providers/oauth2: audit_ignore last_login change for generated service account (#11085)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L.
2024-08-27 14:23:55 +02:00
committed by GitHub
parent 0fcac0e165
commit cdbf448769
3 changed files with 17 additions and 15 deletions


@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
"""Actual enterprise check, cached""" """Actual enterprise check, cached"""
from authentik.enterprise.license import LicenseKey from authentik.enterprise.license import LicenseKey
return LicenseKey.cached_summary().status return LicenseKey.cached_summary().status.is_valid
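Review bot: The switch to `.status.is_valid` on the return line changes the result of the enterprise licence gate, but the commit message only covers `audit_ignore` and nothing visible here tests the new behaviour. If `status` is an object or enum member that is always truthy, the old code would presumably have reported every licence state as enabled, so this fix deserves its own line in the description and a regression test asserting that an invalid or expired licence makes the check return `False`. A short comment such as `# status is an object; only .is_valid says whether enterprise features may be used` would keep a later edit from dropping the attribute again. The method's signature lies outside the hunk.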


@ -433,20 +433,21 @@ class TokenParams:
app = Application.objects.filter(provider=self.provider).first() app = Application.objects.filter(provider=self.provider).first()
if not app or not app.provider: if not app or not app.provider:
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
self.user, _ = User.objects.update_or_create( with audit_ignore():
# trim username to ensure the entire username is max 150 chars self.user, _ = User.objects.update_or_create(
# (22 chars being the length of the "template") # trim username to ensure the entire username is max 150 chars
username=f"ak-{self.provider.name[:150-22]}-client_credentials", # (22 chars being the length of the "template")
defaults={ username=f"ak-{self.provider.name[:150-22]}-client_credentials",
"attributes": { defaults={
USER_ATTRIBUTE_GENERATED: True, "attributes": {
USER_ATTRIBUTE_GENERATED: True,
},
"last_login": timezone.now(),
"name": f"Autogenerated user from application {app.name} (client credentials)",
"path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
"type": UserTypes.SERVICE_ACCOUNT,
}, },
"last_login": timezone.now(), )
"name": f"Autogenerated user from application {app.name} (client credentials)",
"path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
"type": UserTypes.SERVICE_ACCOUNT,
},
)
self.__check_policy_access(app, request) self.__check_policy_access(app, request)
Event.new( Event.new(
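Review bot: `with audit_ignore():` wraps the whole `User.objects.update_or_create(...)` call, so (assuming it suppresses model audit events for everything in its body) logging is skipped for more than the `last_login` refresh named in the commit title. The first creation of the service account and any later change to its `attributes`, `name`, `path` or `type` would also go unrecorded. Because the lookup is by username only, an existing account whose username matches the `ak-…-client_credentials` template would be rewritten into a generated service account with no audit record. Consider narrowing the suppressed region to the timestamp write, as sketched below; the sketch no longer refreshes `name` and `path` on existing accounts, so confirm that is acceptable or update those fields outside the `with` block. The enclosing method starts and ends outside the hunk.

```python
self.user, _ = User.objects.get_or_create(
    username=f"ak-{self.provider.name[:150-22]}-client_credentials",
    defaults={
        # … unchanged: attributes, name, path, type (last_login moved below) …
    },
)
# Only the per-request timestamp is kept out of the audit log; creation of
# the account is still recorded.
with audit_ignore():
    self.user.last_login = timezone.now()
    self.user.save(update_fields=["last_login"])
```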


@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials& grant_type=client_credentials&
client_id=application_client_id& client_id=application_client_id&
username=my-service-account& username=my-service-account&
password=my-token password=my-token&
scope=profile
``` ```
This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik. This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.