From 85bc35eb412e249697e1feeda8d69dcffdaba839 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 28 Aug 2023 00:51:48 +0200
Subject: [PATCH] providers/oauth2: fix id_token being saved incorrectly leading to lost claims (#6645)

Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/models.py | 5 +++--
 authentik/providers/oauth2/tests/test_token_cc.py | 8 ++++++++
 scripts/generate_config.py | 3 ---
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py
index 1357b2101..e9a2f731a 100644
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@@ -2,6 +2,7 @@
 import base64
 import binascii
 import json
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any, Optional
@@ -358,7 +359,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
     @id_token.setter
     def id_token(self, value: IDToken):
         self.token = value.to_access_token(self.provider)
-        self._id_token = json.dumps(value.to_dict())
+        self._id_token = json.dumps(asdict(value))
 
     @property
     def at_hash(self):
@@ -400,7 +401,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):
 
     @id_token.setter
     def id_token(self, value: IDToken):
-        self._id_token = json.dumps(value.to_dict())
+        self._id_token = json.dumps(asdict(value))
 
     @property
     def serializer(self) -> Serializer:
diff --git a/authentik/providers/oauth2/tests/test_token_cc.py b/authentik/providers/oauth2/tests/test_token_cc.py
index 8becccb95..81f595d63 100644
--- a/authentik/providers/oauth2/tests/test_token_cc.py
+++ b/authentik/providers/oauth2/tests/test_token_cc.py
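Review bot: The persisted `_id_token` is now produced by `asdict(value)` while the bearer token on the line above is still built by `value.to_access_token(self.provider)`; if that method derives its claim set from the `to_dict()` path this hunk moves away from, the stored id_token and the issued token can still disagree on which claims are present, which is worth confirming since IDToken's definition is not visible here. `dataclasses.asdict` also emits every field, including `None` values, and converts nested dataclasses recursively, so the matching getter that reads `_id_token` back (outside this hunk) has to accept that wider shape. The same replacement is made in the RefreshToken setter in the following hunk; since both setters now spell out the identical serialization, a single method on IDToken, e.g. `def to_json(self) -> str: return json.dumps(asdict(self))`, would keep the two call sites in lockstep. Both enclosing classes continue outside their hunks.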
@@ -151,6 +151,14 @@ class TestTokenClientCredentials(OAuthTestCase):
         )
         self.assertEqual(jwt["given_name"], self.user.name)
         self.assertEqual(jwt["preferred_username"], self.user.username)
+        jwt = decode(
+            body["id_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
 
     def test_successful_password(self):
         """test successful (password grant)"""
diff --git a/scripts/generate_config.py b/scripts/generate_config.py
index 63333188e..187eb3ba5 100644
--- a/scripts/generate_config.py
+++ b/scripts/generate_config.py
@@ -16,9 +16,6 @@ with open("local.env.yml", "w", encoding="utf-8") as _config:
             "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
         },
         "blueprints_dir": "./blueprints",
-        "web": {
-            "outpost_port_offset": 100,
-        },
         "cert_discovery_dir": "./certs",
         "geoip": "tests/GeoLite2-City-Test.mmdb",
     },
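Review bot: The added id_token check verifies signature and audience only; passing `issuer=` to `decode` as well would let the test catch a regression in the `iss` claim, which a relying party validates alongside `aud`, assuming the provider's expected issuer string is reachable from `self.provider` or the test case. The new block is a verbatim copy of the access-token decode directly above it, so a small helper on the test case, e.g. `def _decode(self, token, alg): return decode(token, key=self.provider.signing_key.public_key, algorithms=[alg], audience=self.provider.client_id)`, would remove the duplication. The assertions cover only `given_name` and `preferred_username`; if other claims were among those dropped by the old `to_dict()` path, one assertion per restored claim pins the fix more tightly. The test method starts outside the hunk, where `body` and `alg` are defined.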