habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/oauth2: allow blank redirect_uris to allow any redirect_uri

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2021-07-08 19:28:35 +02:00
parent 85f88e785f
commit 90fe1c2ce8
6 changed files with 1810 additions and 1770 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -67,7 +67,7 @@ class TestAuthorize(OAuthTestCase):
) )
OAuthAuthorizationParams.from_request(request) OAuthAuthorizationParams.from_request(request)
def test_redirect_uri(self): def test_invalid_redirect_uri(self):
"""test missing/invalid redirect URI""" """test missing/invalid redirect URI"""
OAuth2Provider.objects.create( OAuth2Provider.objects.create(
name="test", name="test",
@ -91,6 +91,28 @@ class TestAuthorize(OAuthTestCase):
) )
OAuthAuthorizationParams.from_request(request) OAuthAuthorizationParams.from_request(request)
def test_empty_redirect_uri(self):
"""test empty redirect URI (configure in provider)"""
OAuth2Provider.objects.create(
name="test",
client_id="test",
authorization_flow=Flow.objects.first(),
)
with self.assertRaises(RedirectUriError):
request = self.factory.get(
"/", data={"response_type": "code", "client_id": "test"}
)
OAuthAuthorizationParams.from_request(request)
request = self.factory.get(
"/",
data={
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://localhost",
},
)
OAuthAuthorizationParams.from_request(request)
def test_response_type(self): def test_response_type(self):
"""test response_type""" """test response_type"""
OAuth2Provider.objects.create( OAuth2Provider.objects.create(

19
authentik/providers/oauth2/views/authorize.py
View File

@ -156,20 +156,23 @@ class OAuthAuthorizationParams:
def check_redirect_uri(self): def check_redirect_uri(self):
"""Redirect URI validation.""" """Redirect URI validation."""
allowed_redirect_urls = self.provider.redirect_uris.split()
if not self.redirect_uri: if not self.redirect_uri:
LOGGER.warning("Missing redirect uri.") LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", self.provider.redirect_uris.split()) raise RedirectUriError("", allowed_redirect_urls)
if self.redirect_uri.lower() not in [ if len(allowed_redirect_urls) < 1:
x.lower() for x in self.provider.redirect_uris.split() LOGGER.warning(
]: "Provider has no allowed redirect_uri set, allowing all.",
allow=self.redirect_uri.lower(),
)
return
if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
redirect_uri=self.redirect_uri, redirect_uri=self.redirect_uri,
excepted=self.provider.redirect_uris.split(), excepted=allowed_redirect_urls,
)
raise RedirectUriError(
self.redirect_uri, self.provider.redirect_uris.split()
) )
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
if self.request: if self.request:
raise AuthorizeError( raise AuthorizeError(
self.redirect_uri, "request_not_supported", self.grant_type, self.state self.redirect_uri, "request_not_supported", self.grant_type, self.state

12
web/package-lock.json generated
View File

@ -61,12 +61,13 @@
"typescript": "^4.3.5", "typescript": "^4.3.5",
"webcomponent-qr-code": "^1.0.5", "webcomponent-qr-code": "^1.0.5",
"yaml": "^1.10.2" "yaml": "^1.10.2"
} },
"devDependencies": {}
}, },
"api": { "api": {
"name": "authentik-api", "name": "authentik-api",
"version": "0.0.1", "version": "1.0.0",
"dependencies": { "devDependencies": {
"typescript": "^3.6" "typescript": "^3.6"
} }
}, },
@ -74,6 +75,7 @@
"version": "3.9.9", "version": "3.9.9",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz",
"integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==", "integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==",
"dev": true,
"bin": { "bin": {
"tsc": "bin/tsc", "tsc": "bin/tsc",
"tsserver": "bin/tsserver" "tsserver": "bin/tsserver"
@ -9305,6 +9307,7 @@
"@babel/types": "^7.11.5", "@babel/types": "^7.11.5",
"@lingui/babel-plugin-extract-messages": "^3.10.2", "@lingui/babel-plugin-extract-messages": "^3.10.2",
"@lingui/conf": "^3.10.2", "@lingui/conf": "^3.10.2",
"babel-plugin-macros": "^3.0.1",
"bcp-47": "^1.0.7", "bcp-47": "^1.0.7",
"chalk": "^4.1.0", "chalk": "^4.1.0",
"chokidar": "3.5.1", "chokidar": "3.5.1",
@ -10204,7 +10207,8 @@
"typescript": { "typescript": {
"version": "3.9.9", "version": "3.9.9",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz", "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz",
"integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==" "integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==",
"dev": true
} }
} }
}, },

4
web/src/locales/en.po
View File

@ -1832,6 +1832,10 @@ msgstr "If enabled, use the local connection. Required Docker socket/Kubernetes
msgid "If left empty, authentik will try to extract the launch URL based on the selected provider." msgid "If left empty, authentik will try to extract the launch URL based on the selected provider."
msgstr "If left empty, authentik will try to extract the launch URL based on the selected provider." msgstr "If left empty, authentik will try to extract the launch URL based on the selected provider."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
#: src/pages/tenants/TenantForm.ts #: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
msgstr "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." msgstr "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."

3518
web/src/locales/pseudo-LOCALE.po
View File

File diff suppressed because it is too large Load Diff

3
web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
View File

@ -117,6 +117,9 @@ export class OAuth2ProviderFormPage extends ModelForm<OAuth2Provider, number> {
<p class="pf-c-form__helper-text"> <p class="pf-c-form__helper-text">
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`} ${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
</p> </p>
<p class="pf-c-form__helper-text">
${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`}
</p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
</div> </div>
</ak-form-group> </ak-form-group>