From 7e213f3ca6a878c69fa2e2047c8bb6817799c30a Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Fri, 20 Oct 2023 20:37:52 +0200
Subject: [PATCH] sources/oauth: fix oidc well-known parsing (#7248)

---
 authentik/sources/oauth/api/source.py       | 15 ++++++---------
 authentik/sources/oauth/tasks.py            |  2 +-
 authentik/sources/oauth/tests/test_views.py |  1 +
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/authentik/sources/oauth/api/source.py b/authentik/sources/oauth/api/source.py
index 62941f863..1a350bd43 100644
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@@ -71,15 +71,12 @@ class OAuthSourceSerializer(SourceSerializer):
                 text = exc.response.text if exc.response else str(exc)
                 raise ValidationError({"oidc_well_known_url": text})
             config = well_known_config.json()
-            try:
-                attrs["authorization_url"] = config["authorization_endpoint"]
-                attrs["access_token_url"] = config["token_endpoint"]
-                attrs["profile_url"] = config["userinfo_endpoint"]
-                inferred_oidc_jwks_url = config["jwks_uri"]
-            except (IndexError, KeyError) as exc:
-                raise ValidationError(
-                    {"oidc_well_known_url": f"Invalid well-known configuration: {exc}"}
-                )
+            if "issuer" not in config:
+                raise ValidationError({"oidc_well_known_url": "Invalid well-known configuration"})
+            attrs["authorization_url"] = config.get("authorization_endpoint", "")
+            attrs["access_token_url"] = config.get("token_endpoint", "")
+            attrs["profile_url"] = config.get("userinfo_endpoint", "")
+            inferred_oidc_jwks_url = config.get("jwks_uri", "")
 
         # Prefer user-entered URL to inferred URL to default URL
         jwks_url = attrs.get("oidc_jwks_url") or inferred_oidc_jwks_url or source_type.oidc_jwks_url
diff --git a/authentik/sources/oauth/tasks.py b/authentik/sources/oauth/tasks.py
index 1588117b9..6197df512 100644
--- a/authentik/sources/oauth/tasks.py
+++ b/authentik/sources/oauth/tasks.py
@@ -38,7 +38,7 @@ def update_well_known_jwks(self: MonitoredTask):
             for source_attr, config_key in source_attr_key:
                 # Check if we're actually changing anything to only
                 # save when something has changed
-                if getattr(source, source_attr) != config[config_key]:
+                if getattr(source, source_attr, "") != config[config_key]:
                     dirty = True
                 setattr(source, source_attr, config[config_key])
         except (IndexError, KeyError) as exc:
diff --git a/authentik/sources/oauth/tests/test_views.py b/authentik/sources/oauth/tests/test_views.py
index 2e1919c17..16e57c057 100644
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@@ -50,6 +50,7 @@ class TestOAuthSource(TestCase):
     def test_api_validate_openid_connect(self):
         """Test API validation (with OIDC endpoints)"""
         openid_config = {
+            "issuer": "foo",
             "authorization_endpoint": "http://mock/oauth/authorize",
             "token_endpoint": "http://mock/oauth/token",
             "userinfo_endpoint": "http://mock/oauth/userinfo",