habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: habsi:main
Branches Tags
habsi:main habsi:eap-but-actually habsi:next habsi:docusaurus-3.8 habsi:api/nested habsi:dependabot/npm_and_yarn/website/docusaurus-theme-openapi-docs-4.5.1 habsi:dependabot/npm_and_yarn/website/goauthentik-f1651fdd03 habsi:dependabot/npm_and_yarn/website/docusaurus-plugin-openapi-docs-4.5.1 habsi:version-2025.6 habsi:website/docs--add-notification-rule-expression-policies-subpage habsi:website/docs--fix-upgrade-advice habsi:sources/oauth--change-azure-ad-UI-to-entra-id habsi:celery-2-dramatiq habsi:dependabot/npm_and_yarn/website/docusaurus-1d15a11bad habsi:enterprise/apple-platform-sso habsi:docs-events habsi:version-2025.4 habsi:imports-formatter habsi:import-organization habsi:dependabot/npm_and_yarn/packages/docusaurus-config/goauthentik-870c30f3e8 habsi:website/integrations/add-ironclad habsi:website/docs--updarte-azure-ad-source-doc-to-entra-id habsi:providers/oauth2/conformance-automated-tests habsi:events/improved-error-events habsi:stages/user_login/unknown-device habsi:website/integrations--add-papra habsi:website/integrations--add-planka habsi:providers/saml/default-name-id-policy habsi:webdriver-typechecking habsi:revert-revert-flow-buffer habsi:dependabot/npm_and_yarn/packages/docusaurus-config/goauthentik-cd500f49dc habsi:providers/oauth2/more-tests habsi:web/add-command-palette habsi:files-in-db habsi:flows/buffer-ng habsi:website/docs--update-nginx-config habsi:policies/optimize-engine habsi:stages/prompt/dry-run habsi:better-version-bump habsi:website/docs--add-credentials-prompt-for-rac-doc habsi:lib/sync/direct-delete-no-wait habsi:rfc8414 habsi:endpoints habsi:website-docs-scaling habsi:dependabot/uv/django-5.2.1 habsi:openapi-generators-tidy habsi:channels-postgres habsi:consistent-imports habsi:workspace-lint-format habsi:version-2025.2 habsi:npm-workspaces-sfe habsi:navbar-revisions-v2 habsi:remove-session-migration-code habsi:workspace-lint-format-v3 habsi:esbuild-ts-types habsi:tests/e2e/refactor-better-ws-support habsi:core/fix-group-creation habsi:core/refactor habsi:manualdeps/boto3/v1.38.12 habsi:website/integrations--fix-indentation-paperless-ngx habsi:docusaurus-version-picker habsi:monorepo-docs-tidy-v2 habsi:docusaurus-config-1.0.6 habsi:server-context-cleanup habsi:openapi-generators-v1 habsi:patch-1 habsi:website/docs/stylize-2025-4-release habsi:build-script-labeling habsi:dependabot/npm_and_yarn/website/multi-bb7dbf9f58 habsi:dependabot/npm_and_yarn/website/react-dom-19.1.0 habsi:safari-follow-up-fixes habsi:safari-crash-theme-toggle habsi:admin-layout-fixes habsi:safari-locale-reflow-fix habsi:safari-admin-interface-crash habsi:fix-shared-entrypoints habsi:safari-crash-fix habsi:policies-engine-rework habsi:policies-no-forking habsi:template-format habsi:monorepo-v3 habsi:docs-test-pr habsi:static-config-v1 habsi:version-2024.12 habsi:sfe-package-v1 habsi:router-tidy-v1 habsi:linter-fixes habsi:typescript-project-compile habsi:fix/issue_12164 habsi:feature/source_ldap_lookup_groups_from_user habsi:tests/e2e/dont-rely-on-socket-ip habsi:flows/concurrent habsi:permissions-based-ui-rendering habsi:web/parts/common habsi:enterprise-audit habsi:flow-no-websocket habsi:deny-unauthenticated-ws habsi:web/legibility/dual-select-events habsi:enterprise/reporting habsi:admin/add-explicit-token-expiry-modal habsi:outposts/scim habsi:policies/preview-test2 habsi:web/design/make-application-help-optional habsi:root/move-root-dir habsi:enterprise/rac/e2e habsi:root/more-cleanup habsi:reduce-memory-usage-batch-delete habsi:blueprints-find-object habsi:ci/push-to-new-dockerhub habsi:blueprint-apply-pglock habsi:version-2024.10 habsi:website/integrations/hoarder habsi:core/make-group-name-unique-db habsi:docs-read-replicas habsi:version-2024.8 habsi:web/update-provider-forms-for-invalidation habsi:web/flow/table-driven-executor habsi:root/maint/upgrade-openapi-generator habsi:website/edit/links-to-schemas habsi:web/cleanup/20240516-simple-element-docs-1 habsi:docs-vmware-update habsi:expiring-model-dont-sync-delete habsi:web/bug/fix-wdio-and-lint habsi:version-2024.6 habsi:analytics habsi:docs-api habsi:web/sdk/embed habsi:stages/identification/captcha-embed habsi:version-2024.4 habsi:docs-certs-webhook habsi:web/packages/common-package habsi:web/testing/update-wdio-tests habsi:docs-scripts habsi:web/add-htmltagmaps-to-activate-lit-analyzer habsi:web/use-oauth habsi:user-directory habsi:outpost-force-refresh habsi:core/improve-app-launch-url habsi:version-2024.2 habsi:web/sidebar-with-live-content-3 habsi:5165-password-strength-indicator habsi:healthcheck-force-connection-reload habsi:core/soft-delete habsi:web/legibility/applications habsi:web/request/7864-application-list-view habsi:restricted-python habsi:sources/ldap/support-dn-uniq habsi:benchmarks habsi:providers/radius/logout habsi:core/b2c-improvements habsi:web/cleanup/analyzable-routes habsi:web/fix-css-shandydom habsi:add_mappings_to_azure_ad_documentation habsi:version-test habsi:20240219-monorepo-step-1-move-authentik habsi:smusali/event-batching habsi:version-2023.10 habsi:version-2023.8 habsi:root/remove-if-help habsi:version-2024.1 habsi:web/config-provider-2a-branded habsi:stages/authenticator_mobile_with_connector habsi:sources/ldap/optimize-sync habsi:sources/ldap/track-sources habsi:blog-ent habsi:version-2023.5 habsi:version-2023.6 habsi:hack-close habsi:tanberry-patch-1 habsi:version-2023.4 habsi:smusali/qr_code habsi:beta-upgrade-edits habsi:stages/email/fix-pending-user habsi:dev/devcontainers habsi:outposts/fix-docker-ssh-integration habsi:interfaces habsi:version-2023.3 habsi:version-2022.12 habsi:version-2023.1 habsi:version-2023.2 habsi:root/config-file-watch habsi:version-2022.10 habsi:version-2022.11 habsi:version-2022.9 habsi:version-2022.8 habsi:version-2022.7 habsi:version-2022.6 habsi:version-2022.5 habsi:version-2022.4 habsi:version-2022.3 habsi:version-2022.2 habsi:version-2022.1 habsi:version-2021.12 habsi:version-2021.10 habsi:version-2021.9 habsi:version-2021.8 habsi:version-2021.7 habsi:version-2021.6 habsi:version-2021.5 habsi:version-2021.4 habsi:version-2021.3 habsi:version-2021.2 habsi:version-2021.1 habsi:version-0.14 habsi:version-0.13
habsi:version/2025.6.3 habsi:version/2025.4.3 habsi:version/2025.6.2 habsi:version/2025.6.1 habsi:version/2025.4.2 habsi:version/2025.6.0 habsi:version/2025.6.0-rc1 habsi:version/2025.4.1 habsi:version/2025.4.0 habsi:version/2025.4.0-rc2 habsi:version/2025.4.0-rc1 habsi:version/2025.2.4 habsi:version/2024.12.5 habsi:version/2025.2.3 habsi:version/2024.12.4 habsi:version/2025.2.2 habsi:version/2025.2.1 habsi:version/2025.2.0 habsi:version/2025.2.0-rc3 habsi:version/2025.2.0-rc2 habsi:version/2025.2.0-rc1 habsi:version/2024.12.3 habsi:version/2024.12.2 habsi:version/2024.12.1 habsi:version/2024.12.0 habsi:version/2024.12.0-rc1 habsi:version/2024.10.5 habsi:version/2024.10.4 habsi:version/2024.8.6 habsi:version/2024.10.3 habsi:version/2024.8.5 habsi:version/2024.10.2 habsi:version/2024.10.1 habsi:version/2024.10.0 habsi:version/2024.8.4 habsi:version/2024.10.0-rc1 habsi:version/2024.8.3 habsi:version/2024.6.5 habsi:version/2024.8.2 habsi:version/2024.8.1 habsi:version/2024.8.0 habsi:version/2024.8.0-rc2 habsi:version/2024.8.0-rc1 habsi:version/2024.4.4 habsi:version/2024.6.4 habsi:version/2024.6.3 habsi:version/2024.6.2 habsi:version/2024.6.1 habsi:version/2024.6.0 habsi:version/2024.4.3 habsi:version/2024.2.4 habsi:version/2024.6.0-rc2 habsi:version/2024.6.0-rc1 habsi:version/2024.4.2 habsi:version/2024.4.1 habsi:version/2024.4.0 habsi:version/2024.4.0-rc1 habsi:version/2024.2.3 habsi:version/2024.2.2 habsi:version/2024.2.1 habsi:version/2024.2.0 habsi:version/2024.2.0-rc2 habsi:version/2024.2.0-rc1 habsi:version/2023.10.7 habsi:version/2023.8.7 habsi:version/2023.10.6 habsi:version/2023.8.6 habsi:version/2023.10.5 habsi:version/2023.8.5 habsi:version/2023.10.4 habsi:version/2023.10.3 habsi:version/2023.8.4 habsi:version/2023.10.2 habsi:version/2023.10.1 habsi:version/2023.10.0 habsi:version/2023.8.3 habsi:version/2023.8.2 habsi:version/2023.8.1 habsi:version/2023.8.0 habsi:version/2023.5.6 habsi:version/2023.6.2 habsi:version/2023.6.1 habsi:version/2023.6.0 habsi:version/2023.5.5 habsi:version/2023.4.3 habsi:version/2023.4.2 habsi:version/2023.5.4 habsi:version/2023.5.3 habsi:version/2023.5.2 habsi:version/2023.5.1 habsi:version/2023.5.0 habsi:version/2023.4.1 habsi:version/2023.4.0 habsi:version/2023.3.1 habsi:version/2023.3.0 habsi:version/2022.12.3 habsi:version/2023.1.3 habsi:version/2023.2.3 habsi:version/2023.2.2 habsi:version/2023.2.1 habsi:version/2023.2.0 habsi:version/2023.1.2 habsi:version/2023.1.1 habsi:version/2023.1.0 habsi:version/2022.12.2 habsi:version/2022.12.1 habsi:version/2022.12.0 habsi:version/2022.10.4 habsi:version/2022.11.4 habsi:version/2022.10.3 habsi:version/2022.11.3 habsi:version/2022.11.2 habsi:version/2022.10.2 habsi:version/2022.11.1 habsi:version/2022.11.0 habsi:version/2022.10.1 habsi:version/2022.10.0 habsi:version/2022.9.0 habsi:version/2022.8.2 habsi:version/2022.8.1 habsi:version/2022.7.3 habsi:version/2022.7.2 habsi:version/2022.7.1 habsi:version/2022.6.3 habsi:version/2022.6.2 habsi:version/2022.6.1 habsi:version/2022.5.3 habsi:version/2022.5.2 habsi:version/2022.5.1 habsi:version/2022.4.1 habsi:version/2022.3.3 habsi:version/2022.3.2 habsi:version/2022.3.1 habsi:version/2022.2.1 habsi:version/2022.1.5 habsi:version/2022.1.4 habsi:version/2022.1.3 habsi:version/2022.1.2 habsi:version/2022.1.1 habsi:version/2021.12.5 habsi:version/2021.12.4 habsi:version/2021.12.3 habsi:version/2021.12.2 habsi:version/2021.12.1 habsi:version/2021.12.1-rc5 habsi:version/2021.12.1-rc4 habsi:version/2021.12.1-rc3 habsi:version/2021.12.1-rc2 habsi:version/2021.12.1-rc1 habsi:version/2021.10.4 habsi:version/2021.10.3 habsi:version/2021.10.2 habsi:version/2021.10.1 habsi:version/2021.10.1-rc3 habsi:version/2021.10.1-rc2 habsi:version/2021.10.1-rc1 habsi:version/2021.9.8 habsi:version/2021.9.7 habsi:version/2021.9.6 habsi:version/2021.9.5 habsi:version/2021.9.4 habsi:version/2021.9.3 habsi:version/2021.9.2 habsi:version/2021.9.1 habsi:version/2021.9.1-rc3 habsi:version/2021.9.1-rc2 habsi:version/2021.9.1-rc1 habsi:version/2021.8.5 habsi:version/2021.8.4 habsi:version/2021.8.3 habsi:version/2021.8.2 habsi:version/2021.8.1 habsi:version/2021.8.1-rc2 habsi:version/2021.8.1-rc1 habsi:version/2021.7.3 habsi:version/2021.7.2 habsi:version/2021.7.1 habsi:version/2021.7.1-rc2 habsi:version/2021.7.1-rc1 habsi:version/2021.6.4 habsi:version/2021.6.3 habsi:version/2021.6.2 habsi:version/2021.6.1 habsi:version/2021.6.1-rc6 habsi:version/2021.6.1-rc5 habsi:version/2021.6.1-rc4 habsi:version/2021.6.1-rc3 habsi:version/2021.6.1-rc2 habsi:version/2021.6.1-rc1 habsi:version/2021.5.4 habsi:version/2021.5.3 habsi:version/2021.5.2 habsi:version/2021.5.1 habsi:version/2021.5.1-rc10 habsi:version/2021.5.1-rc9 habsi:version/2021.5.1-rc8 habsi:version/2021.4.6 habsi:version/2021.5.1-rc7 habsi:version/2021.5.1-rc6 habsi:version/2021.5.1-rc5 habsi:version/2021.5.1-rc4 habsi:version/2021.5.1-rc3 habsi:version/2021.5.1-rc2 habsi:version/2021.5.1-rc1 habsi:version/2021.4.5 habsi:version/2021.4.4 habsi:version/2021.4.3 habsi:version/2021.4.2 habsi:version/2021.4.1 habsi:version/2021.4.1-rc2 habsi:version/2021.4.1-rc1 habsi:version/2021.3.4 habsi:version/2021.3.3 habsi:version/2021.3.2 habsi:version/2021.3.1 habsi:version/2021.3.1-rc2 habsi:version/2021.3.1-rc1 habsi:version/2021.2.6-stable habsi:version/2021.2.5-stable habsi:version/2021.2.4-stable habsi:version/2021.2.3-stable habsi:version/2021.2.2-stable habsi:version/2021.2.1-stable habsi:version/2021.2.1-rc2 habsi:version/2021.2.1-rc1 habsi:version/2021.1.4-stable habsi:version/2021.1.3-stable habsi:version/2021.1.2-stable habsi:version/2021.1.1-stable habsi:version/2021.1.1-rc2 habsi:version/2021.1.1-rc1 habsi:version/0.14.2-stable habsi:version/0.14.1-stable habsi:version/0.14.0-stable habsi:version/0.14.0-rc2 habsi:version/0.14.0-rc1 habsi:version/0.13.5-stable habsi:version/0.13.4-stable habsi:version/0.13.3-stable habsi:version/0.13.2-stable habsi:version/0.13.1-stable habsi:version/0.13.0-stable habsi:version/0.13.0-rc4 habsi:version/0.13.0-rc3 habsi:version/0.13.0-rc2 habsi:version/0.13.0-rc1 habsi:version/0.12.11-stable habsi:version/0.12.10-stable habsi:version/0.12.9-stable habsi:version/0.12.8-stable habsi:version/0.12.7-stable habsi:version/0.12.6-stable habsi:version/0.12.5-stable habsi:version/0.12.4-stable habsi:version/0.12.3-stable habsi:version/0.12.2-stable habsi:version/0.12.1-stable habsi:version/0.12.0-stable habsi:version/0.11.0-stable habsi:version/0.10.9-stable habsi:version/0.10.8-stable habsi:version/0.10.7-stable habsi:version/0.10.6-stable habsi:version/0.10.5-stable habsi:version/0.10.4-stable habsi:version/0.10.3-stable habsi:version/0.10.2-stable habsi:version/0.10.1-stable habsi:version/0.10.0-stable habsi:version/0.10.0-rc6 habsi:version/0.10.0-rc5 habsi:version/0.10.0-rc4 habsi:version/0.10.0-rc3 habsi:version/0.10.0-rc2 habsi:version/0.10.0-rc1 habsi:version/0.9.0-stable habsi:version/0.9.0-rc2 habsi:version/0.9.0-rc1 habsi:version/0.9.0-pre7 habsi:version/0.9.0-pre6 habsi:version/0.9.0-pre5 habsi:version/0.9.0-pre4 habsi:version/0.9.0-pre3 habsi:version/0.9.0-pre2 habsi:version/0.9.0-pre1 habsi:version/0.8.15-beta habsi:version/0.8.14-beta habsi:version/0.8.12-beta habsi:version/0.8.11-beta habsi:version/0.8.10-beta habsi:version/0.8.9-beta habsi:version/0.8.8-beta habsi:version/0.8.7-beta habsi:version/0.8.6-beta habsi:version/0.8.5-beta habsi:version/0.8.4-beta habsi:version/0.8.3-beta habsi:version/0.8.2-beta habsi:version/0.8.1-beta habsi:version/0.8.0-beta habsi:version/0.7.17-beta habsi:version/0.7.16-beta habsi:version/0.7.15-beta habsi:version/0.7.14-beta habsi:version/0.7.13-beta habsi:version/0.7.12-beta habsi:version/0.7.11-beta habsi:version/0.7.10-beta habsi:version/0.7.9-beta habsi:version/0.7.8-beta habsi:version/0.7.7-beta habsi:version/0.7.6-beta habsi:version/0.7.5-beta habsi:version/0.7.4-beta habsi:version/0.7.3-beta habsi:version/0.7.2-beta habsi:version/0.7.1-beta habsi:version/0.7.0-beta habsi:version/0.6.11-beta habsi:version/0.6.10-beta habsi:version/0.6.9-beta habsi:version/0.6.8-beta habsi:version/0.6.7-beta habsi:version/0.6.6-beta habsi:version/0.6.5-beta habsi:version/0.6.4-beta habsi:version/0.6.3-beta habsi:version/0.6.2-beta habsi:version/0.6.1-beta habsi:version/0.6.0-beta habsi:version/0.5.0-beta habsi:version/0.4.2-beta habsi:version/0.4.1-beta habsi:version/0.4.0-beta habsi:version/0.3.0-beta habsi:version/0.2.8-beta habsi:version/0.2.7-beta habsi:version/0.2.6-beta habsi:version/0.2.5-beta habsi:version/0.2.4-beta habsi:version/0.2.3-beta habsi:version/0.2.2-beta habsi:version/0.2.1-beta habsi:version/0.2.0-beta habsi:version/0.1.38-beta habsi:version/0.1.37-beta habsi:version/0.1.36-beta habsi:version/0.1.35-beta habsi:version/0.1.34-beta habsi:version/0.1.33-beta habsi:version/0.1.32-beta habsi:version/0.1.31-beta habsi:version/0.1.30-beta habsi:version/0.1.29-beta habsi:version/0.1.28-beta habsi:version/0.1.27-beta habsi:version/0.1.26-beta habsi:version/0.1.25-beta habsi:version/0.1.24-beta habsi:version/0.1.23-beta habsi:version/0.1.22-beta habsi:version/0.1.21-beta habsi:version/0.1.20-beta habsi:version/0.1.19-beta habsi:version/0.1.18-beta habsi:version/0.1.17-beta habsi:version/0.1.16-beta habsi:version/0.1.15-beta habsi:version/0.1.14-beta habsi:version/0.1.13-beta habsi:version/0.1.12-beta habsi:version/0.1.11-beta habsi:version/0.1.10-beta habsi:version/0.1.9-beta habsi:version/0.1.8-beta habsi:version/0.1.7-beta habsi:version/0.1.6-beta habsi:version/0.1.5-beta habsi:version/0.1.4-beta habsi:version/0.1.3-beta habsi:version/0.1.2-beta habsi:version/0.1.1-beta habsi:version/0.1.0-beta habsi:version/0.0.13-alpha habsi:version/0.0.12-alpha habsi:version/0.0.11-alpha habsi:version/0.0.10-alpha habsi:version/0.0.9-alpha habsi:version/0.0.8-alpha habsi:version/0.0.7-alpha habsi:version/0.0.6-alpha habsi:version/0.0.5-alpha habsi:version/0.0.4-alpha habsi:version/0.0.3-alpha habsi:version/0.0.2-alpha
...
compare: habsi:version/2024.10.3
Branches Tags
habsi:main habsi:eap-but-actually habsi:next habsi:docusaurus-3.8 habsi:api/nested habsi:dependabot/npm_and_yarn/website/docusaurus-theme-openapi-docs-4.5.1 habsi:dependabot/npm_and_yarn/website/goauthentik-f1651fdd03 habsi:dependabot/npm_and_yarn/website/docusaurus-plugin-openapi-docs-4.5.1 habsi:version-2025.6 habsi:website/docs--add-notification-rule-expression-policies-subpage habsi:website/docs--fix-upgrade-advice habsi:sources/oauth--change-azure-ad-UI-to-entra-id habsi:celery-2-dramatiq habsi:dependabot/npm_and_yarn/website/docusaurus-1d15a11bad habsi:enterprise/apple-platform-sso habsi:docs-events habsi:version-2025.4 habsi:imports-formatter habsi:import-organization habsi:dependabot/npm_and_yarn/packages/docusaurus-config/goauthentik-870c30f3e8 habsi:website/integrations/add-ironclad habsi:website/docs--updarte-azure-ad-source-doc-to-entra-id habsi:providers/oauth2/conformance-automated-tests habsi:events/improved-error-events habsi:stages/user_login/unknown-device habsi:website/integrations--add-papra habsi:website/integrations--add-planka habsi:providers/saml/default-name-id-policy habsi:webdriver-typechecking habsi:revert-revert-flow-buffer habsi:dependabot/npm_and_yarn/packages/docusaurus-config/goauthentik-cd500f49dc habsi:providers/oauth2/more-tests habsi:web/add-command-palette habsi:files-in-db habsi:flows/buffer-ng habsi:website/docs--update-nginx-config habsi:policies/optimize-engine habsi:stages/prompt/dry-run habsi:better-version-bump habsi:website/docs--add-credentials-prompt-for-rac-doc habsi:lib/sync/direct-delete-no-wait habsi:rfc8414 habsi:endpoints habsi:website-docs-scaling habsi:dependabot/uv/django-5.2.1 habsi:openapi-generators-tidy habsi:channels-postgres habsi:consistent-imports habsi:workspace-lint-format habsi:version-2025.2 habsi:npm-workspaces-sfe habsi:navbar-revisions-v2 habsi:remove-session-migration-code habsi:workspace-lint-format-v3 habsi:esbuild-ts-types habsi:tests/e2e/refactor-better-ws-support habsi:core/fix-group-creation habsi:core/refactor habsi:manualdeps/boto3/v1.38.12 habsi:website/integrations--fix-indentation-paperless-ngx habsi:docusaurus-version-picker habsi:monorepo-docs-tidy-v2 habsi:docusaurus-config-1.0.6 habsi:server-context-cleanup habsi:openapi-generators-v1 habsi:patch-1 habsi:website/docs/stylize-2025-4-release habsi:build-script-labeling habsi:dependabot/npm_and_yarn/website/multi-bb7dbf9f58 habsi:dependabot/npm_and_yarn/website/react-dom-19.1.0 habsi:safari-follow-up-fixes habsi:safari-crash-theme-toggle habsi:admin-layout-fixes habsi:safari-locale-reflow-fix habsi:safari-admin-interface-crash habsi:fix-shared-entrypoints habsi:safari-crash-fix habsi:policies-engine-rework habsi:policies-no-forking habsi:template-format habsi:monorepo-v3 habsi:docs-test-pr habsi:static-config-v1 habsi:version-2024.12 habsi:sfe-package-v1 habsi:router-tidy-v1 habsi:linter-fixes habsi:typescript-project-compile habsi:fix/issue_12164 habsi:feature/source_ldap_lookup_groups_from_user habsi:tests/e2e/dont-rely-on-socket-ip habsi:flows/concurrent habsi:permissions-based-ui-rendering habsi:web/parts/common habsi:enterprise-audit habsi:flow-no-websocket habsi:deny-unauthenticated-ws habsi:web/legibility/dual-select-events habsi:enterprise/reporting habsi:admin/add-explicit-token-expiry-modal habsi:outposts/scim habsi:policies/preview-test2 habsi:web/design/make-application-help-optional habsi:root/move-root-dir habsi:enterprise/rac/e2e habsi:root/more-cleanup habsi:reduce-memory-usage-batch-delete habsi:blueprints-find-object habsi:ci/push-to-new-dockerhub habsi:blueprint-apply-pglock habsi:version-2024.10 habsi:website/integrations/hoarder habsi:core/make-group-name-unique-db habsi:docs-read-replicas habsi:version-2024.8 habsi:web/update-provider-forms-for-invalidation habsi:web/flow/table-driven-executor habsi:root/maint/upgrade-openapi-generator habsi:website/edit/links-to-schemas habsi:web/cleanup/20240516-simple-element-docs-1 habsi:docs-vmware-update habsi:expiring-model-dont-sync-delete habsi:web/bug/fix-wdio-and-lint habsi:version-2024.6 habsi:analytics habsi:docs-api habsi:web/sdk/embed habsi:stages/identification/captcha-embed habsi:version-2024.4 habsi:docs-certs-webhook habsi:web/packages/common-package habsi:web/testing/update-wdio-tests habsi:docs-scripts habsi:web/add-htmltagmaps-to-activate-lit-analyzer habsi:web/use-oauth habsi:user-directory habsi:outpost-force-refresh habsi:core/improve-app-launch-url habsi:version-2024.2 habsi:web/sidebar-with-live-content-3 habsi:5165-password-strength-indicator habsi:healthcheck-force-connection-reload habsi:core/soft-delete habsi:web/legibility/applications habsi:web/request/7864-application-list-view habsi:restricted-python habsi:sources/ldap/support-dn-uniq habsi:benchmarks habsi:providers/radius/logout habsi:core/b2c-improvements habsi:web/cleanup/analyzable-routes habsi:web/fix-css-shandydom habsi:add_mappings_to_azure_ad_documentation habsi:version-test habsi:20240219-monorepo-step-1-move-authentik habsi:smusali/event-batching habsi:version-2023.10 habsi:version-2023.8 habsi:root/remove-if-help habsi:version-2024.1 habsi:web/config-provider-2a-branded habsi:stages/authenticator_mobile_with_connector habsi:sources/ldap/optimize-sync habsi:sources/ldap/track-sources habsi:blog-ent habsi:version-2023.5 habsi:version-2023.6 habsi:hack-close habsi:tanberry-patch-1 habsi:version-2023.4 habsi:smusali/qr_code habsi:beta-upgrade-edits habsi:stages/email/fix-pending-user habsi:dev/devcontainers habsi:outposts/fix-docker-ssh-integration habsi:interfaces habsi:version-2023.3 habsi:version-2022.12 habsi:version-2023.1 habsi:version-2023.2 habsi:root/config-file-watch habsi:version-2022.10 habsi:version-2022.11 habsi:version-2022.9 habsi:version-2022.8 habsi:version-2022.7 habsi:version-2022.6 habsi:version-2022.5 habsi:version-2022.4 habsi:version-2022.3 habsi:version-2022.2 habsi:version-2022.1 habsi:version-2021.12 habsi:version-2021.10 habsi:version-2021.9 habsi:version-2021.8 habsi:version-2021.7 habsi:version-2021.6 habsi:version-2021.5 habsi:version-2021.4 habsi:version-2021.3 habsi:version-2021.2 habsi:version-2021.1 habsi:version-0.14 habsi:version-0.13
habsi:version/2025.6.3 habsi:version/2025.4.3 habsi:version/2025.6.2 habsi:version/2025.6.1 habsi:version/2025.4.2 habsi:version/2025.6.0 habsi:version/2025.6.0-rc1 habsi:version/2025.4.1 habsi:version/2025.4.0 habsi:version/2025.4.0-rc2 habsi:version/2025.4.0-rc1 habsi:version/2025.2.4 habsi:version/2024.12.5 habsi:version/2025.2.3 habsi:version/2024.12.4 habsi:version/2025.2.2 habsi:version/2025.2.1 habsi:version/2025.2.0 habsi:version/2025.2.0-rc3 habsi:version/2025.2.0-rc2 habsi:version/2025.2.0-rc1 habsi:version/2024.12.3 habsi:version/2024.12.2 habsi:version/2024.12.1 habsi:version/2024.12.0 habsi:version/2024.12.0-rc1 habsi:version/2024.10.5 habsi:version/2024.10.4 habsi:version/2024.8.6 habsi:version/2024.10.3 habsi:version/2024.8.5 habsi:version/2024.10.2 habsi:version/2024.10.1 habsi:version/2024.10.0 habsi:version/2024.8.4 habsi:version/2024.10.0-rc1 habsi:version/2024.8.3 habsi:version/2024.6.5 habsi:version/2024.8.2 habsi:version/2024.8.1 habsi:version/2024.8.0 habsi:version/2024.8.0-rc2 habsi:version/2024.8.0-rc1 habsi:version/2024.4.4 habsi:version/2024.6.4 habsi:version/2024.6.3 habsi:version/2024.6.2 habsi:version/2024.6.1 habsi:version/2024.6.0 habsi:version/2024.4.3 habsi:version/2024.2.4 habsi:version/2024.6.0-rc2 habsi:version/2024.6.0-rc1 habsi:version/2024.4.2 habsi:version/2024.4.1 habsi:version/2024.4.0 habsi:version/2024.4.0-rc1 habsi:version/2024.2.3 habsi:version/2024.2.2 habsi:version/2024.2.1 habsi:version/2024.2.0 habsi:version/2024.2.0-rc2 habsi:version/2024.2.0-rc1 habsi:version/2023.10.7 habsi:version/2023.8.7 habsi:version/2023.10.6 habsi:version/2023.8.6 habsi:version/2023.10.5 habsi:version/2023.8.5 habsi:version/2023.10.4 habsi:version/2023.10.3 habsi:version/2023.8.4 habsi:version/2023.10.2 habsi:version/2023.10.1 habsi:version/2023.10.0 habsi:version/2023.8.3 habsi:version/2023.8.2 habsi:version/2023.8.1 habsi:version/2023.8.0 habsi:version/2023.5.6 habsi:version/2023.6.2 habsi:version/2023.6.1 habsi:version/2023.6.0 habsi:version/2023.5.5 habsi:version/2023.4.3 habsi:version/2023.4.2 habsi:version/2023.5.4 habsi:version/2023.5.3 habsi:version/2023.5.2 habsi:version/2023.5.1 habsi:version/2023.5.0 habsi:version/2023.4.1 habsi:version/2023.4.0 habsi:version/2023.3.1 habsi:version/2023.3.0 habsi:version/2022.12.3 habsi:version/2023.1.3 habsi:version/2023.2.3 habsi:version/2023.2.2 habsi:version/2023.2.1 habsi:version/2023.2.0 habsi:version/2023.1.2 habsi:version/2023.1.1 habsi:version/2023.1.0 habsi:version/2022.12.2 habsi:version/2022.12.1 habsi:version/2022.12.0 habsi:version/2022.10.4 habsi:version/2022.11.4 habsi:version/2022.10.3 habsi:version/2022.11.3 habsi:version/2022.11.2 habsi:version/2022.10.2 habsi:version/2022.11.1 habsi:version/2022.11.0 habsi:version/2022.10.1 habsi:version/2022.10.0 habsi:version/2022.9.0 habsi:version/2022.8.2 habsi:version/2022.8.1 habsi:version/2022.7.3 habsi:version/2022.7.2 habsi:version/2022.7.1 habsi:version/2022.6.3 habsi:version/2022.6.2 habsi:version/2022.6.1 habsi:version/2022.5.3 habsi:version/2022.5.2 habsi:version/2022.5.1 habsi:version/2022.4.1 habsi:version/2022.3.3 habsi:version/2022.3.2 habsi:version/2022.3.1 habsi:version/2022.2.1 habsi:version/2022.1.5 habsi:version/2022.1.4 habsi:version/2022.1.3 habsi:version/2022.1.2 habsi:version/2022.1.1 habsi:version/2021.12.5 habsi:version/2021.12.4 habsi:version/2021.12.3 habsi:version/2021.12.2 habsi:version/2021.12.1 habsi:version/2021.12.1-rc5 habsi:version/2021.12.1-rc4 habsi:version/2021.12.1-rc3 habsi:version/2021.12.1-rc2 habsi:version/2021.12.1-rc1 habsi:version/2021.10.4 habsi:version/2021.10.3 habsi:version/2021.10.2 habsi:version/2021.10.1 habsi:version/2021.10.1-rc3 habsi:version/2021.10.1-rc2 habsi:version/2021.10.1-rc1 habsi:version/2021.9.8 habsi:version/2021.9.7 habsi:version/2021.9.6 habsi:version/2021.9.5 habsi:version/2021.9.4 habsi:version/2021.9.3 habsi:version/2021.9.2 habsi:version/2021.9.1 habsi:version/2021.9.1-rc3 habsi:version/2021.9.1-rc2 habsi:version/2021.9.1-rc1 habsi:version/2021.8.5 habsi:version/2021.8.4 habsi:version/2021.8.3 habsi:version/2021.8.2 habsi:version/2021.8.1 habsi:version/2021.8.1-rc2 habsi:version/2021.8.1-rc1 habsi:version/2021.7.3 habsi:version/2021.7.2 habsi:version/2021.7.1 habsi:version/2021.7.1-rc2 habsi:version/2021.7.1-rc1 habsi:version/2021.6.4 habsi:version/2021.6.3 habsi:version/2021.6.2 habsi:version/2021.6.1 habsi:version/2021.6.1-rc6 habsi:version/2021.6.1-rc5 habsi:version/2021.6.1-rc4 habsi:version/2021.6.1-rc3 habsi:version/2021.6.1-rc2 habsi:version/2021.6.1-rc1 habsi:version/2021.5.4 habsi:version/2021.5.3 habsi:version/2021.5.2 habsi:version/2021.5.1 habsi:version/2021.5.1-rc10 habsi:version/2021.5.1-rc9 habsi:version/2021.5.1-rc8 habsi:version/2021.4.6 habsi:version/2021.5.1-rc7 habsi:version/2021.5.1-rc6 habsi:version/2021.5.1-rc5 habsi:version/2021.5.1-rc4 habsi:version/2021.5.1-rc3 habsi:version/2021.5.1-rc2 habsi:version/2021.5.1-rc1 habsi:version/2021.4.5 habsi:version/2021.4.4 habsi:version/2021.4.3 habsi:version/2021.4.2 habsi:version/2021.4.1 habsi:version/2021.4.1-rc2 habsi:version/2021.4.1-rc1 habsi:version/2021.3.4 habsi:version/2021.3.3 habsi:version/2021.3.2 habsi:version/2021.3.1 habsi:version/2021.3.1-rc2 habsi:version/2021.3.1-rc1 habsi:version/2021.2.6-stable habsi:version/2021.2.5-stable habsi:version/2021.2.4-stable habsi:version/2021.2.3-stable habsi:version/2021.2.2-stable habsi:version/2021.2.1-stable habsi:version/2021.2.1-rc2 habsi:version/2021.2.1-rc1 habsi:version/2021.1.4-stable habsi:version/2021.1.3-stable habsi:version/2021.1.2-stable habsi:version/2021.1.1-stable habsi:version/2021.1.1-rc2 habsi:version/2021.1.1-rc1 habsi:version/0.14.2-stable habsi:version/0.14.1-stable habsi:version/0.14.0-stable habsi:version/0.14.0-rc2 habsi:version/0.14.0-rc1 habsi:version/0.13.5-stable habsi:version/0.13.4-stable habsi:version/0.13.3-stable habsi:version/0.13.2-stable habsi:version/0.13.1-stable habsi:version/0.13.0-stable habsi:version/0.13.0-rc4 habsi:version/0.13.0-rc3 habsi:version/0.13.0-rc2 habsi:version/0.13.0-rc1 habsi:version/0.12.11-stable habsi:version/0.12.10-stable habsi:version/0.12.9-stable habsi:version/0.12.8-stable habsi:version/0.12.7-stable habsi:version/0.12.6-stable habsi:version/0.12.5-stable habsi:version/0.12.4-stable habsi:version/0.12.3-stable habsi:version/0.12.2-stable habsi:version/0.12.1-stable habsi:version/0.12.0-stable habsi:version/0.11.0-stable habsi:version/0.10.9-stable habsi:version/0.10.8-stable habsi:version/0.10.7-stable habsi:version/0.10.6-stable habsi:version/0.10.5-stable habsi:version/0.10.4-stable habsi:version/0.10.3-stable habsi:version/0.10.2-stable habsi:version/0.10.1-stable habsi:version/0.10.0-stable habsi:version/0.10.0-rc6 habsi:version/0.10.0-rc5 habsi:version/0.10.0-rc4 habsi:version/0.10.0-rc3 habsi:version/0.10.0-rc2 habsi:version/0.10.0-rc1 habsi:version/0.9.0-stable habsi:version/0.9.0-rc2 habsi:version/0.9.0-rc1 habsi:version/0.9.0-pre7 habsi:version/0.9.0-pre6 habsi:version/0.9.0-pre5 habsi:version/0.9.0-pre4 habsi:version/0.9.0-pre3 habsi:version/0.9.0-pre2 habsi:version/0.9.0-pre1 habsi:version/0.8.15-beta habsi:version/0.8.14-beta habsi:version/0.8.12-beta habsi:version/0.8.11-beta habsi:version/0.8.10-beta habsi:version/0.8.9-beta habsi:version/0.8.8-beta habsi:version/0.8.7-beta habsi:version/0.8.6-beta habsi:version/0.8.5-beta habsi:version/0.8.4-beta habsi:version/0.8.3-beta habsi:version/0.8.2-beta habsi:version/0.8.1-beta habsi:version/0.8.0-beta habsi:version/0.7.17-beta habsi:version/0.7.16-beta habsi:version/0.7.15-beta habsi:version/0.7.14-beta habsi:version/0.7.13-beta habsi:version/0.7.12-beta habsi:version/0.7.11-beta habsi:version/0.7.10-beta habsi:version/0.7.9-beta habsi:version/0.7.8-beta habsi:version/0.7.7-beta habsi:version/0.7.6-beta habsi:version/0.7.5-beta habsi:version/0.7.4-beta habsi:version/0.7.3-beta habsi:version/0.7.2-beta habsi:version/0.7.1-beta habsi:version/0.7.0-beta habsi:version/0.6.11-beta habsi:version/0.6.10-beta habsi:version/0.6.9-beta habsi:version/0.6.8-beta habsi:version/0.6.7-beta habsi:version/0.6.6-beta habsi:version/0.6.5-beta habsi:version/0.6.4-beta habsi:version/0.6.3-beta habsi:version/0.6.2-beta habsi:version/0.6.1-beta habsi:version/0.6.0-beta habsi:version/0.5.0-beta habsi:version/0.4.2-beta habsi:version/0.4.1-beta habsi:version/0.4.0-beta habsi:version/0.3.0-beta habsi:version/0.2.8-beta habsi:version/0.2.7-beta habsi:version/0.2.6-beta habsi:version/0.2.5-beta habsi:version/0.2.4-beta habsi:version/0.2.3-beta habsi:version/0.2.2-beta habsi:version/0.2.1-beta habsi:version/0.2.0-beta habsi:version/0.1.38-beta habsi:version/0.1.37-beta habsi:version/0.1.36-beta habsi:version/0.1.35-beta habsi:version/0.1.34-beta habsi:version/0.1.33-beta habsi:version/0.1.32-beta habsi:version/0.1.31-beta habsi:version/0.1.30-beta habsi:version/0.1.29-beta habsi:version/0.1.28-beta habsi:version/0.1.27-beta habsi:version/0.1.26-beta habsi:version/0.1.25-beta habsi:version/0.1.24-beta habsi:version/0.1.23-beta habsi:version/0.1.22-beta habsi:version/0.1.21-beta habsi:version/0.1.20-beta habsi:version/0.1.19-beta habsi:version/0.1.18-beta habsi:version/0.1.17-beta habsi:version/0.1.16-beta habsi:version/0.1.15-beta habsi:version/0.1.14-beta habsi:version/0.1.13-beta habsi:version/0.1.12-beta habsi:version/0.1.11-beta habsi:version/0.1.10-beta habsi:version/0.1.9-beta habsi:version/0.1.8-beta habsi:version/0.1.7-beta habsi:version/0.1.6-beta habsi:version/0.1.5-beta habsi:version/0.1.4-beta habsi:version/0.1.3-beta habsi:version/0.1.2-beta habsi:version/0.1.1-beta habsi:version/0.1.0-beta habsi:version/0.0.13-alpha habsi:version/0.0.12-alpha habsi:version/0.0.11-alpha habsi:version/0.0.10-alpha habsi:version/0.0.9-alpha habsi:version/0.0.8-alpha habsi:version/0.0.7-alpha habsi:version/0.0.6-alpha habsi:version/0.0.5-alpha habsi:version/0.0.4-alpha habsi:version/0.0.3-alpha habsi:version/0.0.2-alpha

48 Commits
main ... version/20

Author SHA1 Message Date
Jens Langhammer
a9776a83d3 release: 2024.10.3 2024-11-21 15:17:46 +01:00
Ken Sternberg
b9faae83b4 web/admin: better footer links (#12004) 
* web: Add InvalidationFlow to Radius Provider dialogues

## What

- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
  - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
    to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`

## Note

Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.

* First things first: save the blueprint that initializes the test runner.

* Committing to having the PKs be a string, and streamlining an event handler.  Type solidity needed for the footer control.

* web/admin/better-footer-links

# What

- A data control that takes two string fields and returns the JSON object for a FooterLink
- A data control that takes a control like the one above and assists the user in entering a
  collection of such objects.

# Why

We're trying to move away from CodeMirror for the simple things, like tables of what is essentially
data entry. Jens proposed this ArrayInput thing, and I've simplified it so you define what "a row"
is as a small, lightweight custom Component that returns and validates the datatype for that row,
and ArrayInput creates a table of rows, and that's that.

We're still working out the details, but the demo is to replace the "Name & URL" table in
AdminSettingsForm with this, since it was silly to ask the customer to hand-write JSON or YAML,
getting the keys right every time, for an `Array<Record<{ name: string, href: string }>>`. And some
client-side validation can't hurt.

Storybook included.  Tests to come.

* Not ready for prime time.

* One lint.  Other lints are still in progress.

* web: lots of 'as unknown as Foo'

I know this is considered bad practice, but we use Lit and Lit.spread
to send initialization arguments to functions that create DOM
objects, and Lit's prefix convention of '.' for object, '?' for
boolean, and '@' for event handler doesn't map at all to the Interface
declarations of Typescript.  So we have to cast these types when
sending them via functions to constructors.

* web/admin/better-footer-links

# What

- Remove the "JSON or YAML" language from the AdminSettings page for describing FooterLinks inputs.
- Add unit tests for ArrayInput and AdminSettingsFooterLinks.
- Provide a property for accessing a component's value

# Why

Providing a property by which the JSONified version of the value can be accessed enhances the
ability of tests to independently check that the value is in a state we desire, since properties can
easily be accessed across the wire protocol used by browser-based testing environments.

* Ensure the UI is built from _current_ before running tests.
 2024-11-21 14:53:32 +01:00
authentik-automation[bot]
afc2998697 web: bump API Client version (#12118) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	web/package-lock.json
#	web/package.json
 2024-11-21 14:53:22 +01:00
Jens L
fabacc56c4 security: fix CVE 2024 52289 (#12113) 
* initial migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix loading

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start dynamic ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* initial ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add serialize

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add error message handling

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix/add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prepare docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate to new input

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	authentik/core/tests/test_transactional_applications_api.py
 2024-11-21 14:48:09 +01:00
Jens L.
11b013d3b8 security: fix CVE 2024 52307 (#12115) 
* security: fix CVE-2024-52307

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-11-21 14:28:03 +01:00
gcp-cherry-pick-bot[bot]
e10c47d8b8 security: fix CVE 2024 52287 (cherry-pick #12114) (#12117) 
security: fix CVE 2024 52287 (#12114)

* security: CVE-2024-52287



* add tests



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-21 14:24:31 +01:00
gcp-cherry-pick-bot[bot]
d2b194f6b7 website/docs: add CSP to hardening (cherry-pick #11970) (#12116) 
website/docs: add CSP to hardening (#11970)

* add CSP to hardening

* re-word docs




* fix typo

* use the correct term "location" instead of "origin" in CSP docs

* reword docs

* add comments to permissive CSP directives

* add warning about overwriting existing CSP headers

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-11-21 14:21:11 +01:00
gcp-cherry-pick-bot[bot]
780a59c908 internal: add CSP header to files in /media (cherry-pick #12092) (#12108) 
internal: add CSP header to files in `/media` (#12092)

add CSP header to files in `/media`

This fixes a security issue of stored cross-site scripting via embedding
JavaScript in SVG files by a malicious user with `can_save_media`
capability.

This can be exploited if:
- the uploaded file is served from the same origin as authentik, and
- the user opens the uploaded file directly in their browser

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-21 09:58:42 +01:00
gcp-cherry-pick-bot[bot]
f8015fccd8 website/docs: group CVEs by year (cherry-pick #12099) (#12100) 
website/docs: group CVEs by year (#12099)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-20 23:05:37 +01:00
gcp-cherry-pick-bot[bot]
05f4e738a1 root: check remote IP for proxy protocol same as HTTP/etc (cherry-pick #12094) (#12097) 
root: check remote IP for proxy protocol same as HTTP/etc (#12094)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-20 21:49:53 +01:00
gcp-cherry-pick-bot[bot]
f535a23c03 root: fix activation of locale not being scoped (cherry-pick #12091) (#12096) 
root: fix activation of locale not being scoped (#12091)

closes #12088

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-20 21:33:08 +01:00
gcp-cherry-pick-bot[bot]
91905530c7 providers/scim: accept string and int for SCIM IDs (cherry-pick #12093) (#12095) 
providers/scim: accept string and int for SCIM IDs (#12093)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-20 18:36:50 +01:00
gcp-cherry-pick-bot[bot]
40a970e321 core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (cherry-pick #12080) (#12081) 
core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-19 18:33:43 +01:00
gcp-cherry-pick-bot[bot]
b51d8d0ba3 web/flows: fix invisible captcha call (cherry-pick #12048) (#12049) 
web/flows: fix invisible captcha call (#12048)

* fix invisible captcha call

* fix invisible captcha DOM removal

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-15 18:50:57 +01:00
gcp-cherry-pick-bot[bot]
7e8891338f rbac: fix incorrect object_description for object-level permissions (cherry-pick #12029) (#12043) 
rbac: fix incorrect object_description for object-level permissions (#12029)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-15 14:22:22 +01:00
gcp-cherry-pick-bot[bot]
3ae0001bb5 providers/ldap: fix global search_full_directory permission not being sufficient (cherry-pick #12028) (#12030) 
providers/ldap: fix global search_full_directory permission not being sufficient (#12028)

* providers/ldap: fix global search_full_directory permission not being sufficient



* use full name of permission



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-15 13:52:39 +01:00
Jens Langhammer
66a4970014 release: 2024.10.2 2024-11-14 17:05:40 +01:00
gcp-cherry-pick-bot[bot]
7ab9300761 website/docs: 2024.10.2 release notes (cherry-pick #12025) (#12026) 
website/docs: 2024.10.2 release notes (#12025)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-14 17:00:32 +01:00
gcp-cherry-pick-bot[bot]
a2eccd5022 core: use versioned_script for path only (cherry-pick #12003) (#12023) 
core: use versioned_script for path only (#12003)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-14 14:03:03 +01:00
gcp-cherry-pick-bot[bot]
31aeaa247f providers/oauth2: fix manual device code entry (cherry-pick #12017) (#12019) 
providers/oauth2: fix manual device code entry (#12017)

* providers/oauth2: fix manual device code entry



* make code input a char field to prevent leading 0s from being cut off



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-13 21:59:10 +01:00
gcp-cherry-pick-bot[bot]
f49008bbb6 crypto: validate that generated certificate's name is unique (cherry-pick #12015) (#12016) 
crypto: validate that generated certificate's name is unique (#12015)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-13 17:05:59 +01:00
gcp-cherry-pick-bot[bot]
feb13c8ee5 providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (cherry-pick #11968) (#12005) 
providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)

correctly use host_browser's hostname as host header for token requests to ensure Issuer is identical

Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-13 00:59:10 +01:00
authentik-automation[bot]
d5ef831718 web: bump API Client version (#11992) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	web/package-lock.json
#	web/package.json
 2024-11-11 14:30:24 +01:00
gcp-cherry-pick-bot[bot]
64676819ec blueprints: add default Password policy (cherry-pick #11793) (#11993) 
blueprints: add default Password policy (#11793)

* add password policy to default password change flow

This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password

More work is needed to comply with other parts of the Guidelines,
specifically

> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.

and

> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.

* add docs for default Password policy

* remove HIBP from default Password policy

* add zxcvbn to default Password policy

* add fallback password error message to password policy, fix validation policy



* reword docs




* add HIBP caveat




* separate policy into separate blueprint



* use password policy for oobe flow



* kiss



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-11-11 13:54:44 +01:00
gcp-cherry-pick-bot[bot]
7ed268fef4 stages/captcha: Run interactive captcha in Frame (cherry-pick #11857) (#11991) 
stages/captcha: Run interactive captcha in Frame (#11857)

* initial turnstile frame



* add interactive flag



* add interactive support for all



* fix missing migration



* don't hide in identification stage if interactive



* fixup



* require less hacky css



* update docs



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-11 13:31:01 +01:00
gcp-cherry-pick-bot[bot]
f6526d1be9 stages/password: use recovery flow from brand (cherry-pick #11953) (#11969) 
stages/password: use recovery flow from brand (#11953)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-08 16:56:16 +01:00
gcp-cherry-pick-bot[bot]
12f8b4566b website/docs: fix slug matching redirect URI causing broken refresh (cherry-pick #11950) (#11954) 
website/docs: fix slug matching redirect URI causing broken refresh (#11950)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-07 19:26:49 +01:00
Simonyi Gergő
665de8ef22 release: 2024.10.1 2024-11-05 18:06:32 +01:00
gcp-cherry-pick-bot[bot]
9eaa723bf8 website/docs: 2024.10.1 Release Notes (cherry-pick #11926) (#11928) 
website/docs: `2024.10.1` Release Notes (#11926)

* fix API Changes in `2024.10` changelog

* add `2024.10.1` API Changes to changelog

* add changes in `2024.10.1` to changelog

* change `details` to `h3` in changelog

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-05 18:05:00 +01:00
gcp-cherry-pick-bot[bot]
b2ca9c8cbc website: remove RC disclaimer for version 2024.10 (cherry-pick #11871) (#11920) 
website: remove RC disclaimer for version 2024.10 (#11871)

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-05 12:13:11 +01:00
gcp-cherry-pick-bot[bot]
7927392100 website/docs: add info about invalidation flow, default flows in general (cherry-pick #11800) (#11921) 
website/docs: add info about invalidation flow, default flows in general (#11800)

* restructure

* tweak

* fix header

* added more definitions

* jens excellent idea

* restructure the Layouts content

* tweaks

* links fix

* links still

* fighting links and cache

* argh links

* ditto

* remove link

* anothe link

* Jens' edit

* listed default flows set by brand

* add links back

* tweaks

* used import for list

* tweak

* rewrite some stuff



* format



* mangled rebase, fixed

* bump

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2024-11-05 12:12:59 +01:00
gcp-cherry-pick-bot[bot]
d8d07e32cb website: fix docs redirect (cherry-pick #11873) (#11922) 
website: fix docs redirect (#11873)

fix docs redirect

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-05 12:12:46 +01:00
gcp-cherry-pick-bot[bot]
f7c5d329eb website/docs: fix release notes to say Federation (cherry-pick #11889) (#11923) 
website/docs: fix release notes to say Federation (#11889)

* fix Federation

* typo

* added back should

* slooooow down

---------

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
 2024-11-05 12:12:27 +01:00
gcp-cherry-pick-bot[bot]
92dec32547 enterprise/rac: fix API Schema for invalidation_flow (cherry-pick #11907) (#11908) 
enterprise/rac: fix API Schema for invalidation_flow (#11907)

* enterprise/rac: fix API Schema for invalidation_flow



* fix tests



* add tests



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-11-04 20:42:41 +01:00
gcp-cherry-pick-bot[bot]
510feccd31 core: add None check to a device's extra_description (cherry-pick #11904) (#11906) 
core: add `None` check to a device's `extra_description` (#11904)

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-04 18:12:34 +01:00
Jens L
364a9a1f02 web: fix missing status code on failed build (#11903) 
* fix missing status code on failed build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	web/xliff/tr.xlf
 2024-11-04 18:06:22 +01:00
gcp-cherry-pick-bot[bot]
40cbb7567b providers/oauth2: fix size limited index for tokens (cherry-pick #11879) (#11905) 
providers/oauth2: fix size limited index for tokens (#11879)

* providers/oauth2: fix size limited index for tokens

I preserved the migrations as comments so the index IDs and migration
IDs remain searchable without accessing git history.

* rename migration file to more descriptive

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-11-04 18:05:55 +01:00
gcp-cherry-pick-bot[bot]
8ad0f63994 website: update supported versions (cherry-pick #11841) (#11872) 
website: update supported versions (#11841)

update supported versions

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2024-10-31 12:59:54 +01:00
Simonyi Gergő
6ce33ab912 root: bumpversion 2024.10 (#11865) 
release: 2024.10.0
 2024-10-30 22:45:48 +01:00
gcp-cherry-pick-bot[bot]
d96b577abd web/admin: fix code-based MFA toggle not working in wizard (cherry-pick #11854) (#11855) 
web/admin: fix code-based MFA toggle not working in wizard (#11854)

closes #11834

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-10-29 20:19:54 +01:00
gcp-cherry-pick-bot[bot]
8c547589f6 sources/kerberos: add kiprop to ignored system principals (cherry-pick #11852) (#11853) 
sources/kerberos: add kiprop to ignored system principals (#11852)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2024-10-29 17:31:32 +01:00
gcp-cherry-pick-bot[bot]
3775e5b84f website: 2024.10 Release Notes (cherry-pick #11839) (#11840) 
website: 2024.10 Release Notes (#11839)

* generate diffs and changelog

* add 2024.10 release notes

* reorder release note highlights

* lint website

* reorder release note new features

* reword Kerberos




* extend JWE description




---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-10-28 17:27:59 +01:00
gcp-cherry-pick-bot[bot]
fa30339f65 website/docs: remove � (cherry-pick #11823) (#11835) 
website/docs: remove � (#11823)

remove 

Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com>
Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com>
 2024-10-28 13:21:02 +01:00
gcp-cherry-pick-bot[bot]
e825eda106 website/docs: Update social-logins github (cherry-pick #11822) (#11836) 
website/docs: Update social-logins github (#11822)

Update index.md

Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com>
Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com>
 2024-10-28 13:20:38 +01:00
gcp-cherry-pick-bot[bot]
246cae3dfa lifecycle: fix kdc5-config missing (cherry-pick #11826) (#11829) 
lifecycle: fix kdc5-config missing (#11826)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-10-28 01:15:50 +01:00
gcp-cherry-pick-bot[bot]
6cfd2bd1af website/docs: update preview status of different features (cherry-pick #11817) (#11818) 
website/docs: update preview status of different features (#11817)

* remove preview from RAC



* add preview page instead of info box



* remove preview from rbac



* add preview to gdtc



* add preview to kerberos source



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-10-25 21:42:45 +02:00
gcp-cherry-pick-bot[bot]
f0e4f93fe6 lifecycle: fix missing krb5 deps for full testing in image (cherry-pick #11815) (#11816) 
lifecycle: fix missing krb5 deps for full testing in image (#11815)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-10-25 18:46:55 +02:00
Simonyi Gergő
434aa57ba7 release: 2024.10.0-rc1 2024-10-25 17:26:39 +02:00
164 changed files with 5950 additions and 762 deletions
Expand all files Collapse all files

2
.bumpversion.cfg
View File

@ -1,5 +1,5 @@
[bumpversion] [bumpversion]
current_version = 2024.8.3 current_version = 2024.10.3
tag = True tag = True
commit = True commit = True
parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))? parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

8
SECURITY.md
View File

@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
(.x being the latest patch release for each version) (.x being the latest patch release for each version)
| Version | Supported | | Version | Supported |
| -------- | --------- | | --------- | --------- |
| 2024.6.x | ✅ | | 2024.8.x | ✅ |
| 2024.8.x | ✅ | | 2024.10.x | ✅ |
## Reporting a Vulnerability ## Reporting a Vulnerability

2
authentik/__init__.py
View File

@ -2,7 +2,7 @@
from os import environ from os import environ
__version__ = "2024.8.3" __version__ = "2024.10.3"
ENV_GIT_HASH_KEY = "GIT_BUILD_HASH" ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

2
authentik/api/templates/api/browser.html
View File

@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
{% endblock %} {% endblock %}
{% block head %} {% block head %}
{% versioned_script "dist/standalone/api-browser/index-%v.js" %} <script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)"> <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)"> <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
{% endblock %} {% endblock %}

3
authentik/blueprints/tests/test_packaged.py
View File

@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
base = Path("blueprints/") base = Path("blueprints/")
rel_path = Path(file_name).relative_to(base) rel_path = Path(file_name).relative_to(base)
importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve()) importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
self.assertTrue(importer.validate()[0]) validation, logs = importer.validate()
self.assertTrue(validation, logs)
self.assertTrue(importer.apply()) self.assertTrue(importer.apply())
return tester return tester

8
authentik/brands/middleware.py
View File

@ -4,7 +4,7 @@ from collections.abc import Callable
from django.http.request import HttpRequest from django.http.request import HttpRequest
from django.http.response import HttpResponse from django.http.response import HttpResponse
from django.utils.translation import activate from django.utils.translation import override
from authentik.brands.utils import get_brand_for_request from authentik.brands.utils import get_brand_for_request
@ -18,10 +18,12 @@ class BrandMiddleware:
self.get_response = get_response self.get_response = get_response
def __call__(self, request: HttpRequest) -> HttpResponse: def __call__(self, request: HttpRequest) -> HttpResponse:
locale_to_set = None
if not hasattr(request, "brand"): if not hasattr(request, "brand"):
brand = get_brand_for_request(request) brand = get_brand_for_request(request)
request.brand = brand request.brand = brand
locale = brand.default_locale locale = brand.default_locale
if locale != "": if locale != "":
activate(locale) locale_to_set = locale
return self.get_response(request) with override(locale_to_set):
return self.get_response(request)

7
authentik/core/api/devices.py
View File

@ -1,5 +1,6 @@
"""Authenticator Devices API Views""" """Authenticator Devices API Views"""
from django.utils.translation import gettext_lazy as _
from drf_spectacular.types import OpenApiTypes from drf_spectacular.types import OpenApiTypes
from drf_spectacular.utils import OpenApiParameter, extend_schema from drf_spectacular.utils import OpenApiParameter, extend_schema
from rest_framework.fields import ( from rest_framework.fields import (
@ -40,7 +41,11 @@ class DeviceSerializer(MetaNameSerializer):
def get_extra_description(self, instance: Device) -> str: def get_extra_description(self, instance: Device) -> str:
"""Get extra description""" """Get extra description"""
if isinstance(instance, WebAuthnDevice): if isinstance(instance, WebAuthnDevice):
return instance.device_type.description return (
instance.device_type.description
if instance.device_type
else _("Extra description not available")
)
if isinstance(instance, EndpointDevice): if isinstance(instance, EndpointDevice):
return instance.data.get("deviceSignals", {}).get("deviceModel") return instance.data.get("deviceSignals", {}).get("deviceModel")
return "" return ""

8
authentik/core/middleware.py
View File

@ -5,7 +5,7 @@ from contextvars import ContextVar
from uuid import uuid4 from uuid import uuid4
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.utils.translation import activate from django.utils.translation import override
from sentry_sdk.api import set_tag from sentry_sdk.api import set_tag
from structlog.contextvars import STRUCTLOG_KEY_PREFIX from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -31,17 +31,19 @@ class ImpersonateMiddleware:
def __call__(self, request: HttpRequest) -> HttpResponse: def __call__(self, request: HttpRequest) -> HttpResponse:
# No permission checks are done here, they need to be checked before # No permission checks are done here, they need to be checked before
# SESSION_KEY_IMPERSONATE_USER is set. # SESSION_KEY_IMPERSONATE_USER is set.
locale_to_set = None
if request.user.is_authenticated: if request.user.is_authenticated:
locale = request.user.locale(request) locale = request.user.locale(request)
if locale != "": if locale != "":
activate(locale) locale_to_set = locale
if SESSION_KEY_IMPERSONATE_USER in request.session: if SESSION_KEY_IMPERSONATE_USER in request.session:
request.user = request.session[SESSION_KEY_IMPERSONATE_USER] request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
# Ensure that the user is active, otherwise nothing will work # Ensure that the user is active, otherwise nothing will work
request.user.is_active = True request.user.is_active = True
return self.get_response(request) with override(locale_to_set):
return self.get_response(request)
class RequestIDMiddleware: class RequestIDMiddleware:

5
authentik/core/sources/flow_manager.py
View File

@ -129,6 +129,11 @@ class SourceFlowManager:
) )
new_connection.user = self.request.user new_connection.user = self.request.user
new_connection = self.update_user_connection(new_connection, **kwargs) new_connection = self.update_user_connection(new_connection, **kwargs)
if existing := self.user_connection_type.objects.filter(
source=self.source, identifier=self.identifier
).first():
existing = self.update_user_connection(existing)
return Action.AUTH, existing
return Action.LINK, new_connection return Action.LINK, new_connection
action, connection = self.matcher.get_user_action(self.identifier, self.user_properties) action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)

4
authentik/core/templates/base/skeleton.html
View File

@ -15,8 +15,8 @@
{% endblock %} {% endblock %}
<link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}"> <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
<link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject> <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
{% versioned_script "dist/poly-%v.js" %} <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
{% versioned_script "dist/standalone/loading/index-%v.js" %} <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
{% block head %} {% block head %}
{% endblock %} {% endblock %}
<meta name="sentry-trace" content="{{ sentry_trace }}" /> <meta name="sentry-trace" content="{{ sentry_trace }}" />

2
authentik/core/templates/if/admin.html
View File

@ -3,7 +3,7 @@
{% load authentik_core %} {% load authentik_core %}
{% block head %} {% block head %}
{% versioned_script "dist/admin/AdminInterface-%v.js" %} <script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
{% include "base/header_js.html" %} {% include "base/header_js.html" %}

2
authentik/core/templates/if/user.html
View File

@ -3,7 +3,7 @@
{% load authentik_core %} {% load authentik_core %}
{% block head %} {% block head %}
{% versioned_script "dist/user/UserInterface-%v.js" %} <script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)"> <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)"> <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
{% include "base/header_js.html" %} {% include "base/header_js.html" %}

9
authentik/core/templatetags/authentik_core.py
View File

@ -2,7 +2,6 @@
from django import template from django import template
from django.templatetags.static import static as static_loader from django.templatetags.static import static as static_loader
from django.utils.safestring import mark_safe
from authentik import get_full_version from authentik import get_full_version
@ -12,10 +11,4 @@ register = template.Library()
@register.simple_tag() @register.simple_tag()
def versioned_script(path: str) -> str: def versioned_script(path: str) -> str:
"""Wrapper around {% static %} tag that supports setting the version""" """Wrapper around {% static %} tag that supports setting the version"""
returned_lines = [ return static_loader(path.replace("%v", get_full_version()))
(
f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
'" type="module"></script>'
),
]
return mark_safe("".join(returned_lines)) # nosec

4
authentik/core/tests/test_applications_api.py
View File

@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.policies.dummy.models import DummyPolicy from authentik.policies.dummy.models import DummyPolicy
from authentik.policies.models import PolicyBinding from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.models import OAuth2Provider from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
from authentik.providers.proxy.models import ProxyProvider from authentik.providers.proxy.models import ProxyProvider
from authentik.providers.saml.models import SAMLProvider from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
self.user = create_test_admin_user() self.user = create_test_admin_user()
self.provider = OAuth2Provider.objects.create( self.provider = OAuth2Provider.objects.create(
name="test", name="test",
redirect_uris="http://some-other-domain", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
) )
self.allowed: Application = Application.objects.create( self.allowed: Application = Application.objects.create(

16
authentik/core/tests/test_source_flow_manager.py
View File

@ -81,6 +81,22 @@ class TestSourceFlowManager(TestCase):
reverse("authentik_core:if-user") + "#/settings;page-sources", reverse("authentik_core:if-user") + "#/settings;page-sources",
) )
def test_authenticated_auth(self):
"""Test authenticated user linking"""
user = User.objects.create(username="foo", email="foo@bar.baz")
UserOAuthSourceConnection.objects.create(
user=user, source=self.source, identifier=self.identifier
)
request = get_request("/", user=user)
flow_manager = OAuthSourceFlowManager(
self.source, request, self.identifier, {"info": {}}, {}
)
action, connection = flow_manager.get_action()
self.assertEqual(action, Action.AUTH)
self.assertIsNotNone(connection.pk)
response = flow_manager.get_flow()
self.assertEqual(response.status_code, 302)
def test_unauthenticated_link(self): def test_unauthenticated_link(self):
"""Test un-authenticated user linking""" """Test un-authenticated user linking"""
flow_manager = OAuthSourceFlowManager( flow_manager = OAuthSourceFlowManager(

2
authentik/core/tests/test_transactional_applications_api.py
View File

@ -31,6 +31,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
"name": uid, "name": uid,
"authorization_flow": str(create_test_flow().pk), "authorization_flow": str(create_test_flow().pk),
"invalidation_flow": str(create_test_flow().pk), "invalidation_flow": str(create_test_flow().pk),
"redirect_uris": [],
}, },
}, },
) )
@ -57,6 +58,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
"name": uid, "name": uid,
"authorization_flow": "", "authorization_flow": "",
"invalidation_flow": "", "invalidation_flow": "",
"redirect_uris": [],
}, },
}, },
) )

11
authentik/crypto/api.py
View File

@ -24,6 +24,7 @@ from rest_framework.fields import (
from rest_framework.filters import OrderingFilter, SearchFilter from rest_framework.filters import OrderingFilter, SearchFilter
from rest_framework.request import Request from rest_framework.request import Request
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.validators import UniqueValidator
from rest_framework.viewsets import ModelViewSet from rest_framework.viewsets import ModelViewSet
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
@ -181,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
class CertificateGenerationSerializer(PassiveSerializer): class CertificateGenerationSerializer(PassiveSerializer):
"""Certificate generation parameters""" """Certificate generation parameters"""
common_name = CharField() common_name = CharField(
validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
source="name",
)
subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name")) subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
validity_days = IntegerField(initial=365) validity_days = IntegerField(initial=365)
alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices) alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -242,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
def generate(self, request: Request) -> Response: def generate(self, request: Request) -> Response:
"""Generate a new, self-signed certificate-key pair""" """Generate a new, self-signed certificate-key pair"""
data = CertificateGenerationSerializer(data=request.data) data = CertificateGenerationSerializer(data=request.data)
if not data.is_valid(): data.is_valid(raise_exception=True)
return Response(data.errors, status=400)
raw_san = data.validated_data.get("subject_alt_name", "") raw_san = data.validated_data.get("subject_alt_name", "")
sans = raw_san.split(",") if raw_san != "" else [] sans = raw_san.split(",") if raw_san != "" else []
builder = CertificateBuilder(data.validated_data["common_name"]) builder = CertificateBuilder(data.validated_data["name"])
builder.alg = data.validated_data["alg"] builder.alg = data.validated_data["alg"]
builder.build( builder.build(
subject_alt_names=sans, subject_alt_names=sans,

17
authentik/crypto/tests.py
View File

@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
from authentik.lib.config import CONFIG from authentik.lib.config import CONFIG
from authentik.lib.generators import generate_id, generate_key from authentik.lib.generators import generate_id, generate_key
from authentik.providers.oauth2.models import OAuth2Provider from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
class TestCrypto(APITestCase): class TestCrypto(APITestCase):
@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
self.assertIsInstance(ext[1], DNSName) self.assertIsInstance(ext[1], DNSName)
self.assertEqual(ext[1].value, "baz") self.assertEqual(ext[1].value, "baz")
def test_builder_api_duplicate(self):
"""Test Builder (via API)"""
cert = create_test_cert()
self.client.force_login(create_test_admin_user())
res = self.client.post(
reverse("authentik_api:certificatekeypair-generate"),
data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
)
self.assertEqual(res.status_code, 400)
self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
def test_builder_api_empty_san(self): def test_builder_api_empty_san(self):
"""Test Builder (via API)""" """Test Builder (via API)"""
self.client.force_login(create_test_admin_user()) self.client.force_login(create_test_admin_user())
@ -263,7 +274,7 @@ class TestCrypto(APITestCase):
client_id="test", client_id="test",
client_secret=generate_key(), client_secret=generate_key(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=keypair, signing_key=keypair,
) )
response = self.client.get( response = self.client.get(
@ -295,7 +306,7 @@ class TestCrypto(APITestCase):
client_id="test", client_id="test",
client_secret=generate_key(), client_secret=generate_key(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=keypair, signing_key=keypair,
) )
response = self.client.get( response = self.client.get(

19
authentik/enterprise/providers/rac/api/providers.py
View File

@ -16,13 +16,28 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
class Meta: class Meta:
model = RACProvider model = RACProvider
fields = ProviderSerializer.Meta.fields + [ fields = [
"pk",
"name",
"authentication_flow",
"authorization_flow",
"property_mappings",
"component",
"assigned_application_slug",
"assigned_application_name",
"assigned_backchannel_application_slug",
"assigned_backchannel_application_name",
"verbose_name",
"verbose_name_plural",
"meta_model_name",
"settings", "settings",
"outpost_set", "outpost_set",
"connection_expiry", "connection_expiry",
"delete_token_on_disconnect", "delete_token_on_disconnect",
] ]
extra_kwargs = ProviderSerializer.Meta.extra_kwargs extra_kwargs = {
"authorization_flow": {"required": True, "allow_null": False},
}
class RACProviderViewSet(UsedByMixin, ModelViewSet): class RACProviderViewSet(UsedByMixin, ModelViewSet):

2
authentik/enterprise/providers/rac/templates/if/rac.html
View File

@ -3,7 +3,7 @@
{% load authentik_core %} {% load authentik_core %}
{% block head %} {% block head %}
{% versioned_script "dist/enterprise/rac/index-%v.js" %} <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)"> <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)"> <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
<link rel="icon" href="{{ tenant.branding_favicon }}"> <link rel="icon" href="{{ tenant.branding_favicon }}">

46
authentik/enterprise/providers/rac/tests/test_api.py Normal file
View File

@ -0,0 +1,46 @@
"""Test RAC Provider"""
from datetime import timedelta
from time import mktime
from unittest.mock import MagicMock, patch
from django.urls import reverse
from django.utils.timezone import now
from rest_framework.test import APITestCase
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.enterprise.license import LicenseKey
from authentik.enterprise.models import License
from authentik.lib.generators import generate_id
class TestAPI(APITestCase):
"""Test Provider API"""
def setUp(self) -> None:
self.user = create_test_admin_user()
@patch(
"authentik.enterprise.license.LicenseKey.validate",
MagicMock(
return_value=LicenseKey(
aud="",
exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
name=generate_id(),
internal_users=100,
external_users=100,
)
),
)
def test_create(self):
"""Test creation of RAC Provider"""
License.objects.create(key=generate_id())
self.client.force_login(self.user)
response = self.client.post(
reverse("authentik_api:racprovider-list"),
data={
"name": generate_id(),
"authorization_flow": create_test_flow().pk,
},
)
self.assertEqual(response.status_code, 201)

3
authentik/enterprise/providers/rac/tests/test_endpoints_api.py
View File

@ -68,7 +68,6 @@ class TestEndpointsAPI(APITestCase):
"name": self.provider.name, "name": self.provider.name,
"authentication_flow": None, "authentication_flow": None,
"authorization_flow": None, "authorization_flow": None,
"invalidation_flow": None,
"property_mappings": [], "property_mappings": [],
"connection_expiry": "hours=8", "connection_expiry": "hours=8",
"delete_token_on_disconnect": False, "delete_token_on_disconnect": False,
@ -121,7 +120,6 @@ class TestEndpointsAPI(APITestCase):
"name": self.provider.name, "name": self.provider.name,
"authentication_flow": None, "authentication_flow": None,
"authorization_flow": None, "authorization_flow": None,
"invalidation_flow": None,
"property_mappings": [], "property_mappings": [],
"component": "ak-provider-rac-form", "component": "ak-provider-rac-form",
"assigned_application_slug": self.app.slug, "assigned_application_slug": self.app.slug,
@ -151,7 +149,6 @@ class TestEndpointsAPI(APITestCase):
"name": self.provider.name, "name": self.provider.name,
"authentication_flow": None, "authentication_flow": None,
"authorization_flow": None, "authorization_flow": None,
"invalidation_flow": None,
"property_mappings": [], "property_mappings": [],
"component": "ak-provider-rac-form", "component": "ak-provider-rac-form",
"assigned_application_slug": self.app.slug, "assigned_application_slug": self.app.slug,

2
authentik/flows/templates/if/flow.html
View File

@ -18,7 +18,7 @@ window.authentik.flow = {
{% endblock %} {% endblock %}
{% block head %} {% block head %}
{% versioned_script "dist/flow/FlowInterface-%v.js" %} <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
<style> <style>
:root { :root {
--ak-flow-background: url("{{ flow.background_url }}"); --ak-flow-background: url("{{ flow.background_url }}");

4
authentik/policies/password/models.py
View File

@ -89,6 +89,10 @@ class PasswordPolicy(Policy):
def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult: def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
"""Check static rules""" """Check static rules"""
error_message = self.error_message
if error_message == "":
error_message = _("Invalid password.")
if len(password) < self.length_min: if len(password) < self.length_min:
LOGGER.debug("password failed", check="static", reason="length") LOGGER.debug("password failed", check="static", reason="length")
return PolicyResult(False, self.error_message) return PolicyResult(False, self.error_message)

5
authentik/providers/ldap/api.py
View File

@ -159,7 +159,10 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
access_response = PolicyResult(result.passing) access_response = PolicyResult(result.passing)
response = self.LDAPCheckAccessSerializer( response = self.LDAPCheckAccessSerializer(
instance={ instance={
"has_search_permission": request.user.has_perm("search_full_directory", provider), "has_search_permission": (
request.user.has_perm("search_full_directory", provider)
or request.user.has_perm("authentik_providers_ldap.search_full_directory")
),
"access": access_response, "access": access_response,
} }
) )

34
authentik/providers/oauth2/api/providers.py
View File

@ -1,15 +1,18 @@
"""OAuth2Provider API Views""" """OAuth2Provider API Views"""
from copy import copy from copy import copy
from re import compile
from re import error as RegexError
from django.urls import reverse from django.urls import reverse
from django.utils import timezone from django.utils import timezone
from django.utils.translation import gettext_lazy as _
from drf_spectacular.types import OpenApiTypes from drf_spectacular.types import OpenApiTypes
from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
from guardian.shortcuts import get_objects_for_user from guardian.shortcuts import get_objects_for_user
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.exceptions import ValidationError from rest_framework.exceptions import ValidationError
from rest_framework.fields import CharField from rest_framework.fields import CharField, ChoiceField
from rest_framework.generics import get_object_or_404 from rest_framework.generics import get_object_or_404
from rest_framework.request import Request from rest_framework.request import Request
from rest_framework.response import Response from rest_framework.response import Response
@ -20,13 +23,39 @@ from authentik.core.api.used_by import UsedByMixin
from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
from authentik.core.models import Provider from authentik.core.models import Provider
from authentik.providers.oauth2.id_token import IDToken from authentik.providers.oauth2.id_token import IDToken
from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
AccessToken,
OAuth2Provider,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.rbac.decorators import permission_required from authentik.rbac.decorators import permission_required
class RedirectURISerializer(PassiveSerializer):
"""A single allowed redirect URI entry"""
matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
url = CharField()
class OAuth2ProviderSerializer(ProviderSerializer): class OAuth2ProviderSerializer(ProviderSerializer):
"""OAuth2Provider Serializer""" """OAuth2Provider Serializer"""
redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
def validate_redirect_uris(self, data: list) -> list:
for entry in data:
if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
url = entry.get("url")
try:
compile(url)
except RegexError:
raise ValidationError(
_("Invalid Regex Pattern: {url}".format(url=url))
) from None
return data
class Meta: class Meta:
model = OAuth2Provider model = OAuth2Provider
fields = ProviderSerializer.Meta.fields + [ fields = ProviderSerializer.Meta.fields + [
@ -79,7 +108,6 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
"refresh_token_validity", "refresh_token_validity",
"include_claims_in_id_token", "include_claims_in_id_token",
"signing_key", "signing_key",
"redirect_uris",
"sub_mode", "sub_mode",
"property_mappings", "property_mappings",
"issuer_mode", "issuer_mode",

6
authentik/providers/oauth2/errors.py
View File

@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
from authentik.events.models import Event, EventAction from authentik.events.models import Event, EventAction
from authentik.lib.sentry import SentryIgnoredException from authentik.lib.sentry import SentryIgnoredException
from authentik.lib.views import bad_request_message from authentik.lib.views import bad_request_message
from authentik.providers.oauth2.models import GrantTypes from authentik.providers.oauth2.models import GrantTypes, RedirectURI
class OAuth2Error(SentryIgnoredException): class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
) )
provided_uri: str provided_uri: str
allowed_uris: list[str] allowed_uris: list[RedirectURI]
def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None: def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
super().__init__() super().__init__()
self.provided_uri = provided_uri self.provided_uri = provided_uri
self.allowed_uris = allowed_uris self.allowed_uris = allowed_uris

23
authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
View File

@ -11,13 +11,16 @@ class Migration(migrations.Migration):
migrations.swappable_dependency(settings.AUTH_USER_MODEL), migrations.swappable_dependency(settings.AUTH_USER_MODEL),
] ]
operations = [ # Original preserved
migrations.AddIndex( # See https://github.com/goauthentik/authentik/issues/11874
model_name="accesstoken", # operations = [
index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"), # migrations.AddIndex(
), # model_name="accesstoken",
migrations.AddIndex( # index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
model_name="refreshtoken", # ),
index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"), # migrations.AddIndex(
), # model_name="refreshtoken",
] # index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
# ),
# ]
operations = []

39
authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
View File

@ -11,21 +11,24 @@ class Migration(migrations.Migration):
migrations.swappable_dependency(settings.AUTH_USER_MODEL), migrations.swappable_dependency(settings.AUTH_USER_MODEL),
] ]
operations = [ # Original preserved
migrations.RemoveIndex( # See https://github.com/goauthentik/authentik/issues/11874
model_name="accesstoken", # operations = [
name="authentik_p_token_4bc870_idx", # migrations.RemoveIndex(
), # model_name="accesstoken",
migrations.RemoveIndex( # name="authentik_p_token_4bc870_idx",
model_name="refreshtoken", # ),
name="authentik_p_token_1a841f_idx", # migrations.RemoveIndex(
), # model_name="refreshtoken",
migrations.AddIndex( # name="authentik_p_token_1a841f_idx",
model_name="accesstoken", # ),
index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"), # migrations.AddIndex(
), # model_name="accesstoken",
migrations.AddIndex( # index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
model_name="refreshtoken", # ),
index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"), # migrations.AddIndex(
), # model_name="refreshtoken",
] # index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
# ),
# ]
operations = []

31
authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py Normal file
View File

@ -0,0 +1,31 @@
# Generated by Django 5.0.9 on 2024-10-31 14:28
import django.contrib.postgres.indexes
from django.conf import settings
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
("authentik_core", "0040_provider_invalidation_flow"),
("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
]
operations = [
migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
migrations.AddIndex(
model_name="accesstoken",
index=django.contrib.postgres.indexes.HashIndex(
fields=["token"], name="authentik_p_token_e00883_hash"
),
),
migrations.AddIndex(
model_name="refreshtoken",
index=django.contrib.postgres.indexes.HashIndex(
fields=["token"], name="authentik_p_token_32e2b7_hash"
),
),
]

48
authentik/providers/oauth2/migrations/0024_remove_oauth2provider_redirect_uris_and_more.py Normal file
View File

@ -0,0 +1,48 @@
# Generated by Django 5.0.9 on 2024-11-04 12:56
from django.apps.registry import Apps
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from django.db import migrations, models
def migrate_redirect_uris(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
from authentik.providers.oauth2.models import RedirectURI, RedirectURIMatchingMode
OAuth2Provider = apps.get_model("authentik_providers_oauth2", "oauth2provider")
db_alias = schema_editor.connection.alias
for provider in OAuth2Provider.objects.using(db_alias).all():
uris = []
for old in provider.old_redirect_uris.split("\n"):
mode = RedirectURIMatchingMode.STRICT
if old == "*" or old == ".*":
mode = RedirectURIMatchingMode.REGEX
uris.append(RedirectURI(mode, url=old))
provider.redirect_uris = uris
provider.save()
class Migration(migrations.Migration):
dependencies = [
("authentik_providers_oauth2", "0023_alter_accesstoken_refreshtoken_use_hash_index"),
]
operations = [
migrations.RenameField(
model_name="oauth2provider",
old_name="redirect_uris",
new_name="old_redirect_uris",
),
migrations.AddField(
model_name="oauth2provider",
name="_redirect_uris",
field=models.JSONField(default=dict, verbose_name="Redirect URIs"),
),
migrations.RunPython(migrate_redirect_uris, lambda *args: ...),
migrations.RemoveField(
model_name="oauth2provider",
name="old_redirect_uris",
),
]

57
authentik/providers/oauth2/models.py
View File

@ -3,7 +3,7 @@
import base64 import base64
import binascii import binascii
import json import json
from dataclasses import asdict from dataclasses import asdict, dataclass
from functools import cached_property from functools import cached_property
from hashlib import sha256 from hashlib import sha256
from typing import Any from typing import Any
@ -12,7 +12,9 @@ from urllib.parse import urlparse, urlunparse
from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
from dacite import Config
from dacite.core import from_dict from dacite.core import from_dict
from django.contrib.postgres.indexes import HashIndex
from django.db import models from django.db import models
from django.http import HttpRequest from django.http import HttpRequest
from django.templatetags.static import static from django.templatetags.static import static
@ -76,11 +78,25 @@ class IssuerMode(models.TextChoices):
"""Configure how the `iss` field is created.""" """Configure how the `iss` field is created."""
GLOBAL = "global", _("Same identifier is used for all providers") GLOBAL = "global", _("Same identifier is used for all providers")
PER_PROVIDER = "per_provider", _( PER_PROVIDER = (
"Each provider has a different issuer, based on the application slug." "per_provider",
_("Each provider has a different issuer, based on the application slug."),
) )
class RedirectURIMatchingMode(models.TextChoices):
STRICT = "strict", _("Strict URL comparison")
REGEX = "regex", _("Regular Expression URL matching")
@dataclass
class RedirectURI:
"""A single redirect URI entry"""
matching_mode: RedirectURIMatchingMode
url: str
class ResponseTypes(models.TextChoices): class ResponseTypes(models.TextChoices):
"""Response Type required by the client.""" """Response Type required by the client."""
@ -155,11 +171,9 @@ class OAuth2Provider(WebfingerProvider, Provider):
verbose_name=_("Client Secret"), verbose_name=_("Client Secret"),
default=generate_client_secret, default=generate_client_secret,
) )
redirect_uris = models.TextField( _redirect_uris = models.JSONField(
default="", default=dict,
blank=True,
verbose_name=_("Redirect URIs"), verbose_name=_("Redirect URIs"),
help_text=_("Enter each URI on a new line."),
) )
include_claims_in_id_token = models.BooleanField( include_claims_in_id_token = models.BooleanField(
@ -270,12 +284,33 @@ class OAuth2Provider(WebfingerProvider, Provider):
except Provider.application.RelatedObjectDoesNotExist: except Provider.application.RelatedObjectDoesNotExist:
return None return None
@property
def redirect_uris(self) -> list[RedirectURI]:
uris = []
for entry in self._redirect_uris:
uris.append(
from_dict(
RedirectURI,
entry,
config=Config(type_hooks={RedirectURIMatchingMode: RedirectURIMatchingMode}),
)
)
return uris
@redirect_uris.setter
def redirect_uris(self, value: list[RedirectURI]):
cleansed = []
for entry in value:
cleansed.append(asdict(entry))
self._redirect_uris = cleansed
@property @property
def launch_url(self) -> str | None: def launch_url(self) -> str | None:
"""Guess launch_url based on first redirect_uri""" """Guess launch_url based on first redirect_uri"""
if self.redirect_uris == "": redirects = self.redirect_uris
if len(redirects) < 1:
return None return None
main_url = self.redirect_uris.split("\n", maxsplit=1)[0] main_url = redirects[0].url
try: try:
launch_url = urlparse(main_url)._replace(path="") launch_url = urlparse(main_url)._replace(path="")
return urlunparse(launch_url) return urlunparse(launch_url)
@ -418,7 +453,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
class Meta: class Meta:
indexes = [ indexes = [
models.Index(fields=["token", "provider"]), HashIndex(fields=["token"]),
] ]
verbose_name = _("OAuth2 Access Token") verbose_name = _("OAuth2 Access Token")
verbose_name_plural = _("OAuth2 Access Tokens") verbose_name_plural = _("OAuth2 Access Tokens")
@ -464,7 +499,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
class Meta: class Meta:
indexes = [ indexes = [
models.Index(fields=["token", "provider"]), HashIndex(fields=["token"]),
] ]
verbose_name = _("OAuth2 Refresh Token") verbose_name = _("OAuth2 Refresh Token")
verbose_name_plural = _("OAuth2 Refresh Tokens") verbose_name_plural = _("OAuth2 Refresh Tokens")

36
authentik/providers/oauth2/tests/test_api.py
View File

@ -10,7 +10,13 @@ from rest_framework.test import APITestCase
from authentik.blueprints.tests import apply_blueprint from authentik.blueprints.tests import apply_blueprint
from authentik.core.models import Application from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
class TestAPI(APITestCase): class TestAPI(APITestCase):
@ -21,7 +27,7 @@ class TestAPI(APITestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create( self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())
self.app = Application.objects.create(name="test", slug="test", provider=self.provider) self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
@ -50,9 +56,29 @@ class TestAPI(APITestCase):
@skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up") @skipUnless(version_info >= (3, 11, 4), "This behaviour is only Python 3.11.4 and up")
def test_launch_url(self): def test_launch_url(self):
"""Test launch_url""" """Test launch_url"""
self.provider.redirect_uris = ( self.provider.redirect_uris = [
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/\n" RedirectURI(
) RedirectURIMatchingMode.REGEX,
"https://[\\d\\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/",
),
]
self.provider.save() self.provider.save()
self.provider.refresh_from_db() self.provider.refresh_from_db()
self.assertIsNone(self.provider.launch_url) self.assertIsNone(self.provider.launch_url)
def test_validate_redirect_uris(self):
"""Test redirect_uris API"""
response = self.client.post(
reverse("authentik_api:oauth2provider-list"),
data={
"name": generate_id(),
"authorization_flow": create_test_flow().pk,
"invalidation_flow": create_test_flow().pk,
"redirect_uris": [
{"matching_mode": "strict", "url": "http://goauthentik.io"},
{"matching_mode": "regex", "url": "**"},
],
},
)
self.assertJSONEqual(response.content, {"redirect_uris": ["Invalid Regex Pattern: **"]})
self.assertEqual(response.status_code, 400)

32
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -19,6 +19,8 @@ from authentik.providers.oauth2.models import (
AuthorizationCode, AuthorizationCode,
GrantTypes, GrantTypes,
OAuth2Provider, OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping, ScopeMapping,
) )
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -39,7 +41,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
) )
with self.assertRaises(AuthorizeError): with self.assertRaises(AuthorizeError):
request = self.factory.get( request = self.factory.get(
@ -64,7 +66,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
) )
with self.assertRaises(AuthorizeError): with self.assertRaises(AuthorizeError):
request = self.factory.get( request = self.factory.get(
@ -84,7 +86,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
) )
with self.assertRaises(RedirectUriError): with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -106,7 +108,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="data:local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
) )
with self.assertRaises(RedirectUriError): with self.assertRaises(RedirectUriError):
request = self.factory.get( request = self.factory.get(
@ -125,7 +127,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="", redirect_uris=[],
) )
with self.assertRaises(RedirectUriError): with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -140,7 +142,7 @@ class TestAuthorize(OAuthTestCase):
) )
OAuthAuthorizationParams.from_request(request) OAuthAuthorizationParams.from_request(request)
provider.refresh_from_db() provider.refresh_from_db()
self.assertEqual(provider.redirect_uris, "+") self.assertEqual(provider.redirect_uris, [RedirectURI(RedirectURIMatchingMode.STRICT, "+")])
def test_invalid_redirect_uri_regex(self): def test_invalid_redirect_uri_regex(self):
"""test missing/invalid redirect URI""" """test missing/invalid redirect URI"""
@ -148,7 +150,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid?", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
) )
with self.assertRaises(RedirectUriError): with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -170,7 +172,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="+", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
) )
with self.assertRaises(RedirectUriError): with self.assertRaises(RedirectUriError):
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"}) request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
@ -213,7 +215,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid/Foo", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(
@ -301,7 +303,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="foo://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100", access_code_validity="seconds=100",
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)
@ -343,7 +345,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair, signing_key=self.keypair,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -420,7 +422,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair, signing_key=self.keypair,
encryption_key=self.keypair, encryption_key=self.keypair,
) )
@ -486,7 +488,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair, signing_key=self.keypair,
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)
@ -541,7 +543,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id=generate_id(), client_id=generate_id(),
authorization_flow=flow, authorization_flow=flow,
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair, signing_key=self.keypair,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -599,7 +601,7 @@ class TestAuthorize(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id=generate_id(), client_id=generate_id(),
authorization_flow=flow, authorization_flow=flow,
redirect_uris="http://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
signing_key=self.keypair, signing_key=self.keypair,
) )
app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider) app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)

76
authentik/providers/oauth2/tests/test_device_init.py
View File

@ -3,6 +3,7 @@
from urllib.parse import urlencode from urllib.parse import urlencode
from django.urls import reverse from django.urls import reverse
from rest_framework.test import APIClient
from authentik.core.models import Application, Group from authentik.core.models import Application, Group
from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
@ -34,7 +35,10 @@ class TesOAuth2DeviceInit(OAuthTestCase):
self.brand.flow_device_code = self.device_flow self.brand.flow_device_code = self.device_flow
self.brand.save() self.brand.save()
def test_device_init(self): self.api_client = APIClient()
self.api_client.force_login(self.user)
def test_device_init_get(self):
"""Test device init""" """Test device init"""
res = self.client.get(reverse("authentik_providers_oauth2_root:device-login")) res = self.client.get(reverse("authentik_providers_oauth2_root:device-login"))
self.assertEqual(res.status_code, 302) self.assertEqual(res.status_code, 302)
@ -48,6 +52,76 @@ class TesOAuth2DeviceInit(OAuthTestCase):
), ),
) )
def test_device_init_post(self):
"""Test device init"""
res = self.api_client.get(reverse("authentik_providers_oauth2_root:device-login"))
self.assertEqual(res.status_code, 302)
self.assertEqual(
res.url,
reverse(
"authentik_core:if-flow",
kwargs={
"flow_slug": self.device_flow.slug,
},
),
)
res = self.api_client.get(
reverse(
"authentik_api:flow-executor",
kwargs={
"flow_slug": self.device_flow.slug,
},
),
)
self.assertEqual(res.status_code, 200)
self.assertJSONEqual(
res.content,
{
"component": "ak-provider-oauth2-device-code",
"flow_info": {
"background": "/static/dist/assets/images/flow_background.jpg",
"cancel_url": "/flows/-/cancel/",
"layout": "stacked",
"title": self.device_flow.title,
},
},
)
provider = OAuth2Provider.objects.create(
name=generate_id(),
authorization_flow=create_test_flow(),
)
Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
token = DeviceToken.objects.create(
provider=provider,
)
res = self.api_client.post(
reverse(
"authentik_api:flow-executor",
kwargs={
"flow_slug": self.device_flow.slug,
},
),
data={
"component": "ak-provider-oauth2-device-code",
"code": token.user_code,
},
)
self.assertEqual(res.status_code, 200)
self.assertJSONEqual(
res.content,
{
"component": "xak-flow-redirect",
"to": reverse(
"authentik_core:if-flow",
kwargs={
"flow_slug": provider.authorization_flow.slug,
},
),
},
)
def test_no_flow(self): def test_no_flow(self):
"""Test no flow""" """Test no flow"""
self.brand.flow_device_code = None self.brand.flow_device_code = None

13
authentik/providers/oauth2/tests/test_introspect.py
View File

@ -11,7 +11,14 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT from authentik.providers.oauth2.constants import ACR_AUTHENTIK_DEFAULT
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -23,7 +30,7 @@ class TesOAuth2Introspection(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create( self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.app = Application.objects.create( self.app = Application.objects.create(
@ -118,7 +125,7 @@ class TesOAuth2Introspection(OAuthTestCase):
provider: OAuth2Provider = OAuth2Provider.objects.create( provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()

12
authentik/providers/oauth2/tests/test_jwks.py
View File

@ -13,7 +13,7 @@ from authentik.core.tests.utils import create_test_cert, create_test_flow
from authentik.crypto.builder import PrivateKeyAlg from authentik.crypto.builder import PrivateKeyAlg
from authentik.crypto.models import CertificateKeyPair from authentik.crypto.models import CertificateKeyPair
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import OAuth2Provider from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
TEST_CORDS_CERT = """ TEST_CORDS_CERT = """
@ -49,7 +49,7 @@ class TestJWKS(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
app = Application.objects.create(name="test", slug="test", provider=provider) app = Application.objects.create(name="test", slug="test", provider=provider)
@ -68,7 +68,7 @@ class TestJWKS(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
) )
app = Application.objects.create(name="test", slug="test", provider=provider) app = Application.objects.create(name="test", slug="test", provider=provider)
response = self.client.get( response = self.client.get(
@ -82,7 +82,7 @@ class TestJWKS(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(PrivateKeyAlg.ECDSA), signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
) )
app = Application.objects.create(name="test", slug="test", provider=provider) app = Application.objects.create(name="test", slug="test", provider=provider)
@ -99,7 +99,7 @@ class TestJWKS(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=create_test_cert(PrivateKeyAlg.ECDSA), signing_key=create_test_cert(PrivateKeyAlg.ECDSA),
encryption_key=create_test_cert(PrivateKeyAlg.ECDSA), encryption_key=create_test_cert(PrivateKeyAlg.ECDSA),
) )
@ -122,7 +122,7 @@ class TestJWKS(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=cert, signing_key=cert,
) )
app = Application.objects.create(name="test", slug="test", provider=provider) app = Application.objects.create(name="test", slug="test", provider=provider)

11
authentik/providers/oauth2/tests/test_revoke.py
View File

@ -10,7 +10,14 @@ from django.utils import timezone
from authentik.core.models import Application from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, RefreshToken from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -22,7 +29,7 @@ class TesOAuth2Revoke(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create( self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.app = Application.objects.create( self.app = Application.objects.create(

18
authentik/providers/oauth2/tests/test_token.py
View File

@ -22,6 +22,8 @@ from authentik.providers.oauth2.models import (
AccessToken, AccessToken,
AuthorizationCode, AuthorizationCode,
OAuth2Provider, OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
RefreshToken, RefreshToken,
ScopeMapping, ScopeMapping,
) )
@ -42,7 +44,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://TestServer", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://TestServer")],
signing_key=self.keypair, signing_key=self.keypair,
) )
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -69,7 +71,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.keypair, signing_key=self.keypair,
) )
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -90,7 +92,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair, signing_key=self.keypair,
) )
header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode() header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
@ -118,7 +120,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair, signing_key=self.keypair,
) )
# Needs to be assigned to an application for iss to be set # Needs to be assigned to an application for iss to be set
@ -157,7 +159,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair, signing_key=self.keypair,
encryption_key=self.keypair, encryption_key=self.keypair,
) )
@ -188,7 +190,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair, signing_key=self.keypair,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -250,7 +252,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
signing_key=self.keypair, signing_key=self.keypair,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -308,7 +310,7 @@ class TestToken(OAuthTestCase):
provider = OAuth2Provider.objects.create( provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.keypair, signing_key=self.keypair,
) )
provider.property_mappings.set( provider.property_mappings.set(

9
authentik/providers/oauth2/tests/test_token_cc_jwt_source.py
View File

@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_PROFILE, SCOPE_OPENID_PROFILE,
TOKEN_TYPE, TOKEN_TYPE,
) )
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
from authentik.providers.oauth2.views.jwks import JWKSView from authentik.providers.oauth2.views.jwks import JWKSView
from authentik.sources.oauth.models import OAuthSource from authentik.sources.oauth.models import OAuthSource
@ -54,7 +59,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create( self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=self.cert, signing_key=self.cert,
) )
self.provider.jwks_sources.add(self.source) self.provider.jwks_sources.add(self.source)

52
authentik/providers/oauth2/tests/test_token_cc_standard.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE, TOKEN_TYPE,
) )
from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
AccessToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +39,7 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
self.provider = OAuth2Provider.objects.create( self.provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -107,6 +113,48 @@ class TestTokenClientCredentialsStandard(OAuthTestCase):
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
) )
def test_incorrect_scopes(self):
"""test scope that isn't configured"""
response = self.client.post(
reverse("authentik_providers_oauth2:token"),
{
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
"scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE} extra_scope",
"client_id": self.provider.client_id,
"client_secret": self.provider.client_secret,
},
)
self.assertEqual(response.status_code, 200)
body = loads(response.content.decode())
self.assertEqual(body["token_type"], TOKEN_TYPE)
token = AccessToken.objects.filter(
provider=self.provider, token=body["access_token"]
).first()
self.assertSetEqual(
set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE}
)
_, alg = self.provider.jwt_key
jwt = decode(
body["access_token"],
key=self.provider.signing_key.public_key,
algorithms=[alg],
audience=self.provider.client_id,
)
self.assertEqual(
jwt["given_name"], "Autogenerated user from application test (client credentials)"
)
self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
jwt = decode(
body["id_token"],
key=self.provider.signing_key.public_key,
algorithms=[alg],
audience=self.provider.client_id,
)
self.assertEqual(
jwt["given_name"], "Autogenerated user from application test (client credentials)"
)
self.assertEqual(jwt["preferred_username"], "ak-test-client_credentials")
def test_successful(self): def test_successful(self):
"""test successful""" """test successful"""
response = self.client.post( response = self.client.post(

9
authentik/providers/oauth2/tests/test_token_cc_standard_compat.py
View File

@ -20,7 +20,12 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE, TOKEN_TYPE,
) )
from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -34,7 +39,7 @@ class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
self.provider = OAuth2Provider.objects.create( self.provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())

9
authentik/providers/oauth2/tests/test_token_cc_user_pw.py
View File

@ -19,7 +19,12 @@ from authentik.providers.oauth2.constants import (
TOKEN_TYPE, TOKEN_TYPE,
) )
from authentik.providers.oauth2.errors import TokenError from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -33,7 +38,7 @@ class TestTokenClientCredentialsUserNamePassword(OAuthTestCase):
self.provider = OAuth2Provider.objects.create( self.provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())

42
authentik/providers/oauth2/tests/test_token_device.py
View File

@ -9,8 +9,19 @@ from authentik.blueprints.tests import apply_blueprint
from authentik.core.models import Application from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.lib.generators import generate_code_fixed_length, generate_id from authentik.lib.generators import generate_code_fixed_length, generate_id
from authentik.providers.oauth2.constants import GRANT_TYPE_DEVICE_CODE from authentik.providers.oauth2.constants import (
from authentik.providers.oauth2.models import DeviceToken, OAuth2Provider, ScopeMapping GRANT_TYPE_DEVICE_CODE,
SCOPE_OPENID,
SCOPE_OPENID_EMAIL,
)
from authentik.providers.oauth2.models import (
AccessToken,
DeviceToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -24,7 +35,7 @@ class TestTokenDeviceCode(OAuthTestCase):
self.provider = OAuth2Provider.objects.create( self.provider = OAuth2Provider.objects.create(
name="test", name="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://testserver", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())
@ -80,3 +91,28 @@ class TestTokenDeviceCode(OAuthTestCase):
}, },
) )
self.assertEqual(res.status_code, 200) self.assertEqual(res.status_code, 200)
def test_code_mismatched_scope(self):
"""Test code with user (mismatched scopes)"""
device_token = DeviceToken.objects.create(
provider=self.provider,
user_code=generate_code_fixed_length(),
device_code=generate_id(),
user=self.user,
scope=[SCOPE_OPENID, SCOPE_OPENID_EMAIL],
)
res = self.client.post(
reverse("authentik_providers_oauth2:token"),
data={
"client_id": self.provider.client_id,
"grant_type": GRANT_TYPE_DEVICE_CODE,
"device_code": device_token.device_code,
"scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} invalid",
},
)
self.assertEqual(res.status_code, 200)
body = loads(res.content)
token = AccessToken.objects.filter(
provider=self.provider, token=body["access_token"]
).first()
self.assertSetEqual(set(token.scope), {SCOPE_OPENID, SCOPE_OPENID_EMAIL})

15
authentik/providers/oauth2/tests/test_token_pkce.py
View File

@ -10,7 +10,12 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider from authentik.providers.oauth2.models import (
AuthorizationCode,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -30,7 +35,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="foo://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100", access_code_validity="seconds=100",
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)
@ -93,7 +98,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="foo://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100", access_code_validity="seconds=100",
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)
@ -154,7 +159,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="foo://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100", access_code_validity="seconds=100",
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)
@ -210,7 +215,7 @@ class TestTokenPKCE(OAuthTestCase):
name=generate_id(), name=generate_id(),
client_id="test", client_id="test",
authorization_flow=flow, authorization_flow=flow,
redirect_uris="foo://localhost", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "foo://localhost")],
access_code_validity="seconds=100", access_code_validity="seconds=100",
) )
Application.objects.create(name="app", slug="app", provider=provider) Application.objects.create(name="app", slug="app", provider=provider)

11
authentik/providers/oauth2/tests/test_userinfo.py
View File

@ -11,7 +11,14 @@ from authentik.core.models import Application
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.events.models import Event, EventAction from authentik.events.models import Event, EventAction
from authentik.lib.generators import generate_id from authentik.lib.generators import generate_id
from authentik.providers.oauth2.models import AccessToken, IDToken, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
AccessToken,
IDToken,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase from authentik.providers.oauth2.tests.utils import OAuthTestCase
@ -25,7 +32,7 @@ class TestUserinfo(OAuthTestCase):
self.provider: OAuth2Provider = OAuth2Provider.objects.create( self.provider: OAuth2Provider = OAuth2Provider.objects.create(
name=generate_id(), name=generate_id(),
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "")],
signing_key=create_test_cert(), signing_key=create_test_cert(),
) )
self.provider.property_mappings.set(ScopeMapping.objects.all()) self.provider.property_mappings.set(ScopeMapping.objects.all())

55
authentik/providers/oauth2/views/authorize.py
View File

@ -56,6 +56,8 @@ from authentik.providers.oauth2.models import (
AuthorizationCode, AuthorizationCode,
GrantTypes, GrantTypes,
OAuth2Provider, OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ResponseMode, ResponseMode,
ResponseTypes, ResponseTypes,
ScopeMapping, ScopeMapping,
@ -187,40 +189,39 @@ class OAuthAuthorizationParams:
def check_redirect_uri(self): def check_redirect_uri(self):
"""Redirect URI validation.""" """Redirect URI validation."""
allowed_redirect_urls = self.provider.redirect_uris.split() allowed_redirect_urls = self.provider.redirect_uris
if not self.redirect_uri: if not self.redirect_uri:
LOGGER.warning("Missing redirect uri.") LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls) raise RedirectUriError("", allowed_redirect_urls)
if self.provider.redirect_uris == "": if len(allowed_redirect_urls) < 1:
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri) LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
self.provider.redirect_uris = self.redirect_uri self.provider.redirect_uris = [
RedirectURI(RedirectURIMatchingMode.STRICT, self.redirect_uri)
]
self.provider.save() self.provider.save()
allowed_redirect_urls = self.provider.redirect_uris.split() allowed_redirect_urls = self.provider.redirect_uris
if self.provider.redirect_uris == "*": match_found = False
LOGGER.info("Converting redirect_uris to regex", redirect=self.redirect_uri) for allowed in allowed_redirect_urls:
self.provider.redirect_uris = ".*" if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
self.provider.save() if self.redirect_uri == allowed.url:
allowed_redirect_urls = self.provider.redirect_uris.split() match_found = True
break
try: if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls): try:
LOGGER.warning( if fullmatch(allowed.url, self.redirect_uri):
"Invalid redirect uri (regex comparison)", match_found = True
redirect_uri_given=self.redirect_uri, break
redirect_uri_expected=allowed_redirect_urls, except RegexError as exc:
) LOGGER.warning(
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) "Failed to parse regular expression",
except RegexError as exc: exc=exc,
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc) url=allowed.url,
if not any(x == self.redirect_uri for x in allowed_redirect_urls): provider=self.provider,
LOGGER.warning( )
"Invalid redirect uri (strict comparison)", if not match_found:
redirect_uri_given=self.redirect_uri, raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
redirect_uri_expected=allowed_redirect_urls,
)
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) from None
# Check against forbidden schemes # Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES: if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)

7
authentik/providers/oauth2/views/device_init.py
View File

@ -5,7 +5,7 @@ from typing import Any
from django.http import HttpRequest, HttpResponse from django.http import HttpRequest, HttpResponse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from rest_framework.exceptions import ValidationError from rest_framework.exceptions import ValidationError
from rest_framework.fields import CharField, IntegerField from rest_framework.fields import CharField
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.brands.models import Brand from authentik.brands.models import Brand
@ -47,6 +47,9 @@ class CodeValidatorView(PolicyAccessView):
self.provider = self.token.provider self.provider = self.token.provider
self.application = self.token.provider.application self.application = self.token.provider.application
def post(self, request: HttpRequest, *args, **kwargs):
return self.get(request, *args, **kwargs)
def get(self, request: HttpRequest, *args, **kwargs): def get(self, request: HttpRequest, *args, **kwargs):
scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider) scope_descriptions = UserInfoView().get_scope_descriptions(self.token.scope, self.provider)
planner = FlowPlanner(self.provider.authorization_flow) planner = FlowPlanner(self.provider.authorization_flow)
@ -122,7 +125,7 @@ class OAuthDeviceCodeChallenge(Challenge):
class OAuthDeviceCodeChallengeResponse(ChallengeResponse): class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
"""Response that includes the user-entered device code""" """Response that includes the user-entered device code"""
code = IntegerField() code = CharField()
component = CharField(default="ak-provider-oauth2-device-code") component = CharField(default="ak-provider-oauth2-device-code")
def validate_code(self, code: int) -> HttpResponse | None: def validate_code(self, code: int) -> HttpResponse | None:

2
authentik/providers/oauth2/views/provider.py
View File

@ -162,5 +162,5 @@ class ProviderInfoView(View):
OAuth2Provider, pk=application.provider_id OAuth2Provider, pk=application.provider_id
) )
response = super().dispatch(request, *args, **kwargs) response = super().dispatch(request, *args, **kwargs)
cors_allow(request, response, *self.provider.redirect_uris.split("\n")) cors_allow(request, response, *[x.url for x in self.provider.redirect_uris])
return response return response

106
authentik/providers/oauth2/views/token.py
View File

@ -58,7 +58,9 @@ from authentik.providers.oauth2.models import (
ClientTypes, ClientTypes,
DeviceToken, DeviceToken,
OAuth2Provider, OAuth2Provider,
RedirectURIMatchingMode,
RefreshToken, RefreshToken,
ScopeMapping,
) )
from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
@ -77,7 +79,7 @@ class TokenParams:
redirect_uri: str redirect_uri: str
grant_type: str grant_type: str
state: str state: str
scope: list[str] scope: set[str]
provider: OAuth2Provider provider: OAuth2Provider
@ -112,11 +114,26 @@ class TokenParams:
redirect_uri=request.POST.get("redirect_uri", ""), redirect_uri=request.POST.get("redirect_uri", ""),
grant_type=request.POST.get("grant_type", ""), grant_type=request.POST.get("grant_type", ""),
state=request.POST.get("state", ""), state=request.POST.get("state", ""),
scope=request.POST.get("scope", "").split(), scope=set(request.POST.get("scope", "").split()),
# PKCE parameter. # PKCE parameter.
code_verifier=request.POST.get("code_verifier"), code_verifier=request.POST.get("code_verifier"),
) )
def __check_scopes(self):
allowed_scope_names = set(
ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
"scope_name", flat=True
)
)
scopes_to_check = self.scope
if not scopes_to_check.issubset(allowed_scope_names):
LOGGER.info(
"Application requested scopes not configured, setting to overlap",
scope_allowed=allowed_scope_names,
scope_given=self.scope,
)
self.scope = self.scope.intersection(allowed_scope_names)
def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs): def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
with start_span( with start_span(
op="authentik.providers.oauth2.token.policy", op="authentik.providers.oauth2.token.policy",
@ -149,7 +166,7 @@ class TokenParams:
client_id=self.provider.client_id, client_id=self.provider.client_id,
) )
raise TokenError("invalid_client") raise TokenError("invalid_client")
self.__check_scopes()
if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
with start_span( with start_span(
op="authentik.providers.oauth2.post.parse.code", op="authentik.providers.oauth2.post.parse.code",
@ -179,42 +196,7 @@ class TokenParams:
LOGGER.warning("Missing authorization code") LOGGER.warning("Missing authorization code")
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
allowed_redirect_urls = self.provider.redirect_uris.split() self.__check_redirect_uri(request)
# At this point, no provider should have a blank redirect_uri, in case they do
# this will check an empty array and raise an error
try:
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (regex comparison)",
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect URI used by provider",
provider=self.provider,
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
).from_http(request)
raise TokenError("invalid_client")
except RegexError as exc:
LOGGER.info("Failed to parse regular expression, checking directly", exc=exc)
if not any(x == self.redirect_uri for x in allowed_redirect_urls):
LOGGER.warning(
"Invalid redirect uri (strict comparison)",
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect_uri configured",
provider=self.provider,
).from_http(request)
raise TokenError("invalid_client") from None
# Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise TokenError("invalid_request")
self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first() self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
if not self.authorization_code: if not self.authorization_code:
@ -254,6 +236,48 @@ class TokenParams:
if not self.authorization_code.code_challenge and self.code_verifier: if not self.authorization_code.code_challenge and self.code_verifier:
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
def __check_redirect_uri(self, request: HttpRequest):
allowed_redirect_urls = self.provider.redirect_uris
# At this point, no provider should have a blank redirect_uri, in case they do
# this will check an empty array and raise an error
match_found = False
for allowed in allowed_redirect_urls:
if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
if self.redirect_uri == allowed.url:
match_found = True
break
if allowed.matching_mode == RedirectURIMatchingMode.REGEX:
try:
if fullmatch(allowed.url, self.redirect_uri):
match_found = True
break
except RegexError as exc:
LOGGER.warning(
"Failed to parse regular expression",
exc=exc,
url=allowed.url,
provider=self.provider,
)
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect_uri configured",
provider=self.provider,
).from_http(request)
if not match_found:
Event.new(
EventAction.CONFIGURATION_ERROR,
message="Invalid redirect URI used by provider",
provider=self.provider,
redirect_uri=self.redirect_uri,
expected=allowed_redirect_urls,
).from_http(request)
raise TokenError("invalid_client")
# Check against forbidden schemes
if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
raise TokenError("invalid_request")
def __post_init_refresh(self, raw_token: str, request: HttpRequest): def __post_init_refresh(self, raw_token: str, request: HttpRequest):
if not raw_token: if not raw_token:
LOGGER.warning("Missing refresh token") LOGGER.warning("Missing refresh token")
@ -497,7 +521,7 @@ class TokenView(View):
response = super().dispatch(request, *args, **kwargs) response = super().dispatch(request, *args, **kwargs)
allowed_origins = [] allowed_origins = []
if self.provider: if self.provider:
allowed_origins = self.provider.redirect_uris.split("\n") allowed_origins = [x.url for x in self.provider.redirect_uris]
cors_allow(self.request, response, *allowed_origins) cors_allow(self.request, response, *allowed_origins)
return response return response
@ -710,7 +734,7 @@ class TokenView(View):
"id_token": access_token.id_token.to_jwt(self.provider), "id_token": access_token.id_token.to_jwt(self.provider),
} }
if SCOPE_OFFLINE_ACCESS in self.params.scope: if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity) refresh_token_expiry = now + timedelta_from_string(self.provider.refresh_token_validity)
refresh_token = RefreshToken( refresh_token = RefreshToken(
user=self.params.device_code.user, user=self.params.device_code.user,

2
authentik/providers/oauth2/views/userinfo.py
View File

@ -108,7 +108,7 @@ class UserInfoView(View):
response = super().dispatch(request, *args, **kwargs) response = super().dispatch(request, *args, **kwargs)
allowed_origins = [] allowed_origins = []
if self.token: if self.token:
allowed_origins = self.token.provider.redirect_uris.split("\n") allowed_origins = [x.url for x in self.token.provider.redirect_uris]
cors_allow(self.request, response, *allowed_origins) cors_allow(self.request, response, *allowed_origins)
return response return response

1
authentik/providers/proxy/api.py
View File

@ -121,7 +121,6 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
"basic_auth_password_attribute": ["iexact"], "basic_auth_password_attribute": ["iexact"],
"basic_auth_user_attribute": ["iexact"], "basic_auth_user_attribute": ["iexact"],
"mode": ["iexact"], "mode": ["iexact"],
"redirect_uris": ["iexact"],
"cookie_domain": ["iexact"], "cookie_domain": ["iexact"],
} }
search_fields = ["name"] search_fields = ["name"]

21
authentik/providers/proxy/models.py
View File

@ -13,7 +13,13 @@ from rest_framework.serializers import Serializer
from authentik.crypto.models import CertificateKeyPair from authentik.crypto.models import CertificateKeyPair
from authentik.lib.models import DomainlessURLValidator from authentik.lib.models import DomainlessURLValidator
from authentik.outposts.models import OutpostModel from authentik.outposts.models import OutpostModel
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
SCOPE_AK_PROXY = "ak_proxy" SCOPE_AK_PROXY = "ak_proxy"
OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback" OUTPOST_CALLBACK_SIGNATURE = "X-authentik-auth-callback"
@ -24,14 +30,15 @@ def get_cookie_secret():
return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32)) return "".join(SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(32))
def _get_callback_url(uri: str) -> str: def _get_callback_url(uri: str) -> list[RedirectURI]:
return "\n".join( return [
[ RedirectURI(
RedirectURIMatchingMode.STRICT,
urljoin(uri, "outpost.goauthentik.io/callback") urljoin(uri, "outpost.goauthentik.io/callback")
+ f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true", + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true",
uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true", ),
] RedirectURI(RedirectURIMatchingMode.STRICT, uri + f"\\?{OUTPOST_CALLBACK_SIGNATURE}=true"),
) ]
class ProxyMode(models.TextChoices): class ProxyMode(models.TextChoices):

2
authentik/providers/scim/clients/schema.py
View File

@ -19,6 +19,7 @@ SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
class User(BaseUser): class User(BaseUser):
"""Modified User schema with added externalId field""" """Modified User schema with added externalId field"""
id: str | int | None = None
schemas: list[str] = [SCIM_USER_SCHEMA] schemas: list[str] = [SCIM_USER_SCHEMA]
externalId: str | None = None externalId: str | None = None
meta: dict | None = None meta: dict | None = None
@ -27,6 +28,7 @@ class User(BaseUser):
class Group(BaseGroup): class Group(BaseGroup):
"""Modified Group schema with added externalId field""" """Modified Group schema with added externalId field"""
id: str | int | None = None
schemas: list[str] = [SCIM_GROUP_SCHEMA] schemas: list[str] = [SCIM_GROUP_SCHEMA]
externalId: str | None = None externalId: str | None = None
meta: dict | None = None meta: dict | None = None

2
authentik/rbac/api/rbac_roles.py
View File

@ -53,7 +53,7 @@ class ExtraRoleObjectPermissionSerializer(RoleObjectPermissionSerializer):
except LookupError: except LookupError:
return None return None
objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class) objects = get_objects_for_group(instance.group, f"{app_label}.view_{model}", model_class)
obj = objects.first() obj = objects.filter(pk=instance.object_pk).first()
if not obj: if not obj:
return None return None
return str(obj) return str(obj)

2
authentik/rbac/api/rbac_users.py
View File

@ -53,7 +53,7 @@ class ExtraUserObjectPermissionSerializer(UserObjectPermissionSerializer):
except LookupError: except LookupError:
return None return None
objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class) objects = get_objects_for_user(instance.user, f"{app_label}.view_{model}", model_class)
obj = objects.first() obj = objects.filter(pk=instance.object_pk).first()
if not obj: if not obj:
return None return None
return str(obj) return str(obj)

21
authentik/root/monitoring.py
View File

@ -1,6 +1,8 @@
"""Metrics view""" """Metrics view"""
from base64 import b64encode from hmac import compare_digest
from pathlib import Path
from tempfile import gettempdir
from django.conf import settings from django.conf import settings
from django.db import connections from django.db import connections
@ -16,22 +18,21 @@ monitoring_set = Signal()
class MetricsView(View): class MetricsView(View):
"""Wrapper around ExportToDjangoView, using http-basic auth""" """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
def __init__(self, **kwargs):
_tmp = Path(gettempdir())
with open(_tmp / "authentik-core-metrics.key") as _f:
self.monitoring_key = _f.read()
def get(self, request: HttpRequest) -> HttpResponse: def get(self, request: HttpRequest) -> HttpResponse:
"""Check for HTTP-Basic auth""" """Check for HTTP-Basic auth"""
auth_header = request.META.get("HTTP_AUTHORIZATION", "") auth_header = request.META.get("HTTP_AUTHORIZATION", "")
auth_type, _, given_credentials = auth_header.partition(" ") auth_type, _, given_credentials = auth_header.partition(" ")
credentials = f"monitor:{settings.SECRET_KEY}" authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
expected = b64encode(str.encode(credentials)).decode()
authed = auth_type == "Basic" and given_credentials == expected
if not authed and not settings.DEBUG: if not authed and not settings.DEBUG:
response = HttpResponse(status=401) return HttpResponse(status=401)
response["WWW-Authenticate"] = 'Basic realm="authentik-monitoring"'
return response
monitoring_set.send_robust(self) monitoring_set.send_robust(self)
return ExportToDjangoView(request) return ExportToDjangoView(request)

18
authentik/root/tests.py
View File

@ -1,8 +1,9 @@
"""root tests""" """root tests"""
from base64 import b64encode from pathlib import Path
from secrets import token_urlsafe
from tempfile import gettempdir
from django.conf import settings
from django.test import TestCase from django.test import TestCase
from django.urls import reverse from django.urls import reverse
@ -10,6 +11,16 @@ from django.urls import reverse
class TestRoot(TestCase): class TestRoot(TestCase):
"""Test root application""" """Test root application"""
def setUp(self):
_tmp = Path(gettempdir())
self.token = token_urlsafe(32)
with open(_tmp / "authentik-core-metrics.key", "w") as _f:
_f.write(self.token)
def tearDown(self):
_tmp = Path(gettempdir())
(_tmp / "authentik-core-metrics.key").unlink()
def test_monitoring_error(self): def test_monitoring_error(self):
"""Test monitoring without any credentials""" """Test monitoring without any credentials"""
response = self.client.get(reverse("metrics")) response = self.client.get(reverse("metrics"))
@ -17,8 +28,7 @@ class TestRoot(TestCase):
def test_monitoring_ok(self): def test_monitoring_ok(self):
"""Test monitoring with credentials""" """Test monitoring with credentials"""
creds = "Basic " + b64encode(f"monitor:{settings.SECRET_KEY}".encode()).decode("utf-8") auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
auth_headers = {"HTTP_AUTHORIZATION": creds}
response = self.client.get(reverse("metrics"), **auth_headers) response = self.client.get(reverse("metrics"), **auth_headers)
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)

1
authentik/stages/captcha/api.py
View File

@ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer):
"private_key", "private_key",
"js_url", "js_url",
"api_url", "api_url",
"interactive",
"score_min_threshold", "score_min_threshold",
"score_max_threshold", "score_max_threshold",
"error_on_invalid_score", "error_on_invalid_score",

18
authentik/stages/captcha/migrations/0004_captchastage_interactive.py Normal file
View File

@ -0,0 +1,18 @@
# Generated by Django 5.0.9 on 2024-10-30 14:28
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_stages_captcha", "0003_captchastage_error_on_invalid_score_and_more"),
]
operations = [
migrations.AddField(
model_name="captchastage",
name="interactive",
field=models.BooleanField(default=False),
),
]

4
authentik/stages/captcha/models.py
View File

@ -9,11 +9,13 @@ from authentik.flows.models import Stage
class CaptchaStage(Stage): class CaptchaStage(Stage):
"""Verify the user is human using Google's reCaptcha.""" """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions."""
public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider.")) public_key = models.TextField(help_text=_("Public key, acquired your captcha Provider."))
private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider.")) private_key = models.TextField(help_text=_("Private key, acquired your captcha Provider."))
interactive = models.BooleanField(default=False)
score_min_threshold = models.FloatField(default=0.5) # Default values for reCaptcha score_min_threshold = models.FloatField(default=0.5) # Default values for reCaptcha
score_max_threshold = models.FloatField(default=1.0) # Default values for reCaptcha score_max_threshold = models.FloatField(default=1.0) # Default values for reCaptcha

9
authentik/stages/captcha/stage.py
View File

@ -3,7 +3,7 @@
from django.http.response import HttpResponse from django.http.response import HttpResponse
from django.utils.translation import gettext as _ from django.utils.translation import gettext as _
from requests import RequestException from requests import RequestException
from rest_framework.fields import CharField from rest_framework.fields import BooleanField, CharField
from rest_framework.serializers import ValidationError from rest_framework.serializers import ValidationError
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
@ -24,10 +24,12 @@ PLAN_CONTEXT_CAPTCHA = "captcha"
class CaptchaChallenge(WithUserInfoChallenge): class CaptchaChallenge(WithUserInfoChallenge):
"""Site public key""" """Site public key"""
site_key = CharField()
js_url = CharField()
component = CharField(default="ak-stage-captcha") component = CharField(default="ak-stage-captcha")
site_key = CharField(required=True)
js_url = CharField(required=True)
interactive = BooleanField(required=True)
def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str): def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str):
"""Validate captcha token""" """Validate captcha token"""
@ -103,6 +105,7 @@ class CaptchaStageView(ChallengeStageView):
data={ data={
"js_url": self.executor.current_stage.js_url, "js_url": self.executor.current_stage.js_url,
"site_key": self.executor.current_stage.public_key, "site_key": self.executor.current_stage.public_key,
"interactive": self.executor.current_stage.interactive,
} }
) )

1
authentik/stages/identification/stage.py
View File

@ -223,6 +223,7 @@ class IdentificationStageView(ChallengeStageView):
{ {
"js_url": current_stage.captcha_stage.js_url, "js_url": current_stage.captcha_stage.js_url,
"site_key": current_stage.captcha_stage.public_key, "site_key": current_stage.captcha_stage.public_key,
"interactive": current_stage.captcha_stage.interactive,
} }
if current_stage.captcha_stage if current_stage.captcha_stage
else None else None

8
authentik/stages/password/stage.py
View File

@ -21,7 +21,7 @@ from authentik.flows.challenge import (
WithUserInfoChallenge, WithUserInfoChallenge,
) )
from authentik.flows.exceptions import StageInvalidException from authentik.flows.exceptions import StageInvalidException
from authentik.flows.models import Flow, FlowDesignation, Stage from authentik.flows.models import Flow, Stage
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.stage import ChallengeStageView from authentik.flows.stage import ChallengeStageView
from authentik.lib.utils.reflection import path_to_class from authentik.lib.utils.reflection import path_to_class
@ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView):
"allow_show_password": self.executor.current_stage.allow_show_password, "allow_show_password": self.executor.current_stage.allow_show_password,
} }
) )
recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY) recovery_flow: Flow | None = self.request.brand.flow_recovery
if recovery_flow.exists(): if recovery_flow:
recover_url = reverse( recover_url = reverse(
"authentik_core:if-flow", "authentik_core:if-flow",
kwargs={"flow_slug": recovery_flow.first().slug}, kwargs={"flow_slug": recovery_flow.slug},
) )
challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url) challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
return challenge return challenge

5
authentik/stages/password/tests.py
View File

@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.urls import reverse from django.urls import reverse
from authentik.core.tests.utils import create_test_admin_user, create_test_flow from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
from authentik.flows.markers import StageMarker from authentik.flows.markers import StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding from authentik.flows.models import FlowDesignation, FlowStageBinding
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@ -57,6 +57,9 @@ class TestPasswordStage(FlowTestCase):
def test_recovery_flow_link(self): def test_recovery_flow_link(self):
"""Test link to the default recovery flow""" """Test link to the default recovery flow"""
flow = create_test_flow(designation=FlowDesignation.RECOVERY) flow = create_test_flow(designation=FlowDesignation.RECOVERY)
brand = create_test_brand()
brand.flow_recovery = flow
brand.save()
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
session = self.client.session session = self.client.session

1
blueprints/default/flow-oobe.yaml
View File

@ -101,7 +101,6 @@ entries:
- !KeyOf prompt-field-email - !KeyOf prompt-field-email
- !KeyOf prompt-field-password - !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat - !KeyOf prompt-field-password-repeat
validation_policies: []
id: stage-default-oobe-password id: stage-default-oobe-password
identifiers: identifiers:
name: stage-default-oobe-password name: stage-default-oobe-password

13
blueprints/default/flow-password-change.yaml
View File

@ -2,6 +2,17 @@ version: 1
metadata: metadata:
name: Default - Password change flow name: Default - Password change flow
entries: entries:
- attrs:
check_static_rules: true
check_zxcvbn: true
length_min: 8
password_field: password
zxcvbn_score_threshold: 2
error_message: Password needs to be 8 characters or longer.
identifiers:
name: default-password-change-password-policy
model: authentik_policies_password.passwordpolicy
id: default-password-change-password-policy
- attrs: - attrs:
designation: stage_configuration designation: stage_configuration
name: Change Password name: Change Password
@ -39,6 +50,8 @@ entries:
fields: fields:
- !KeyOf prompt-field-password - !KeyOf prompt-field-password
- !KeyOf prompt-field-password-repeat - !KeyOf prompt-field-password-repeat
validation_policies:
- !KeyOf default-password-change-password-policy
identifiers: identifiers:
name: default-password-change-prompt name: default-password-change-prompt
id: default-password-change-prompt id: default-password-change-prompt

41
blueprints/schema.json
View File

@ -2,7 +2,7 @@
"$schema": "http://json-schema.org/draft-07/schema", "$schema": "http://json-schema.org/draft-07/schema",
"$id": "https://goauthentik.io/blueprints/schema.json", "$id": "https://goauthentik.io/blueprints/schema.json",
"type": "object", "type": "object",
"title": "authentik 2024.8.3 Blueprint schema", "title": "authentik 2024.10.3 Blueprint schema",
"required": [ "required": [
"version", "version",
"entries" "entries"
@ -5570,9 +5570,30 @@
"description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs." "description": "Key used to encrypt the tokens. When set, tokens will be encrypted and returned as JWEs."
}, },
"redirect_uris": { "redirect_uris": {
"type": "string", "type": "array",
"title": "Redirect URIs", "items": {
"description": "Enter each URI on a new line." "type": "object",
"properties": {
"matching_mode": {
"type": "string",
"enum": [
"strict",
"regex"
],
"title": "Matching mode"
},
"url": {
"type": "string",
"minLength": 1,
"title": "Url"
}
},
"required": [
"matching_mode",
"url"
]
},
"title": "Redirect uris"
}, },
"sub_mode": { "sub_mode": {
"type": "string", "type": "string",
@ -6974,7 +6995,7 @@
"spnego_server_name": { "spnego_server_name": {
"type": "string", "type": "string",
"title": "Spnego server name", "title": "Spnego server name",
"description": "Force the use of a specific server name for SPNEGO" "description": "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@hostname"
}, },
"spnego_keytab": { "spnego_keytab": {
"type": "string", "type": "string",
@ -9781,6 +9802,10 @@
"minLength": 1, "minLength": 1,
"title": "Api url" "title": "Api url"
}, },
"interactive": {
"type": "boolean",
"title": "Interactive"
},
"score_min_threshold": { "score_min_threshold": {
"type": "number", "type": "number",
"title": "Score min threshold" "title": "Score min threshold"
@ -13383,12 +13408,6 @@
"title": "Authorization flow", "title": "Authorization flow",
"description": "Flow used when authorizing this provider." "description": "Flow used when authorizing this provider."
}, },
"invalidation_flow": {
"type": "string",
"format": "uuid",
"title": "Invalidation flow",
"description": "Flow used ending the session from a provider."
},
"property_mappings": { "property_mappings": {
"type": "array", "type": "array",
"items": { "items": {

2
blueprints/system/sources-kerberos.yaml
View File

@ -38,7 +38,7 @@ entries:
name: "authentik default Kerberos User Mapping: Ignore system principals" name: "authentik default Kerberos User Mapping: Ignore system principals"
expression: | expression: |
localpart, realm = principal.rsplit("@", 1) localpart, realm = principal.rsplit("@", 1)
denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"] denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
for prefix in denied_prefixes: for prefix in denied_prefixes:
if localpart.lower().startswith(prefix.lower()): if localpart.lower().startswith(prefix.lower()):
raise SkipObject raise SkipObject

4
docker-compose.yml
View File

@ -31,7 +31,7 @@ services:
volumes: volumes:
- redis:/data - redis:/data
server: server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3} image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.3}
restart: unless-stopped restart: unless-stopped
command: server command: server
environment: environment:
@ -52,7 +52,7 @@ services:
- postgresql - postgresql
- redis - redis
worker: worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3} image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.3}
restart: unless-stopped restart: unless-stopped
command: worker command: worker
environment: environment:

2
internal/constants/constants.go
View File

@ -29,4 +29,4 @@ func UserAgent() string {
return fmt.Sprintf("authentik@%s", FullVersion()) return fmt.Sprintf("authentik@%s", FullVersion())
} }
const VERSION = "2024.8.3" const VERSION = "2024.10.3"

2
internal/outpost/ldap/ldap.go
View File

@ -65,7 +65,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)") ls.log.WithField("listen", listen).WithError(err).Warning("Failed to listen (SSL)")
return err return err
} }
proxyListener := &proxyproto.Listener{Listener: ln} proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
ls.log.WithField("listen", listen).Info("Starting LDAP server") ls.log.WithField("listen", listen).Info("Starting LDAP server")

2
internal/outpost/ldap/ldap_tls.go
View File

@ -48,7 +48,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
return err return err
} }
proxyListener := &proxyproto.Listener{Listener: ln} proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
tln := tls.NewListener(proxyListener, tlsConfig) tln := tls.NewListener(proxyListener, tlsConfig)

11
internal/outpost/proxyv2/application/application.go
View File

@ -23,6 +23,7 @@ import (
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"goauthentik.io/api/v3" "goauthentik.io/api/v3"
"goauthentik.io/internal/config"
"goauthentik.io/internal/outpost/ak" "goauthentik.io/internal/outpost/ak"
"goauthentik.io/internal/outpost/proxyv2/constants" "goauthentik.io/internal/outpost/proxyv2/constants"
"goauthentik.io/internal/outpost/proxyv2/hs256" "goauthentik.io/internal/outpost/proxyv2/hs256"
@ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
bs := string(h.Sum([]byte(*p.ClientId))) bs := string(h.Sum([]byte(*p.ClientId)))
sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8]) sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
// otherwise we use the internally configured authentik_host
tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
if config.Get().AuthentikHostBrowser != "" {
tokenEndpointHost = config.Get().AuthentikHostBrowser
}
publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
a := &Application{ a := &Application{
Host: externalHost.Host, Host: externalHost.Host,
log: muxLogger, log: muxLogger,
@ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
tokenVerifier: verifier, tokenVerifier: verifier,
proxyConfig: p, proxyConfig: p,
httpClient: c, httpClient: c,
publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)), publicHostHTTPClient: publicHTTPClient,
mux: mux, mux: mux,
errorTemplates: templates.GetTemplates(), errorTemplates: templates.GetTemplates(),
ak: server.API(), ak: server.API(),

4
internal/outpost/proxyv2/proxyv2.go
View File

@ -129,7 +129,7 @@ func (ps *ProxyServer) ServeHTTP() {
ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen") ps.log.WithField("listen", listenAddress).WithError(err).Warning("Failed to listen")
return return
} }
proxyListener := &proxyproto.Listener{Listener: listener} proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
ps.log.WithField("listen", listenAddress).Info("Starting HTTP server") ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
@ -148,7 +148,7 @@ func (ps *ProxyServer) ServeHTTPS() {
ps.log.WithError(err).Warning("Failed to listen (TLS)") ps.log.WithError(err).Warning("Failed to listen (TLS)")
return return
} }
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}} proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig) tlsListener := tls.NewListener(proxyListener, tlsConfig)

34
internal/utils/proxy.go Normal file
View File

@ -0,0 +1,34 @@
package utils
import (
"net"
"github.com/pires/go-proxyproto"
log "github.com/sirupsen/logrus"
"goauthentik.io/internal/config"
)
func GetProxyConnectionPolicy() proxyproto.ConnPolicyFunc {
nets := []*net.IPNet{}
for _, rn := range config.Get().Listen.TrustedProxyCIDRs {
_, cidr, err := net.ParseCIDR(rn)
if err != nil {
continue
}
nets = append(nets, cidr)
}
return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
host, _, err := net.SplitHostPort(connPolicyOptions.Upstream.String())
if err == nil {
// remoteAddr will be nil if the IP cannot be parsed
remoteAddr := net.ParseIP(host)
for _, allowedCidr := range nets {
if remoteAddr != nil && allowedCidr.Contains(remoteAddr) {
log.WithField("remoteAddr", remoteAddr).WithField("cidr", allowedCidr.String()).Trace("Using remote IP from proxy protocol")
return proxyproto.USE, nil
}
}
}
return proxyproto.SKIP, nil
}
}

6
internal/utils/web/http_host_interceptor.go
View File

@ -14,8 +14,10 @@ type hostInterceptor struct {
} }
func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) { func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
r.Host = t.host if r.Host != t.host {
r.Header.Set("X-Forwarded-Proto", t.scheme) r.Host = t.host
r.Header.Set("X-Forwarded-Proto", t.scheme)
}
return t.inner.RoundTrip(r) return t.inner.RoundTrip(r)
} }

25
internal/web/metrics.go
View File

@ -1,11 +1,15 @@
package web package web
import ( import (
"encoding/base64"
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
"os"
"path"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/gorilla/securecookie"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto" "github.com/prometheus/client_golang/prometheus/promauto"
"github.com/prometheus/client_golang/prometheus/promhttp" "github.com/prometheus/client_golang/prometheus/promhttp"
@ -14,14 +18,25 @@ import (
"goauthentik.io/internal/utils/sentry" "goauthentik.io/internal/utils/sentry"
) )
const MetricsKeyFile = "authentik-core-metrics.key"
var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ var Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_main_request_duration_seconds", Name: "authentik_main_request_duration_seconds",
Help: "API request latencies in seconds", Help: "API request latencies in seconds",
}, []string{"dest"}) }, []string{"dest"})
func (ws *WebServer) runMetricsServer() { func (ws *WebServer) runMetricsServer() {
m := mux.NewRouter()
l := log.WithField("logger", "authentik.router.metrics") l := log.WithField("logger", "authentik.router.metrics")
tmp := os.TempDir()
key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
keyPath := path.Join(tmp, MetricsKeyFile)
err := os.WriteFile(keyPath, []byte(key), 0o600)
if err != nil {
l.WithError(err).Warning("failed to save metrics key")
return
}
m := mux.NewRouter()
m.Use(sentry.SentryNoSampleMiddleware) m.Use(sentry.SentryNoSampleMiddleware)
m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { m.Path("/metrics").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
promhttp.InstrumentMetricHandler( promhttp.InstrumentMetricHandler(
@ -36,7 +51,7 @@ func (ws *WebServer) runMetricsServer() {
l.WithError(err).Warning("failed to get upstream metrics") l.WithError(err).Warning("failed to get upstream metrics")
return return
} }
re.SetBasicAuth("monitor", config.Get().SecretKey) re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", key))
res, err := ws.upstreamHttpClient().Do(re) res, err := ws.upstreamHttpClient().Do(re)
if err != nil { if err != nil {
l.WithError(err).Warning("failed to get upstream metrics") l.WithError(err).Warning("failed to get upstream metrics")
@ -49,9 +64,13 @@ func (ws *WebServer) runMetricsServer() {
} }
}) })
l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server") l.WithField("listen", config.Get().Listen.Metrics).Info("Starting Metrics server")
err := http.ListenAndServe(config.Get().Listen.Metrics, m) err = http.ListenAndServe(config.Get().Listen.Metrics, m)
if err != nil { if err != nil {
l.WithError(err).Warning("Failed to start metrics server") l.WithError(err).Warning("Failed to start metrics server")
} }
l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server") l.WithField("listen", config.Get().Listen.Metrics).Info("Stopping Metrics server")
err = os.Remove(keyPath)
if err != nil {
l.WithError(err).Warning("failed to remove metrics key file")
}
} }

7
internal/web/static.go
View File

@ -42,8 +42,11 @@ func (ws *WebServer) configureStatic() {
// Media files, if backend is file // Media files, if backend is file
if config.Get().Storage.Media.Backend == "file" { if config.Get().Storage.Media.Backend == "file" {
fsMedia := http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)) fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
staticRouter.PathPrefix("/media/").Handler(http.StripPrefix("/media", fsMedia)) staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
fsMedia.ServeHTTP(w, r)
})
} }
staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/")))) staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))

5
internal/web/web.go
View File

@ -19,6 +19,7 @@ import (
"goauthentik.io/internal/config" "goauthentik.io/internal/config"
"goauthentik.io/internal/gounicorn" "goauthentik.io/internal/gounicorn"
"goauthentik.io/internal/outpost/proxyv2" "goauthentik.io/internal/outpost/proxyv2"
"goauthentik.io/internal/utils"
"goauthentik.io/internal/utils/web" "goauthentik.io/internal/utils/web"
"goauthentik.io/internal/web/brand_tls" "goauthentik.io/internal/web/brand_tls"
) )
@ -52,7 +53,7 @@ func NewWebServer() *WebServer {
loggingHandler.Use(web.NewLoggingHandler(l, nil)) loggingHandler.Use(web.NewLoggingHandler(l, nil))
tmp := os.TempDir() tmp := os.TempDir()
socketPath := path.Join(tmp, "authentik-core.sock") socketPath := path.Join(tmp, UnixSocketName)
// create http client to talk to backend, normal client if we're in debug more // create http client to talk to backend, normal client if we're in debug more
// and a client that connects to our socket when in non debug mode // and a client that connects to our socket when in non debug mode
@ -149,7 +150,7 @@ func (ws *WebServer) listenPlain() {
ws.log.WithError(err).Warning("failed to listen") ws.log.WithError(err).Warning("failed to listen")
return return
} }
proxyListener := &proxyproto.Listener{Listener: ln} proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server") ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")

2
internal/web/tls.go → internal/web/web_tls.go
View File

@ -45,7 +45,7 @@ func (ws *WebServer) listenTLS() {
ws.log.WithError(err).Warning("failed to listen (TLS)") ws.log.WithError(err).Warning("failed to listen (TLS)")
return return
} }
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}} proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close() defer proxyListener.Close()
tlsListener := tls.NewListener(proxyListener, tlsConfig) tlsListener := tls.NewListener(proxyListener, tlsConfig)

4
lifecycle/ak
View File

@ -54,7 +54,9 @@ function cleanup {
} }
function prepare_debug { function prepare_debug {
apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction
touch /unittest.xml touch /unittest.xml
chown authentik:authentik /unittest.xml chown authentik:authentik /unittest.xml

2
package.json
View File

@ -1,5 +1,5 @@
{ {
"name": "@goauthentik/authentik", "name": "@goauthentik/authentik",
"version": "2024.8.3", "version": "2024.10.3",
"private": true "private": true
} }

2
pyproject.toml
View File

@ -1,6 +1,6 @@
[tool.poetry] [tool.poetry]
name = "authentik" name = "authentik"
version = "2024.8.3" version = "2024.10.3"
description = "" description = ""
authors = ["authentik Team <hello@goauthentik.io>"] authors = ["authentik Team <hello@goauthentik.io>"]

90
schema.yml
View File

@ -1,7 +1,7 @@
openapi: 3.0.3 openapi: 3.0.3
info: info:
title: authentik title: authentik
version: 2024.8.3 version: 2024.10.3
description: Making authentication simple. description: Making authentication simple.
contact: contact:
email: hello@goauthentik.io email: hello@goauthentik.io
@ -20218,10 +20218,6 @@ paths:
format: uuid format: uuid
explode: true explode: true
style: form style: form
- in: query
name: redirect_uris
schema:
type: string
- in: query - in: query
name: refresh_token_validity name: refresh_token_validity
schema: schema:
@ -20637,10 +20633,6 @@ paths:
format: uuid format: uuid
explode: true explode: true
style: form style: form
- in: query
name: redirect_uris__iexact
schema:
type: string
- name: search - name: search
required: false required: false
in: query in: query
@ -39220,7 +39212,10 @@ components:
type: string type: string
js_url: js_url:
type: string type: string
interactive:
type: boolean
required: required:
- interactive
- js_url - js_url
- pending_user - pending_user
- pending_user_avatar - pending_user_avatar
@ -39276,6 +39271,8 @@ components:
type: string type: string
api_url: api_url:
type: string type: string
interactive:
type: boolean
score_min_threshold: score_min_threshold:
type: number type: number
format: double format: double
@ -39322,6 +39319,8 @@ components:
api_url: api_url:
type: string type: string
minLength: 1 minLength: 1
interactive:
type: boolean
score_min_threshold: score_min_threshold:
type: number type: number
format: double format: double
@ -42975,7 +42974,8 @@ components:
readOnly: true readOnly: true
spnego_server_name: spnego_server_name:
type: string type: string
description: Force the use of a specific server name for SPNEGO description: Force the use of a specific server name for SPNEGO. Must be
in the form HTTP@hostname
spnego_ccache: spnego_ccache:
type: string type: string
description: Credential cache to use for SPNEGO in form type:residual description: Credential cache to use for SPNEGO in form type:residual
@ -43144,7 +43144,8 @@ components:
be in the form TYPE:residual be in the form TYPE:residual
spnego_server_name: spnego_server_name:
type: string type: string
description: Force the use of a specific server name for SPNEGO description: Force the use of a specific server name for SPNEGO. Must be
in the form HTTP@hostname
spnego_keytab: spnego_keytab:
type: string type: string
writeOnly: true writeOnly: true
@ -44051,6 +44052,11 @@ components:
required: required:
- challenge - challenge
- name - name
MatchingModeEnum:
enum:
- strict
- regex
type: string
Metadata: Metadata:
type: object type: object
description: Serializer for blueprint metadata description: Serializer for blueprint metadata
@ -44753,8 +44759,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs. and returned as JWEs.
redirect_uris: redirect_uris:
type: string type: array
description: Enter each URI on a new line. items:
$ref: '#/components/schemas/RedirectURI'
sub_mode: sub_mode:
allOf: allOf:
- $ref: '#/components/schemas/SubModeEnum' - $ref: '#/components/schemas/SubModeEnum'
@ -44783,6 +44790,7 @@ components:
- meta_model_name - meta_model_name
- name - name
- pk - pk
- redirect_uris
- verbose_name - verbose_name
- verbose_name_plural - verbose_name_plural
OAuth2ProviderRequest: OAuth2ProviderRequest:
@ -44854,8 +44862,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs. and returned as JWEs.
redirect_uris: redirect_uris:
type: string type: array
description: Enter each URI on a new line. items:
$ref: '#/components/schemas/RedirectURIRequest'
sub_mode: sub_mode:
allOf: allOf:
- $ref: '#/components/schemas/SubModeEnum' - $ref: '#/components/schemas/SubModeEnum'
@ -44877,6 +44886,7 @@ components:
- authorization_flow - authorization_flow
- invalidation_flow - invalidation_flow
- name - name
- redirect_uris
OAuth2ProviderSetupURLs: OAuth2ProviderSetupURLs:
type: object type: object
description: OAuth2 Provider Metadata serializer description: OAuth2 Provider Metadata serializer
@ -44934,7 +44944,8 @@ components:
minLength: 1 minLength: 1
default: ak-provider-oauth2-device-code default: ak-provider-oauth2-device-code
code: code:
type: integer type: string
minLength: 1
required: required:
- code - code
OAuthDeviceCodeFinishChallenge: OAuthDeviceCodeFinishChallenge:
@ -47730,6 +47741,8 @@ components:
api_url: api_url:
type: string type: string
minLength: 1 minLength: 1
interactive:
type: boolean
score_min_threshold: score_min_threshold:
type: number type: number
format: double format: double
@ -48448,7 +48461,8 @@ components:
be in the form TYPE:residual be in the form TYPE:residual
spnego_server_name: spnego_server_name:
type: string type: string
description: Force the use of a specific server name for SPNEGO description: Force the use of a specific server name for SPNEGO. Must be
in the form HTTP@hostname
spnego_keytab: spnego_keytab:
type: string type: string
writeOnly: true writeOnly: true
@ -48871,8 +48885,9 @@ components:
description: Key used to encrypt the tokens. When set, tokens will be encrypted description: Key used to encrypt the tokens. When set, tokens will be encrypted
and returned as JWEs. and returned as JWEs.
redirect_uris: redirect_uris:
type: string type: array
description: Enter each URI on a new line. items:
$ref: '#/components/schemas/RedirectURIRequest'
sub_mode: sub_mode:
allOf: allOf:
- $ref: '#/components/schemas/SubModeEnum' - $ref: '#/components/schemas/SubModeEnum'
@ -49461,10 +49476,6 @@ components:
type: string type: string
format: uuid format: uuid
description: Flow used when authorizing this provider. description: Flow used when authorizing this provider.
invalidation_flow:
type: string
format: uuid
description: Flow used ending the session from a provider.
property_mappings: property_mappings:
type: array type: array
items: items:
@ -51696,10 +51707,6 @@ components:
type: string type: string
format: uuid format: uuid
description: Flow used when authorizing this provider. description: Flow used when authorizing this provider.
invalidation_flow:
type: string
format: uuid
description: Flow used ending the session from a provider.
property_mappings: property_mappings:
type: array type: array
items: items:
@ -51757,7 +51764,6 @@ components:
- assigned_backchannel_application_slug - assigned_backchannel_application_slug
- authorization_flow - authorization_flow
- component - component
- invalidation_flow
- meta_model_name - meta_model_name
- name - name
- outpost_set - outpost_set
@ -51781,10 +51787,6 @@ components:
type: string type: string
format: uuid format: uuid
description: Flow used when authorizing this provider. description: Flow used when authorizing this provider.
invalidation_flow:
type: string
format: uuid
description: Flow used ending the session from a provider.
property_mappings: property_mappings:
type: array type: array
items: items:
@ -51801,7 +51803,6 @@ components:
description: When set to true, connection tokens will be deleted upon disconnect. description: When set to true, connection tokens will be deleted upon disconnect.
required: required:
- authorization_flow - authorization_flow
- invalidation_flow
- name - name
RadiusCheckAccess: RadiusCheckAccess:
type: object type: object
@ -52075,6 +52076,29 @@ components:
type: string type: string
required: required:
- to - to
RedirectURI:
type: object
description: A single allowed redirect URI entry
properties:
matching_mode:
$ref: '#/components/schemas/MatchingModeEnum'
url:
type: string
required:
- matching_mode
- url
RedirectURIRequest:
type: object
description: A single allowed redirect URI entry
properties:
matching_mode:
$ref: '#/components/schemas/MatchingModeEnum'
url:
type: string
minLength: 1
required:
- matching_mode
- url
Reputation: Reputation:
type: object type: object
description: Reputation Serializer description: Reputation Serializer

19
tests/e2e/test_provider_oauth2_github.py
View File

@ -12,7 +12,12 @@ from authentik.flows.models import Flow
from authentik.lib.generators import generate_id, generate_key from authentik.lib.generators import generate_id, generate_key
from authentik.policies.expression.models import ExpressionPolicy from authentik.policies.expression.models import ExpressionPolicy
from authentik.policies.models import PolicyBinding from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
)
from tests.e2e.utils import SeleniumTestCase, retry from tests.e2e.utils import SeleniumTestCase, retry
@ -73,7 +78,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL, client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
Application.objects.create( Application.objects.create(
@ -128,7 +135,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL, client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
app = Application.objects.create( app = Application.objects.create(
@ -199,7 +208,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
client_type=ClientTypes.CONFIDENTIAL, client_type=ClientTypes.CONFIDENTIAL,
redirect_uris="http://localhost:3000/login/github", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/github")
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
app = Application.objects.create( app = Application.objects.create(

34
tests/e2e/test_provider_oauth2_grafana.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL, SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE, SCOPE_OPENID_PROFILE,
) )
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry from tests.e2e.utils import SeleniumTestCase, retry
@ -82,7 +88,7 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:3000/")],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -131,7 +137,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth", redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -200,7 +210,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth", redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
invalidation_flow=invalidation_flow, invalidation_flow=invalidation_flow,
) )
@ -275,7 +289,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth", redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(
@ -355,7 +373,11 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:3000/login/generic_oauth", redirect_uris=[
RedirectURI(
RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
)
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(

22
tests/e2e/test_provider_oidc.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL, SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE, SCOPE_OPENID_PROFILE,
) )
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry from tests.e2e.utils import SeleniumTestCase, retry
@ -67,7 +73,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -116,7 +122,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -188,7 +196,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(
@ -259,7 +269,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/auth/callback", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/auth/callback")
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(

22
tests/e2e/test_provider_oidc_implicit.py
View File

@ -19,7 +19,13 @@ from authentik.providers.oauth2.constants import (
SCOPE_OPENID_EMAIL, SCOPE_OPENID_EMAIL,
SCOPE_OPENID_PROFILE, SCOPE_OPENID_PROFILE,
) )
from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping from authentik.providers.oauth2.models import (
ClientTypes,
OAuth2Provider,
RedirectURI,
RedirectURIMatchingMode,
ScopeMapping,
)
from tests.e2e.utils import SeleniumTestCase, retry from tests.e2e.utils import SeleniumTestCase, retry
@ -68,7 +74,7 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/", redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/")],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -117,7 +123,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
authorization_flow=authorization_flow, authorization_flow=authorization_flow,
) )
provider.property_mappings.set( provider.property_mappings.set(
@ -170,7 +178,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(
@ -238,7 +248,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
client_id=self.client_id, client_id=self.client_id,
client_secret=self.client_secret, client_secret=self.client_secret,
signing_key=create_test_cert(), signing_key=create_test_cert(),
redirect_uris="http://localhost:9009/implicit/", redirect_uris=[
RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost:9009/implicit/")
],
) )
provider.property_mappings.set( provider.property_mappings.set(
ScopeMapping.objects.filter( ScopeMapping.objects.filter(

20
web/build.mjs
View File

@ -119,13 +119,22 @@ async function buildOneSource(source, dest) {
Date.now() - start Date.now() - start
}ms`, }ms`,
); );
return 0;
} catch (exc) { } catch (exc) {
console.error(`[${new Date(Date.now()).toISOString()}] Failed to build ${source}: ${exc}`); console.error(`[${new Date(Date.now()).toISOString()}] Failed to build ${source}: ${exc}`);
return 1;
} }
} }
async function buildAuthentik(interfaces) { async function buildAuthentik(interfaces) {
await Promise.allSettled(interfaces.map(([source, dest]) => buildOneSource(source, dest))); const code = await Promise.allSettled(
interfaces.map(([source, dest]) => buildOneSource(source, dest)),
);
const finalCode = code.reduce((a, res) => a + res.value, 0);
if (finalCode > 0) {
return 1;
}
return 0;
} }
let timeoutId = null; let timeoutId = null;
@ -163,11 +172,12 @@ if (process.argv.length > 2 && (process.argv[2] === "-w" || process.argv[2] ===
}); });
} else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) { } else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) {
// There's no watch-for-proxy, sorry. // There's no watch-for-proxy, sorry.
await buildAuthentik( process.exit(
interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)), await buildAuthentik(
interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)),
),
); );
process.exit(0);
} else { } else {
// And the fallback: just build it. // And the fallback: just build it.
await buildAuthentik(interfaces); process.exit(await buildAuthentik(interfaces));
} }

54
web/package-lock.json generated
View File

@ -23,7 +23,7 @@
"@floating-ui/dom": "^1.6.11", "@floating-ui/dom": "^1.6.11",
"@formatjs/intl-listformat": "^7.5.7", "@formatjs/intl-listformat": "^7.5.7",
"@fortawesome/fontawesome-free": "^6.6.0", "@fortawesome/fontawesome-free": "^6.6.0",
"@goauthentik/api": "^2024.8.3-1729836831", "@goauthentik/api": "^2024.10.2-1732196831",
"@lit-labs/ssr": "^3.2.2", "@lit-labs/ssr": "^3.2.2",
"@lit/context": "^1.1.2", "@lit/context": "^1.1.2",
"@lit/localize": "^0.12.2", "@lit/localize": "^0.12.2",
@ -84,7 +84,7 @@
"@wdio/cli": "^9.1.2", "@wdio/cli": "^9.1.2",
"@wdio/spec-reporter": "^9.1.2", "@wdio/spec-reporter": "^9.1.2",
"chokidar": "^4.0.1", "chokidar": "^4.0.1",
"chromedriver": "^129.0.2", "chromedriver": "^130.0.4",
"esbuild": "^0.24.0", "esbuild": "^0.24.0",
"eslint": "^9.11.1", "eslint": "^9.11.1",
"eslint-plugin-lit": "^1.15.0", "eslint-plugin-lit": "^1.15.0",
@ -1775,9 +1775,9 @@
} }
}, },
"node_modules/@goauthentik/api": { "node_modules/@goauthentik/api": {
"version": "2024.8.3-1729836831", "version": "2024.10.2-1732196831",
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.8.3-1729836831.tgz", "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.10.2-1732196831.tgz",
"integrity": "sha512-nOgvjYQiK+HhWuiZ635h/aSsq7Mfj5cDrIyBJt+IJRQuJFtnnHx8nscRXKK/8sBl9obH2zMCoZgeqytK8145bg==" "integrity": "sha512-+JU9XrgCjAp3wPC9elENVGLaUm0V2jPGV1ewhCYQnkKRIFQmJY9t/SIvbM7nPCCXJwgmpPTMaLT5McrE8ybWOg=="
}, },
"node_modules/@goauthentik/web": { "node_modules/@goauthentik/web": {
"resolved": "", "resolved": "",
@ -3517,6 +3517,12 @@
"win32" "win32"
] ]
}, },
"node_modules/@scarf/scarf": {
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/@scarf/scarf/-/scarf-1.4.0.tgz",
"integrity": "sha512-xxeapPiUXdZAE3che6f3xogoJPeZgig6omHEy1rIY5WVsB3H2BHNnZH+gHG6x91SCWyQCzWGsuL2Hh3ClO5/qQ==",
"hasInstallScript": true
},
"node_modules/@sec-ant/readable-stream": { "node_modules/@sec-ant/readable-stream": {
"version": "0.4.1", "version": "0.4.1",
"resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz", "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz",
@ -8693,9 +8699,9 @@
} }
}, },
"node_modules/chromedriver": { "node_modules/chromedriver": {
"version": "129.0.2", "version": "130.0.4",
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-129.0.2.tgz", "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-130.0.4.tgz",
"integrity": "sha512-rUEFCJAmAwOdFfaDFtveT97fFeA7NOxlkgyPyN+G09Ws4qGW39aLDxMQBbS9cxQQHhTihqZZobgF5CLVYXnmGA==", "integrity": "sha512-lpR+PWXszij1k4Ig3t338Zvll9HtCTiwoLM7n4pCCswALHxzmgwaaIFBh3rt9+5wRk9D07oFblrazrBxwaYYAQ==",
"dev": true, "dev": true,
"hasInstallScript": true, "hasInstallScript": true,
"dependencies": { "dependencies": {
@ -9052,9 +9058,10 @@
"dev": true "dev": true
}, },
"node_modules/cookie": { "node_modules/cookie": {
"version": "0.6.0", "version": "0.7.1",
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz",
"integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==",
"dev": true,
"engines": { "engines": {
"node": ">= 0.6" "node": ">= 0.6"
} }
@ -11404,9 +11411,9 @@
} }
}, },
"node_modules/express": { "node_modules/express": {
"version": "4.21.0", "version": "4.21.1",
"resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
"integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"accepts": "~1.3.8", "accepts": "~1.3.8",
@ -11414,7 +11421,7 @@
"body-parser": "1.20.3", "body-parser": "1.20.3",
"content-disposition": "0.5.4", "content-disposition": "0.5.4",
"content-type": "~1.0.4", "content-type": "~1.0.4",
"cookie": "0.6.0", "cookie": "0.7.1",
"cookie-signature": "1.0.6", "cookie-signature": "1.0.6",
"debug": "2.6.9", "debug": "2.6.9",
"depd": "2.0.0", "depd": "2.0.0",
@ -19537,17 +19544,18 @@
} }
}, },
"node_modules/swagger-client": { "node_modules/swagger-client": {
"version": "3.29.3", "version": "3.31.0",
"resolved": "https://registry.npmjs.org/swagger-client/-/swagger-client-3.29.3.tgz", "resolved": "https://registry.npmjs.org/swagger-client/-/swagger-client-3.31.0.tgz",
"integrity": "sha512-OhhMAO2dwDEaxtUNDxwaqzw75uiZY5lX/2vx+U6eKCYZYhXWQ5mylU/0qfk/xMR20VyitsnzRc6KcFFjRoCS7A==", "integrity": "sha512-hVYift5XB8nOgNJVl6cbNtVTVPT2Fdx2wCOcIvuAFcyq0Mwe6+70ezoZ5WfiaIAzzwWfq72jyaLeg8TViGNSmw==",
"dependencies": { "dependencies": {
"@babel/runtime-corejs3": "^7.22.15", "@babel/runtime-corejs3": "^7.22.15",
"@scarf/scarf": "=1.4.0",
"@swagger-api/apidom-core": ">=1.0.0-alpha.9 <1.0.0-beta.0", "@swagger-api/apidom-core": ">=1.0.0-alpha.9 <1.0.0-beta.0",
"@swagger-api/apidom-error": ">=1.0.0-alpha.9 <1.0.0-beta.0", "@swagger-api/apidom-error": ">=1.0.0-alpha.9 <1.0.0-beta.0",
"@swagger-api/apidom-json-pointer": ">=1.0.0-alpha.9 <1.0.0-beta.0", "@swagger-api/apidom-json-pointer": ">=1.0.0-alpha.9 <1.0.0-beta.0",
"@swagger-api/apidom-ns-openapi-3-1": ">=1.0.0-alpha.9 <1.0.0-beta.0", "@swagger-api/apidom-ns-openapi-3-1": ">=1.0.0-alpha.9 <1.0.0-beta.0",
"@swagger-api/apidom-reference": ">=1.0.0-alpha.9 <1.0.0-beta.0", "@swagger-api/apidom-reference": ">=1.0.0-alpha.9 <1.0.0-beta.0",
"cookie": "~0.6.0", "cookie": "~0.7.2",
"deepmerge": "~4.3.0", "deepmerge": "~4.3.0",
"fast-json-patch": "^3.0.0-1", "fast-json-patch": "^3.0.0-1",
"js-yaml": "^4.1.0", "js-yaml": "^4.1.0",
@ -19560,6 +19568,14 @@
"ramda-adjunct": "^5.0.0" "ramda-adjunct": "^5.0.0"
} }
}, },
"node_modules/swagger-client/node_modules/cookie": {
"version": "0.7.2",
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
"integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
"engines": {
"node": ">= 0.6"
}
},
"node_modules/syncpack": { "node_modules/syncpack": {
"version": "13.0.0", "version": "13.0.0",
"resolved": "https://registry.npmjs.org/syncpack/-/syncpack-13.0.0.tgz", "resolved": "https://registry.npmjs.org/syncpack/-/syncpack-13.0.0.tgz",

10
web/package.json
View File

@ -11,7 +11,7 @@
"@floating-ui/dom": "^1.6.11", "@floating-ui/dom": "^1.6.11",
"@formatjs/intl-listformat": "^7.5.7", "@formatjs/intl-listformat": "^7.5.7",
"@fortawesome/fontawesome-free": "^6.6.0", "@fortawesome/fontawesome-free": "^6.6.0",
"@goauthentik/api": "^2024.8.3-1729836831", "@goauthentik/api": "^2024.10.2-1732196831",
"@lit-labs/ssr": "^3.2.2", "@lit-labs/ssr": "^3.2.2",
"@lit/context": "^1.1.2", "@lit/context": "^1.1.2",
"@lit/localize": "^0.12.2", "@lit/localize": "^0.12.2",
@ -72,7 +72,7 @@
"@wdio/cli": "^9.1.2", "@wdio/cli": "^9.1.2",
"@wdio/spec-reporter": "^9.1.2", "@wdio/spec-reporter": "^9.1.2",
"chokidar": "^4.0.1", "chokidar": "^4.0.1",
"chromedriver": "^129.0.2", "chromedriver": "^130.0.4",
"esbuild": "^0.24.0", "esbuild": "^0.24.0",
"eslint": "^9.11.1", "eslint": "^9.11.1",
"eslint-plugin-lit": "^1.15.0", "eslint-plugin-lit": "^1.15.0",
@ -328,12 +328,18 @@
}, },
"test:e2e:watch": { "test:e2e:watch": {
"command": "wdio run ./tests/wdio.conf.ts", "command": "wdio run ./tests/wdio.conf.ts",
"dependencies": [
"build"
],
"env": { "env": {
"TS_NODE_PROJECT": "./tests/tsconfig.test.json" "TS_NODE_PROJECT": "./tests/tsconfig.test.json"
} }
}, },
"test:watch": { "test:watch": {
"command": "wdio run ./wdio.conf.ts", "command": "wdio run ./wdio.conf.ts",
"dependencies": [
"build"
],
"env": { "env": {
"TS_NODE_PROJECT": "tsconfig.test.json" "TS_NODE_PROJECT": "tsconfig.test.json"
} }

100
web/src/admin/admin-settings/AdminSettingsFooterLinks.ts Normal file
View File

@ -0,0 +1,100 @@
import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
import { type Spread } from "@goauthentik/elements/types";
import { spread } from "@open-wc/lit-helpers";
import { msg } from "@lit/localize";
import { css, html } from "lit";
import { customElement, property, queryAll } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
import { FooterLink } from "@goauthentik/api";
export interface IFooterLinkInput {
footerLink: FooterLink;
}
const LEGAL_SCHEMES = ["http://", "https://", "mailto:"];
const hasLegalScheme = (url: string) =>
LEGAL_SCHEMES.some((scheme) => url.substr(0, scheme.length).toLowerCase() === scheme);
@customElement("ak-admin-settings-footer-link")
export class FooterLinkInput extends AkControlElement<FooterLink> {
static get styles() {
return [
PFBase,
PFInputGroup,
PFFormControl,
css`
.pf-c-input-group input#linkname {
flex-grow: 1;
width: 8rem;
}
`,
];
}
@property({ type: Object, attribute: false })
footerLink: FooterLink = {
name: "",
href: "",
};
@queryAll(".ak-form-control")
controls?: HTMLInputElement[];
json() {
return Object.fromEntries(
Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
) as unknown as FooterLink;
}
get isValid() {
const href = this.json()?.href ?? "";
return hasLegalScheme(href) && URL.canParse(href);
}
render() {
const onChange = () => {
this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
};
return html` <div class="pf-c-input-group">
<input
type="text"
@change=${onChange}
value=${this.footerLink.name}
id="linkname"
class="pf-c-form-control ak-form-control"
name="name"
placeholder=${msg("Link Title")}
tabindex="1"
/>
<input
type="text"
@change=${onChange}
value="${ifDefined(this.footerLink.href ?? undefined)}"
class="pf-c-form-control ak-form-control"
required
placeholder=${msg("URL")}
name="href"
tabindex="1"
/>
</div>`;
}
}
export function akFooterLinkInput(properties: IFooterLinkInput) {
return html`<ak-admin-settings-footer-link
${spread(properties as unknown as Spread)}
></ak-admin-settings-footer-link>`;
}
declare global {
interface HTMLElementTagNameMap {
"ak-admin-settings-footer-link": FooterLinkInput;
}
}

37
web/src/admin/admin-settings/AdminSettingsForm.ts
View File

@ -3,8 +3,7 @@ import { first } from "@goauthentik/common/utils";
import "@goauthentik/components/ak-number-input"; import "@goauthentik/components/ak-number-input";
import "@goauthentik/components/ak-switch-input"; import "@goauthentik/components/ak-switch-input";
import "@goauthentik/components/ak-text-input"; import "@goauthentik/components/ak-text-input";
import "@goauthentik/elements/CodeMirror"; import "@goauthentik/elements/ak-array-input.js";
import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
import { Form } from "@goauthentik/elements/forms/Form"; import { Form } from "@goauthentik/elements/forms/Form";
import "@goauthentik/elements/forms/FormGroup"; import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement"; import "@goauthentik/elements/forms/HorizontalFormElement";
@ -13,13 +12,16 @@ import "@goauthentik/elements/forms/SearchSelect";
import "@goauthentik/elements/utils/TimeDeltaHelp"; import "@goauthentik/elements/utils/TimeDeltaHelp";
import { msg } from "@lit/localize"; import { msg } from "@lit/localize";
import { CSSResult, TemplateResult, html } from "lit"; import { CSSResult, TemplateResult, css, html } from "lit";
import { customElement, property } from "lit/decorators.js"; import { customElement, property } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js"; import { ifDefined } from "lit/directives/if-defined.js";
import PFList from "@patternfly/patternfly/components/List/list.css"; import PFList from "@patternfly/patternfly/components/List/list.css";
import { AdminApi, Settings, SettingsRequest } from "@goauthentik/api"; import { AdminApi, FooterLink, Settings, SettingsRequest } from "@goauthentik/api";
import "./AdminSettingsFooterLinks.js";
import { IFooterLinkInput, akFooterLinkInput } from "./AdminSettingsFooterLinks.js";
@customElement("ak-admin-settings-form") @customElement("ak-admin-settings-form")
export class AdminSettingsForm extends Form<SettingsRequest> { export class AdminSettingsForm extends Form<SettingsRequest> {
@ -40,7 +42,14 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
private _settings?: Settings; private _settings?: Settings;
static get styles(): CSSResult[] { static get styles(): CSSResult[] {
return super.styles.concat(PFList); return super.styles.concat(
PFList,
css`
ak-array-input {
width: 100%;
}
`,
);
} }
getSuccessMessage(): string { getSuccessMessage(): string {
@ -166,15 +175,21 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
> >
</ak-text-input> </ak-text-input>
<ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks"> <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks">
<ak-codemirror <ak-array-input
mode=${CodeMirrorMode.YAML} .items=${this._settings?.footerLinks ?? []}
.value="${first(this._settings?.footerLinks, [])}" .newItem=${() => ({ name: "", href: "" })}
></ak-codemirror> .row=${(f?: FooterLink) =>
akFooterLinkInput({
".footerLink": f,
"style": "width: 100%",
"name": "footer-link",
} as unknown as IFooterLinkInput)}
>
</ak-array-input>
<p class="pf-c-form__helper-text"> <p class="pf-c-form__helper-text">
${msg( ${msg(
"This option configures the footer links on the flow executor pages. It must be a valid YAML or JSON list and can be used as follows:", "This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.",
)} )}
<code>[{"name": "Link Name","href":"https://goauthentik.io"}]</code>
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-switch-input <ak-switch-input

80
web/src/admin/admin-settings/stories/AdminSettingsFooterLinks.stories.ts Normal file
View File

@ -0,0 +1,80 @@
import "@goauthentik/elements/messages/MessageContainer";
import { Meta, StoryObj, WebComponentsRenderer } from "@storybook/web-components";
import { DecoratorFunction } from "storybook/internal/types";
import { html } from "lit";
import { FooterLinkInput } from "../AdminSettingsFooterLinks.js";
import "../AdminSettingsFooterLinks.js";
// eslint-disable-next-line @typescript-eslint/no-explicit-any
type Decorator = DecoratorFunction<WebComponentsRenderer, any>;
const metadata: Meta<FooterLinkInput> = {
title: "Components / Footer Link Input",
component: "ak-admin-settings-footer-link",
parameters: {
docs: {
description: {
component: "A stylized control for the footer links",
},
},
},
decorators: [
(story: Decorator) => {
window.setTimeout(() => {
const control = document.getElementById("footer-link");
if (!control) {
throw new Error("Test was not initialized correctly.");
}
const messages = document.getElementById("reported-value");
control.addEventListener("change", (event: Event) => {
if (!event.target) {
return;
}
const target = event.target as FooterLinkInput;
messages!.innerText = `${JSON.stringify(target.json(), null, 2)}\n\nValid: ${target.isValid ? "Yes" : "No"}`;
});
}, 250);
return html`<div
style="background: #fff; padding: 2em; position: relative"
id="the-main-event"
>
<style>
li {
display: block;
}
p {
margin-top: 1em;
}
#the-answer-block {
padding-top: 3em;
}
</style>
<div>
${
// @ts-expect-error The types for web components are not well-defined }
story()
}
</div>
<div style="margin-top: 2rem">
<p>Reported value:</p>
<pre id="reported-value"></pre>
</div>
</div>`;
},
],
};
export default metadata;
type Story = StoryObj;
export const Default: Story = {
render: () =>
html` <ak-admin-settings-footer-link
id="footer-link"
name="the-footer"
></ak-admin-settings-footer-link>`,
};

68
web/src/admin/admin-settings/stories/AdminSettingsFooterLinks.test.ts Normal file
View File

@ -0,0 +1,68 @@
import { render } from "@goauthentik/elements/tests/utils.js";
import { $, expect } from "@wdio/globals";
import { html } from "lit";
import "../AdminSettingsFooterLinks.js";
describe("ak-admin-settings-footer-link", () => {
afterEach(async () => {
await browser.execute(async () => {
await document.body.querySelector("ak-admin-settings-footer-link")?.remove();
if (document.body["_$litPart$"]) {
// @ts-expect-error expression of type '"_$litPart$"' is added by Lit
await delete document.body["_$litPart$"];
}
});
});
it("should render an empty control", async () => {
render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
const link = await $("ak-admin-settings-footer-link");
await expect(await link.getProperty("isValid")).toStrictEqual(false);
await expect(await link.getProperty("toJson")).toEqual({ name: "", href: "" });
});
it("should not be valid if just a name is filled in", async () => {
render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
const link = await $("ak-admin-settings-footer-link");
await link.$('input[name="name"]').setValue("foo");
await expect(await link.getProperty("isValid")).toStrictEqual(false);
await expect(await link.getProperty("toJson")).toEqual({ name: "foo", href: "" });
});
it("should be valid if just a URL is filled in", async () => {
render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
const link = await $("ak-admin-settings-footer-link");
await link.$('input[name="href"]').setValue("https://foo.com");
await expect(await link.getProperty("isValid")).toStrictEqual(true);
await expect(await link.getProperty("toJson")).toEqual({
name: "",
href: "https://foo.com",
});
});
it("should be valid if both are filled in", async () => {
render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
const link = await $("ak-admin-settings-footer-link");
await link.$('input[name="name"]').setValue("foo");
await link.$('input[name="href"]').setValue("https://foo.com");
await expect(await link.getProperty("isValid")).toStrictEqual(true);
await expect(await link.getProperty("toJson")).toEqual({
name: "foo",
href: "https://foo.com",
});
});
it("should not be valid if the URL is not valid", async () => {
render(html`<ak-admin-settings-footer-link name="link"></ak-admin-settings-footer-link>`);
const link = await $("ak-admin-settings-footer-link");
await link.$('input[name="name"]').setValue("foo");
await link.$('input[name="href"]').setValue("never://foo.com");
await expect(await link.getProperty("toJson")).toEqual({
name: "foo",
href: "never://foo.com",
});
await expect(await link.getProperty("isValid")).toStrictEqual(false);
});
});

2
web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts
View File

@ -97,7 +97,7 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro
</ak-radio-input> </ak-radio-input>
<ak-switch-input <ak-switch-input
name="openInNewTab" name="mfaSupport"
label=${msg("Code-based MFA Support")} label=${msg("Code-based MFA Support")}
?checked=${provider?.mfaSupport ?? true} ?checked=${provider?.mfaSupport ?? true}
help=${mfaSupportHelp} help=${mfaSupportHelp}

45
web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
View File

@ -1,11 +1,16 @@
import "@goauthentik/admin/common/ak-crypto-certificate-search"; import "@goauthentik/admin/common/ak-crypto-certificate-search";
import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
import {
IRedirectURIInput,
akOAuthRedirectURIInput,
} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
import "@goauthentik/components/ak-radio-input"; import "@goauthentik/components/ak-radio-input";
import "@goauthentik/components/ak-text-input"; import "@goauthentik/components/ak-text-input";
import "@goauthentik/components/ak-textarea-input"; import "@goauthentik/components/ak-textarea-input";
import "@goauthentik/elements/ak-array-input.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
import "@goauthentik/elements/forms/FormGroup"; import "@goauthentik/elements/forms/FormGroup";
@ -15,7 +20,7 @@ import "@goauthentik/elements/forms/SearchSelect";
import "@goauthentik/elements/utils/TimeDeltaHelp"; import "@goauthentik/elements/utils/TimeDeltaHelp";
import { msg } from "@lit/localize"; import { msg } from "@lit/localize";
import { TemplateResult, html } from "lit"; import { TemplateResult, css, html } from "lit";
import { customElement, state } from "lit/decorators.js"; import { customElement, state } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js"; import { ifDefined } from "lit/directives/if-defined.js";
@ -23,8 +28,10 @@ import {
ClientTypeEnum, ClientTypeEnum,
FlowsInstancesListDesignationEnum, FlowsInstancesListDesignationEnum,
IssuerModeEnum, IssuerModeEnum,
MatchingModeEnum,
OAuth2Provider, OAuth2Provider,
ProvidersApi, ProvidersApi,
RedirectURI,
SubModeEnum, SubModeEnum,
} from "@goauthentik/api"; } from "@goauthentik/api";
@ -98,13 +105,13 @@ export const issuerModeOptions = [
const redirectUriHelpMessages = [ const redirectUriHelpMessages = [
msg( msg(
"Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.", "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
), ),
msg( msg(
"If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.", "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
), ),
msg( msg(
'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.', 'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
), ),
]; ];
@ -124,11 +131,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
@state() @state()
showClientSecret = true; showClientSecret = true;
@state()
redirectUris: RedirectURI[] = [];
static get styles() {
return super.styles.concat(css`
ak-array-input {
width: 100%;
}
`);
}
async loadInstance(pk: number): Promise<OAuth2Provider> { async loadInstance(pk: number): Promise<OAuth2Provider> {
const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({ const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({
id: pk, id: pk,
}); });
this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential; this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
this.redirectUris = provider.redirectUris;
return provider; return provider;
} }
@ -203,13 +222,23 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
?hidden=${!this.showClientSecret} ?hidden=${!this.showClientSecret}
> >
</ak-text-input> </ak-text-input>
<ak-textarea-input <ak-form-element-horizontal
label=${msg("Redirect URIs/Origins")}
required
name="redirectUris" name="redirectUris"
label=${msg("Redirect URIs/Origins (RegEx)")}
.value=${provider?.redirectUris}
.bighelp=${redirectUriHelp}
> >
</ak-textarea-input> <ak-array-input
.items=${this.instance?.redirectUris ?? []}
.newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
.row=${(f?: RedirectURI) =>
akOAuthRedirectURIInput({
".redirectURI": f,
"style": "width: 100%",
} as unknown as IRedirectURIInput)}
>
</ak-array-input>
${redirectUriHelp}
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey"> <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
<!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements --> <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->

104
web/src/admin/providers/oauth2/OAuth2ProviderRedirectURI.ts Normal file
View File

@ -0,0 +1,104 @@
import "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
import { AkControlElement } from "@goauthentik/elements/AkControlElement.js";
import { type Spread } from "@goauthentik/elements/types";
import { spread } from "@open-wc/lit-helpers";
import { msg } from "@lit/localize";
import { css, html } from "lit";
import { customElement, property, queryAll } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js";
import PFFormControl from "@patternfly/patternfly/components/FormControl/form-control.css";
import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
import { MatchingModeEnum, RedirectURI } from "@goauthentik/api";
export interface IRedirectURIInput {
redirectURI: RedirectURI;
}
@customElement("ak-provider-oauth2-redirect-uri")
export class OAuth2ProviderRedirectURI extends AkControlElement<RedirectURI> {
static get styles() {
return [
PFBase,
PFInputGroup,
PFFormControl,
css`
.pf-c-input-group select {
width: 10em;
}
`,
];
}
@property({ type: Object, attribute: false })
redirectURI: RedirectURI = {
matchingMode: MatchingModeEnum.Strict,
url: "",
};
@queryAll(".ak-form-control")
controls?: HTMLInputElement[];
json() {
return Object.fromEntries(
Array.from(this.controls ?? []).map((control) => [control.name, control.value]),
) as unknown as RedirectURI;
}
get isValid() {
return true;
}
render() {
const onChange = () => {
this.dispatchEvent(new Event("change", { composed: true, bubbles: true }));
};
return html`<div class="pf-c-input-group">
<select
name="matchingMode"
class="pf-c-form-control ak-form-control"
@change=${onChange}
>
<option
value="${MatchingModeEnum.Strict}"
?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Strict}
>
${msg("Strict")}
</option>
<option
value="${MatchingModeEnum.Regex}"
?selected=${this.redirectURI.matchingMode === MatchingModeEnum.Regex}
>
${msg("Regex")}
</option>
</select>
<input
type="text"
@change=${onChange}
value="${ifDefined(this.redirectURI.url ?? undefined)}"
class="pf-c-form-control ak-form-control"
required
id="url"
placeholder=${msg("URL")}
name="href"
tabindex="1"
/>
</div>`;
}
}
export function akOAuthRedirectURIInput(properties: IRedirectURIInput) {
return html`<ak-provider-oauth2-redirect-uri
${spread(properties as unknown as Spread)}
></ak-provider-oauth2-redirect-uri>`;
}
declare global {
interface HTMLElementTagNameMap {
"ak-provider-oauth2-redirect-uri": OAuth2ProviderRedirectURI;
}
}

6
web/src/admin/providers/rac/RACProviderViewPage.ts
View File

@ -129,11 +129,7 @@ export class RACProviderViewPage extends AKElement {
if (!this.provider) { if (!this.provider) {
return html``; return html``;
} }
return html`<div slot="header" class="pf-c-banner pf-m-info"> return html`${this.provider?.assignedApplicationName
${msg("RAC is in preview.")}
<a href="mailto:hello+feature/rac@goauthentik.io">${msg("Send us feedback!")}</a>
</div>
${this.provider?.assignedApplicationName
? html`` ? html``
: html`<div slot="header" class="pf-c-banner pf-m-warning"> : html`<div slot="header" class="pf-c-banner pf-m-warning">
${msg("Warning: Provider is not used by an Application.")} ${msg("Warning: Provider is not used by an Application.")}

Some files were not shown because too many files have changed in this diff Show More