From cdbf44876926091935abbaa6eee4b6c81e81924f Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Tue, 27 Aug 2024 14:23:55 +0200
Subject: [PATCH] providers/oauth2: audit_ignore last_login change for generated service account (#11085)
Signed-off-by: Jens Langhammer
---
 authentik/enterprise/apps.py | 2 +-
 authentik/providers/oauth2/views/token.py | 27 ++++++++++---------
 .../providers/oauth2/client_credentials.md | 3 ++-
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/authentik/enterprise/apps.py b/authentik/enterprise/apps.py
index e62f317a7c..31d6eba9a1 100644
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 70ba0afd15..c42225d0af 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
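Review bot: The new `return LicenseKey.cached_summary().status.is_valid` should be pinned by a regression test, because the previous `return LicenseKey.cached_summary().status` handed back a status object whose truthiness presumably did not reflect license validity, so any caller using this result to gate enterprise features would likely have passed regardless of license state. A test that supplies a cached summary with an invalid status and asserts the method returns `False` would keep that from regressing silently. The docstring could state the contract now that the return is a boolean: `"""Actual enterprise check, cached; True only when the cached license summary reports a valid status"""`. The enclosing method's signature lies outside the hunk, so its declared return type should be confirmed to be `bool` as well.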
@@ -433,20 +433,21 @@ class TokenParams:
         app = Application.objects.filter(provider=self.provider).first()
         if not app or not app.provider:
             raise TokenError("invalid_grant")
-        self.user, _ = User.objects.update_or_create(
-            # trim username to ensure the entire username is max 150 chars
-            # (22 chars being the length of the "template")
-            username=f"ak-{self.provider.name[:150-22]}-client_credentials",
-            defaults={
-                "attributes": {
-                    USER_ATTRIBUTE_GENERATED: True,
+        with audit_ignore():
+            self.user, _ = User.objects.update_or_create(
+                # trim username to ensure the entire username is max 150 chars
+                # (22 chars being the length of the "template")
+                username=f"ak-{self.provider.name[:150-22]}-client_credentials",
+                defaults={
+                    "attributes": {
+                        USER_ATTRIBUTE_GENERATED: True,
+                    },
+                    "last_login": timezone.now(),
+                    "name": f"Autogenerated user from application {app.name} (client credentials)",
+                    "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
+                    "type": UserTypes.SERVICE_ACCOUNT,
                 },
-                "last_login": timezone.now(),
-                "name": f"Autogenerated user from application {app.name} (client credentials)",
-                "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
-                "type": UserTypes.SERVICE_ACCOUNT,
-            },
-        )
+            )
 
         self.__check_policy_access(app, request)
         Event.new(
diff --git a/website/docs/providers/oauth2/client_credentials.md b/website/docs/providers/oauth2/client_credentials.md
index 95ca1c5695..1169ea38d1 100644
--- a/website/docs/providers/oauth2/client_credentials.md
+++ b/website/docs/providers/oauth2/client_credentials.md
@@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
 grant_type=client_credentials&
 client_id=application_client_id&
 username=my-service-account&
-password=my-token
+password=my-token&
+scope=profile
 ```
 
 This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.
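Review bot: Creation of the generated service account is no longer audited, because the new `with audit_ignore():` wraps the whole `update_or_create` rather than only the `last_login` refresh the commit title targets — assuming `audit_ignore` suppresses all model events, as its use here suggests. A new user under `USER_PATH_SYSTEM_PREFIX` created on demand by any client reaching this grant is exactly the object an operator wants in the audit trail, so the suppression should apply only when the user already exists. The change below checks for an existing row first and enters `audit_ignore()` only in that case, using `contextlib.nullcontext` (which would need `from contextlib import nullcontext` at the top of the file, outside this hunk) for the first-creation path. The enclosing TokenParams method starts and ends outside this hunk, and the check-then-write is not atomic, so two concurrent first requests could still race into either branch; if that matters, `update_or_create`'s returned `created` flag is the alternative signal for deciding afterwards whether an event should be emitted.
```python
        username = f"ak-{self.provider.name[:150-22]}-client_credentials"
        # Only the routine last_login refresh is audit noise; creating a new
        # service account should still emit its model event.
        exists = User.objects.filter(username=username).exists()
        with audit_ignore() if exists else nullcontext():
            self.user, _ = User.objects.update_or_create(
                username=username,
                defaults={
                    # … unchanged: attributes / last_login / name / path / type …
                },
            )
```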