From 906faf9cce7f3e429f9d902e8240b65bd2f2ba67 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Wed, 10 May 2023 20:58:44 +0200
Subject: [PATCH] providers/proxy: fix panic when claims in session were nil (#5569)

* providers/proxy: fix panic when claims in session were nil

Signed-off-by: Jens Langhammer

* add new options

Signed-off-by: Jens Langhammer

---------

Signed-off-by: Jens Langhammer
---
 .../0016_alter_refreshtoken_token.py | 22 +++++++++++++++++++
 .../outpost/proxyv2/application/session.go | 4 ++++
 2 files changed, 26 insertions(+)

diff --git a/authentik/providers/oauth2/migrations/0016_alter_refreshtoken_token.py b/authentik/providers/oauth2/migrations/0016_alter_refreshtoken_token.py
index d65438e203..1d68416bf6 100644
--- a/authentik/providers/oauth2/migrations/0016_alter_refreshtoken_token.py
+++ b/authentik/providers/oauth2/migrations/0016_alter_refreshtoken_token.py
@@ -21,4 +21,26 @@ class Migration(migrations.Migration):
 default=authentik.providers.oauth2.models.generate_client_secret
 ),
 ),
+ migrations.AlterField(
+ model_name="oauth2provider",
+ name="sub_mode",
+ field=models.TextField(
+ choices=[
+ ("hashed_user_id", "Based on the Hashed User ID"),
+ ("user_id", "Based on user ID"),
+ ("user_uuid", "Based on user UUID"),
+ ("user_username", "Based on the username"),
+ (
+ "user_email",
+ "Based on the User's Email. This is recommended over the UPN method.",
+ ),
+ (
+ "user_upn",
+ "Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains.",
+ ),
+ ],
+ default="hashed_user_id",
+ help_text="Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
+ ),
+ ),
 ]
diff --git a/internal/outpost/proxyv2/application/session.go b/internal/outpost/proxyv2/application/session.go
index 55510da44b..e97c581e62 100644
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@@ -94,6 +94,10 @@ func (a *Application) Logout(sub string) error {
 a.log.WithError(err).Trace("failed to decode session")
 continue
 }
+ rc, ok := s.Values[constants.SessionClaims]
+ if !ok || rc == nil {
+ continue
+ }
 claims := s.Values[constants.SessionClaims].(Claims)
 if claims.Sub == sub {
 a.log.WithField("path", fullPath).Trace("deleting session")
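Review bot: The unchecked type assertion `claims := s.Values[constants.SessionClaims].(Claims)` that follows the new guard still panics when the stored value is present and non-nil but not a `Claims` (for example a session written by an older build or serialized differently), so the guard only closes the missing-key and nil cases. A comma-ok assertion covers all three at once and removes the second map lookup: replace the four added lines and the assertion with `claims, ok := s.Values[constants.SessionClaims].(Claims)` followed by `if !ok { continue }`. Because this loop is what revokes the proxy sessions for the subject being logged out, a panic here would, unless recovered upstream, abort the function before the remaining sessions are deleted, so skipping the entry (optionally with a Trace log like the decode-failure branch above) is the safer behaviour. Logout's body starts and ends outside the hunk.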