From 4d7d700afa40971e393ed9a84b1dd7a33354eb49 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 12 Jan 2022 22:19:59 +0100
Subject: [PATCH] providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/views/authorize.py | 17 ++++++++++++-----
 authentik/providers/oauth2/views/token.py | 16 +++++++++-------
 web/src/locales/en.po | 12 ++++++++++--
 web/src/locales/fr_FR.po | 12 ++++++++++--
 web/src/locales/pseudo-LOCALE.po | 10 +++++++++-
 web/src/locales/tr.po | 12 ++++++++++--
 .../providers/oauth2/OAuth2ProviderForm.ts | 5 ++++-
 7 files changed, 64 insertions(+), 20 deletions(-)
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 070925618..abaad8049 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
 # and POST request.
 query_dict = request.POST if request.method == "POST" else request.GET
 state = query_dict.get("state")
- redirect_uri = query_dict.get("redirect_uri", "")
+ redirect_uri = query_dict.get("redirect_uri", "").lower()
 response_type = query_dict.get("response_type", "")
 grant_type = None
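Review bot: Lowercasing the whole `redirect_uri` when it is parsed changes more than the comparison: only the scheme and host of a URI are case-insensitive (RFC 3986), the path and query are not, and RFC 6749 §3.1.2.3 calls for simple string comparison against the registered value. The old code kept the original value and lowered both sides only inside the membership test; now the lowered value is what the view carries forward, is what the second hunk stores in `provider.redirect_uris`, and is presumably what the browser is later redirected to (that line is outside the hunk), so a client registered as `https://app.example/Callback` would end up at `https://app.example/callback`. Keep `redirect_uri = query_dict.get("redirect_uri", "")` here and do the case-folding inside the comparison, ideally folding only the scheme and host. The `TokenParams` hunk in token.py lowercases the same way and has the same issue.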
@@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
 if not self.redirect_uri:
 LOGGER.warning("Missing redirect uri.")
 raise RedirectUriError("", allowed_redirect_urls)
- if len(allowed_redirect_urls) < 1:
+
+ if self.provider.redirect_uris == "":
+ LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
+ self.provider.redirect_uris = self.redirect_uri
+ self.provider.save()
+ allowed_redirect_urls = self.provider.redirect_uris.split()
+
+ if self.provider.redirect_uris == "*":
 LOGGER.warning(
- "Provider has no allowed redirect_uri set, allowing all.",
- allow=self.redirect_uri.lower(),
+ "Provider has wildcard allowed redirect_uri set, allowing all.",
+ allow=self.redirect_uri,
 )
 return
- if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+ if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
 LOGGER.warning(
 "Invalid redirect uri",
 redirect_uri=self.redirect_uri,
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index e98f361ae..b59aa6071 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -66,7 +66,7 @@ class TokenParams:
 provider=provider,
 client_id=client_id,
 client_secret=client_secret,
- redirect_uri=request.POST.get("redirect_uri", ""),
+ redirect_uri=request.POST.get("redirect_uri", "").lower(),
 grant_type=request.POST.get("grant_type", ""),
 state=request.POST.get("state", ""),
 scope=request.POST.get("scope", "").split(),
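Review bot: The new `if self.provider.redirect_uris == "":` branch persists whatever `redirect_uri` the first authorize request sends, and that request is browser-initiated and unauthenticated, so for a freshly created provider whoever reaches the endpoint first (OAuth treats `client_id` as public) fixes the single allowed redirect URI, with no check on the value beyond the non-empty test just above it. Since a blank field previously meant allow-all this is stricter than before, but it is a security-relevant configuration change driven by request data, so the value should be validated as an absolute URL before it is stored, the log line raised to `LOGGER.warning("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)`, and the change surfaced to administrators in whatever audit trail the project keeps. Two concurrent first requests can both observe the empty value and the later `self.provider.save()` wins; narrowing the write to `self.provider.save(update_fields=["redirect_uris"])` at least avoids clobbering concurrent edits to other provider fields. Note also that what gets pinned is the lowercased form produced by the parser, not the client's actual callback if its path is case-sensitive. The enclosing method starts before and continues after this hunk.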
@@ -123,21 +123,23 @@ class TokenParams:
 LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
 raise TokenError("unsupported_grant_type")
 
- def __post_init_code(self, raw_code):
+ def __post_init_code(self, raw_code: str):
 if not raw_code:
 LOGGER.warning("Missing authorization code")
 raise TokenError("invalid_grant")
 
 allowed_redirect_urls = self.provider.redirect_uris.split()
- if len(allowed_redirect_urls) < 1:
+ if self.provider.redirect_uris == "*":
 LOGGER.warning(
- "Provider has no allowed redirect_uri set, allowing all.",
- allow=self.redirect_uri.lower(),
+ "Provider has wildcard allowed redirect_uri set, allowing all.",
+ redirect=self.redirect_uri,
 )
- elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+ # At this point, no provider should have a blank redirect_uri, in case they do
+ # this will check an empty array and raise an error
+ elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
 LOGGER.warning(
 "Invalid redirect uri",
- uri=self.redirect_uri,
+ redirect=self.redirect_uri,
 expected=self.provider.redirect_uris.split(),
 )
 raise TokenError("invalid_client")
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 8f4259149..fb1e348f1 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
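Review bot: The test `elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:` only establishes that the token request's redirect_uri is one of the provider's registered URIs; RFC 6749 §4.1.3 requires the token endpoint to check that it is identical to the redirect_uri used in the authorization request that produced `raw_code`. If the stored code carries that value (not visible in this hunk), compare against it instead of, or in addition to, the provider-wide list, otherwise a code issued for one registered URI is redeemable with any other. Two smaller points: `expected=self.provider.redirect_uris.split()` re-splits the string already held in `allowed_redirect_urls`, and the two-line comment would read more clearly as `# Providers are expected to have redirect_uris set by now (the authorize view pins the first one used); an empty list here fails closed with invalid_client.` The method may continue past the end of the hunk.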
@@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "If multiple providers share an outpost, a self-signed certificate is used."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5187,6 +5191,10 @@ msgstr "Title"
 msgid "To"
 msgstr "To"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."
diff --git a/web/src/locales/fr_FR.po b/web/src/locales/fr_FR.po
index 7e194db3c..2715eead5 100644
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5131,6 +5135,10 @@ msgstr "Titre"
 msgid "To"
 msgstr "À"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 477bcced1..983e6722b 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr ""
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr ""
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
 msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
@@ -5167,6 +5171,10 @@ msgstr ""
 msgid "To"
 msgstr ""
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr ""
diff --git a/web/src/locales/tr.po b/web/src/locales/tr.po
index dab1a070f..7f9ddf2a1 100644
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
 msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
 
 #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
 
 #: src/pages/tenants/TenantForm.ts
 msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5076,6 +5080,10 @@ msgstr "Başlık"
 msgid "To"
 msgstr "Kime"
 
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
 #: src/pages/users/UserViewPage.ts
 msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
 msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."
diff --git a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
index 9af90b8fc..df2cbc2fd 100644
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -171,7 +171,10 @@ ${this.instance?.redirectUris}

- ${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`} + ${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`} +

+

+ ${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}