habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/oauth2: add client_assertion_type jwt bearer support (#2618)

Browse Source
This commit is contained in:
Jens L
2022-03-31 00:30:55 +02:00
committed by GitHub
parent 996bd05ba6
commit bb8af2f19b
34 changed files with 681 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
website/docs/providers/oauth2/client_credentials.md Normal file
View File

@ -0,0 +1,53 @@
# Machine-to-machine authentication
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
### Static authentication
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
An example request can look like this:
```
POST /application/o/token/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=application_client_id&
username=my-service-account&
password=my-token
```
This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.
### JWT-authentication
Starting with authentik 2022.4, you can authenticate and get a token using an existing JWT.
(For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT)
To configure this, the certificate used to sign the input JWT must be created in authentik. The certificate is enough, a private key is not required. Afterwards, configure the certificate in the OAuth2 provider settings under *Verification certificates*.
With this configure, any JWT issued by the configured certificates can be used to authenticate:
```
POST /application/o/token/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=$inputJWT&
client_id=application_client_id
```
Alternatively, you can set the `client_secret` parameter to the `$inputJWT`, for applications which can set the password from a file but not other parameters.
Input JWTs are checked to be signed by any of the selected *Verification certificates*, and their `exp` attribute must not be now or in the past.
To do additional checks, you can use *[Expression policies](../../policies/expression)*:
```python
return request.context["JWT"]["iss"] == "https://my.issuer"
```

18
website/docs/providers/oauth2.md → website/docs/providers/oauth2/index.md
View File

@ -4,7 +4,7 @@ title: OAuth2 Provider
This provider supports both generic OAuth2 as well as OpenID Connect
Scopes can be configured using Scope Mappings, a type of [Property Mappings](../property-mappings/#scope-mapping).
Scopes can be configured using Scope Mappings, a type of [Property Mappings](../../property-mappings/#scope-mapping).
| Endpoint | URL |
| -------------------- | -------------------------------------------------------------------- |
@ -42,18 +42,4 @@ Refresh tokens can be used as long-lived tokens to access user data, and further
### `client_credentials`:
Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.
An example request can look like this:
```
POST /application/o/token/ HTTP/1.1
Host: authentik.company
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&username=my-service-account&password=my-token&client_id=application_client_id
```
This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.
See [Machine-to-machine authentication](./client_credentials)

2
website/docs/releases/v0.10.md
View File

@ -73,4 +73,4 @@ This upgrade only applies if you are upgrading from a running 0.9 instance. auth
Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../providers/oauth2.md).
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../providers/oauth2).