate_provider(request)
if not provider:
raise TokenRevocationError("invalid_client")
try:
token: RefreshToken = RefreshToken.objects.get(provider=provider, **token_filter)
except RefreshToken.DoesNotExist:
LOGGER.debug("Token does not exist", token=raw_token)
raise Http404
return TokenRevocationParams(token=token, provider=provider)
class TokenRevokeView(View):
"""Token revoke endpoint
https://datatracker.ietf.org/doc/html/rfc7009"""
token: RefreshToken
params: TokenRevocationParams
provider: OAuth2Provider
def post(self, request: HttpRequest) -> HttpResponse:
"""Revocation handler"""
try:
self.params = TokenRevocationParams.from_request(request)
self.params.token.delete()
return TokenResponse(data={}, status=200)
except TokenRevocationError as exc:
return TokenResponse(exc.create_dict(), status=401)
except Http404:
# Token not found should return a HTTP 200 according to the specs
return TokenResponse(data={}, status=200)

2
tests/e2e/test_provider_oauth2_oidc.py
View File

@ -142,6 +142,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
self.driver.get("http://localhost:9009")
self.login()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
self.wait.until(ec.text_to_be_present_in_element((By.CSS_SELECTOR, "pre"), "{"))
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username)
@ -206,6 +207,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
).click()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
self.wait.until(ec.text_to_be_present_in_element((By.CSS_SELECTOR, "pre"), "{"))
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username)

10
tests/e2e/test_provider_oauth2_oidc_implicit.py
View File

@ -140,10 +140,10 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
self.container = self.setup_client()
self.driver.get("http://localhost:9009/implicit/")
sleep(2)
self.wait.until(ec.title_contains("authentik"))
self.login()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
sleep(1)
self.wait.until(ec.text_to_be_present_in_element((By.CSS_SELECTOR, "pre"), "{"))
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
self.assertEqual(body["profile"]["nickname"], self.user.username)
self.assertEqual(body["profile"]["name"], self.user.name)
@ -185,7 +185,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
self.container = self.setup_client()
self.driver.get("http://localhost:9009/implicit/")
sleep(2)
self.wait.until(ec.title_contains("authentik"))
self.login()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "ak-flow-executor")))
@ -203,7 +203,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
).click()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
sleep(1)
self.wait.until(ec.text_to_be_present_in_element((By.CSS_SELECTOR, "pre"), "{"))
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
self.assertEqual(body["profile"]["nickname"], self.user.username)
@ -250,7 +250,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
self.container = self.setup_client()
self.driver.get("http://localhost:9009/implicit/")
sleep(2)
self.wait.until(ec.title_contains("authentik"))
self.login()
self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1")))
self.assertEqual(

1
website/docs/providers/oauth2/index.md
View File

@ -11,6 +11,7 @@ Scopes can be configured using Scope Mappings, a type of [Property Mappings](../
| Authorization | `/application/o/authorize/` |
| Token | `/application/o/token/` |
| User Info | `/application/o/userinfo/` |
| Token Revoke | `/application/o/revoke/` |
| End Session | `/application/o/<application slug>/end-session/` |
| JWKS | `/application/o/<application slug>/jwks/` |
| OpenID Configuration | `/application/o/<application slug>/.well-known/openid-configuration` |