import "@goauthentik/admin/common/ak-crypto-certificate-search"; import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; import "@goauthentik/components/ak-radio-input"; import "@goauthentik/components/ak-text-input"; import "@goauthentik/components/ak-textarea-input"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js"; import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js"; import "@goauthentik/elements/forms/FormGroup"; import "@goauthentik/elements/forms/HorizontalFormElement"; import "@goauthentik/elements/forms/Radio"; import "@goauthentik/elements/forms/SearchSelect"; import "@goauthentik/elements/utils/TimeDeltaHelp"; import { msg } from "@lit/localize"; import { TemplateResult, html } from "lit"; import { customElement, state } from "lit/decorators.js"; import { ifDefined } from "lit/directives/if-defined.js"; import { ClientTypeEnum, FlowsInstancesListDesignationEnum, IssuerModeEnum, OAuth2Provider, ProvidersApi, SubModeEnum, } from "@goauthentik/api"; import { makeOAuth2PropertyMappingsSelector, oauth2PropertyMappingsProvider, } from "./OAuth2PropertyMappings.js"; import { makeSourceSelector, oauth2SourcesProvider } from "./OAuth2Sources.js"; export const clientTypeOptions = [ { label: msg("Confidential"), value: ClientTypeEnum.Confidential, default: true, description: html`${msg( "Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets", )}`, }, { label: msg("Public"), value: ClientTypeEnum.Public, description: html`${msg( "Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. ", )}`, }, ]; export const subjectModeOptions = [ { label: msg("Based on the User's hashed ID"), value: SubModeEnum.HashedUserId, default: true, }, { label: msg("Based on the User's ID"), value: SubModeEnum.UserId, }, { label: msg("Based on the User's UUID"), value: SubModeEnum.UserUuid, }, { label: msg("Based on the User's username"), value: SubModeEnum.UserUsername, }, { label: msg("Based on the User's Email"), value: SubModeEnum.UserEmail, description: html`${msg("This is recommended over the UPN mode.")}`, }, { label: msg("Based on the User's UPN"), value: SubModeEnum.UserUpn, description: html`${msg( "Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.", )}`, }, ]; export const issuerModeOptions = [ { label: msg("Each provider has a different issuer, based on the application slug"), value: IssuerModeEnum.PerProvider, default: true, }, { label: msg("Same identifier is used for all providers"), value: IssuerModeEnum.Global, }, ]; const redirectUriHelpMessages = [ msg( "Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.", ), msg( "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.", ), msg( 'To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.', ), ]; export const redirectUriHelp = html`${redirectUriHelpMessages.map( (m) => html`

${m}

`, )}`; /** * Form page for OAuth2 Authentication Method * * @element ak-provider-oauth2-form * */ @customElement("ak-provider-oauth2-form") export class OAuth2ProviderFormPage extends BaseProviderForm { @state() showClientSecret = true; async loadInstance(pk: number): Promise { const provider = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2Retrieve({ id: pk, }); this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential; return provider; } async send(data: OAuth2Provider): Promise { if (this.instance) { return new ProvidersApi(DEFAULT_CONFIG).providersOauth2Update({ id: this.instance.pk, oAuth2ProviderRequest: data, }); } else { return new ProvidersApi(DEFAULT_CONFIG).providersOauth2Create({ oAuth2ProviderRequest: data, }); } } renderForm(): TemplateResult { const provider = this.instance; return html`

${msg("Flow used when a user access this provider and is not authenticated.")}

${msg("Flow used when authorizing this provider.")}

${msg("Protocol settings")}

) => { this.showClientSecret = ev.detail.value !== ClientTypeEnum.Public; }} .options=${clientTypeOptions} >

${msg("Key used to sign the tokens.")}

${msg("Advanced protocol settings")}

${msg("Configure how long access codes are valid for.")}

`} >

${msg("Configure how long access tokens are valid for.")}

`} >

${msg("Configure how long refresh tokens are valid for.")}

`} >

${msg( "Select which scopes can be used by the client. The client still has to specify the scope to access the data.", )}

${msg("Machine-to-Machine authentication settings")}

${msg( "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.", )}

`; } } declare global { interface HTMLElementTagNameMap { "ak-provider-oauth2-form": OAuth2ProviderFormPage; } }