From 8689444954781d72716b62c5414918fa1838e2b0 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 31 Mar 2022 18:02:17 +0200
Subject: [PATCH] providers/oauth2: add password grant support (treated as client_credentials)
Signed-off-by: Jens Langhammer
---
 authentik/providers/oauth2/constants.py | 2 ++
 authentik/providers/oauth2/views/provider.py | 12 +++++-------
 authentik/providers/oauth2/views/token.py | 3 ++-
 website/docs/providers/oauth2/client_credentials.md | 2 ++
 4 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/authentik/providers/oauth2/constants.py b/authentik/providers/oauth2/constants.py
index e8beade85..6c15baa5e 100644
--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
@@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token" # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password" # nosec
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"
diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py
index 6bb4ee20b..49129d182 100644
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@@ -11,15 +11,12 @@ from authentik.providers.oauth2.constants import (
 ACR_AUTHENTIK_DEFAULT,
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+ GRANT_TYPE_IMPLICIT,
+ GRANT_TYPE_PASSWORD,
 GRANT_TYPE_REFRESH_TOKEN,
 SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import (
- GrantTypes,
- OAuth2Provider,
- ResponseTypes,
- ScopeMapping,
-)
+from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
 from authentik.providers.oauth2.utils import cors_allow
 LOGGER = get_logger()
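Review bot: `GRANT_TYPE_PASSWORD = "password" # nosec` suppresses bandit's hardcoded-password check without saying why; the literal is the grant-type name defined by RFC 6749, not a secret, so a reader auditing `# nosec` markers should not have to work that out. A scoped, self-explaining suppression such as `GRANT_TYPE_PASSWORD = "password"  # nosec B105 - grant type name, not a credential` keeps the marker narrow and documents the intent. The pre-existing `GRANT_TYPE_REFRESH_TOKEN` line has the same bare marker and would benefit from the same treatment.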
@@ -78,8 +75,9 @@ class ProviderInfoView(View):
 "grant_types_supported": [
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_REFRESH_TOKEN,
- GrantTypes.IMPLICIT,
+ GRANT_TYPE_IMPLICIT,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+ GRANT_TYPE_PASSWORD,
 ],
 "id_token_signing_alg_values_supported": [supported_alg],
 # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 9e1ca0c81..a1d37779a 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -28,6 +28,7 @@ from authentik.providers.oauth2.constants import (
 CLIENT_ASSERTION_TYPE_JWT,
 GRANT_TYPE_AUTHORIZATION_CODE,
 GRANT_TYPE_CLIENT_CREDENTIALS,
+ GRANT_TYPE_PASSWORD,
 GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@@ -108,7 +109,7 @@ class TokenParams:
 self.__post_init_code(raw_code)
 elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
 self.__post_init_refresh(raw_token, request)
- elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+ elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
 self.__post_init_client_credentials(request)
 else:
 LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
diff --git a/website/docs/providers/oauth2/client_credentials.md b/website/docs/providers/oauth2/client_credentials.md
index 0a30c298b..f5ee676e2 100644
--- a/website/docs/providers/oauth2/client_credentials.md
+++ b/website/docs/providers/oauth2/client_credentials.md
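Review bot: Adding `GRANT_TYPE_PASSWORD` to `grant_types_supported` tells discovery clients (RFC 8414 / OIDC Discovery metadata) that the Resource Owner Password Credentials grant is implemented, while the commit title says `password` is only accepted as an alias for `client_credentials`. A client that trusts this metadata will send `username`/`password` form fields and, presumably, receive a token tied to the authenticated client's service account rather than to the named user, which is easy to misread on the client side. Consider leaving `GRANT_TYPE_PASSWORD` out of the advertised list, or at least annotating the entry with `GRANT_TYPE_PASSWORD,  # alias for client_credentials; resource-owner username/password are not consulted` so the discrepancy is visible where the metadata is built. The enclosing method of ProviderInfoView starts and ends outside the hunk.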
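Review bot: The new branch `elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:` routes a `password` grant through `__post_init_client_credentials(request)`, and nothing in the hunk reads or rejects the `username`/`password` parameters that RFC 6749 §4.3.2 defines for that grant; if the helper does not consult them either, a caller-supplied password is never validated and the token is issued on the strength of the client credentials alone. That is a deliberate design choice per the commit title, so the branch should say so, e.g. `# "password" is handled as an alias for client_credentials: the resource-owner username/password fields are not validated here`, and it is worth considering whether a request that also carries a `username` field should be refused with a TokenError instead of being silently reinterpreted. As a style point the membership test reads better against a tuple: `elif self.grant_type in (GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD):`. The enclosing method of TokenParams begins and ends outside the hunk.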
@@ -2,6 +2,8 @@
 Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
+Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
+
 ### Static authentication
 Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.