providers/oauth2: if no scopes are sent in authorize request, select all configured scopes

closes #3112

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-07-01 18:29:24 +02:00
parent d11ce0a86e
commit 23273f53cc
3 changed files with 40 additions and 5 deletions

View File

@ -55,6 +55,7 @@ from authentik.providers.oauth2.models import (
OAuth2Provider, OAuth2Provider,
ResponseMode, ResponseMode,
ResponseTypes, ResponseTypes,
ScopeMapping,
) )
from authentik.providers.oauth2.utils import HttpResponseRedirectScheme from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
from authentik.providers.oauth2.views.userinfo import UserInfoView from authentik.providers.oauth2.views.userinfo import UserInfoView
@ -215,6 +216,16 @@ class OAuthAuthorizationParams:
def check_scope(self): def check_scope(self):
"""Ensure openid scope is set in Hybrid flows, or when requesting an id_token""" """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
if len(self.scope) == 0:
default_scope_names = set(
ScopeMapping.objects.filter(provider__in=[self.provider]).values_list(
"scope_name", flat=True
)
)
self.scope = default_scope_names
LOGGER.info(
"No scopes requested, defaulting to all configured scopes", scopes=self.scope
)
if SCOPE_OPENID not in self.scope and ( if SCOPE_OPENID not in self.scope and (
self.grant_type == GrantTypes.HYBRID self.grant_type == GrantTypes.HYBRID
or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN] or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
@ -240,11 +251,8 @@ class OAuthAuthorizationParams:
def check_code_challenge(self): def check_code_challenge(self):
"""PKCE validation of the transformation method.""" """PKCE validation of the transformation method."""
if self.code_challenge: if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
if not (self.code_challenge_method in ["plain", "S256"]): raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
raise AuthorizeError(
self.redirect_uri, "invalid_request", self.grant_type, self.state
)
def create_code(self, request: HttpRequest) -> AuthorizationCode: def create_code(self, request: HttpRequest) -> AuthorizationCode:
"""Create an AuthorizationCode object for the request""" """Create an AuthorizationCode object for the request"""

View File

@ -55,3 +55,26 @@ if "my-admin-scope" in request.context["oauth_scopes"]:
return ak_is_group_member(request.user, name="my-admin-group") return ak_is_group_member(request.user, name="my-admin-group")
return True return True
``` ```
## Special scopes
#### GitHub compatibility
- `user`: No-op, is accepted for compatibility but does not give access to any resources
- `read:user`: Same as above
- `user:email`: Allows read-only access to `/user`, including email address
- `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams.
#### authentik
- `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user
## Default scopes
:::info
Requires authentik 2022.7
:::
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requrested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.
This does _not_ apply to special scopes, as those are not configurable in the provider.

View File

@ -30,6 +30,10 @@ slug: "2022.7"
Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates. Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates.
- OAuth2 Provider default Scopes
Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration.
## Minor changes/fixes ## Minor changes/fixes
- api: add basic jwt support with required scope (#2624) - api: add basic jwt support with required scope (#2624)