providers/oauth2: add password grant support (treated as client_credentials)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/oauth2/constants.py

@@ -1,8 +1,10 @@
 """OAuth/OpenID Constants"""
 
 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
+GRANT_TYPE_IMPLICIT = "implicit"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+GRANT_TYPE_PASSWORD = "password"  # nosec
 
 CLIENT_ASSERTION_TYPE = "client_assertion_type"
 CLIENT_ASSERTION = "client_assertion"

authentik/providers/oauth2/views/provider.py

@@ -11,15 +11,12 @@ from authentik.providers.oauth2.constants import (
     ACR_AUTHENTIK_DEFAULT,
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_IMPLICIT,
+    GRANT_TYPE_PASSWORD,
     GRANT_TYPE_REFRESH_TOKEN,
     SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import OAuth2Provider, ResponseTypes, ScopeMapping
-    GrantTypes,
-    OAuth2Provider,
-    ResponseTypes,
-    ScopeMapping,
-)
 from authentik.providers.oauth2.utils import cors_allow
 
 LOGGER = get_logger()
@@ -78,8 +75,9 @@ class ProviderInfoView(View):
             "grant_types_supported": [
                 GRANT_TYPE_AUTHORIZATION_CODE,
                 GRANT_TYPE_REFRESH_TOKEN,
-                GrantTypes.IMPLICIT,
+                GRANT_TYPE_IMPLICIT,
                 GRANT_TYPE_CLIENT_CREDENTIALS,
+                GRANT_TYPE_PASSWORD,
             ],
             "id_token_signing_alg_values_supported": [supported_alg],
             # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

authentik/providers/oauth2/views/token.py

@@ -28,6 +28,7 @@ from authentik.providers.oauth2.constants import (
     CLIENT_ASSERTION_TYPE_JWT,
     GRANT_TYPE_AUTHORIZATION_CODE,
     GRANT_TYPE_CLIENT_CREDENTIALS,
+    GRANT_TYPE_PASSWORD,
     GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@@ -108,7 +109,7 @@ class TokenParams:
             self.__post_init_code(raw_code)
         elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
             self.__post_init_refresh(raw_token, request)
-        elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+        elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
             self.__post_init_client_credentials(request)
         else:
             LOGGER.warning("Invalid grant type", grant_type=self.grant_type)

website/docs/providers/oauth2/client_credentials.md

@@ -2,6 +2,8 @@
 
 Client credentials can be used for machine-to-machine communication authentication. Clients can authenticate themselves using service-accounts; standard client_id + client_secret is not sufficient. This behavior is due to providers only being able to have a single secret at any given time.
 
+Note that authentik does treat a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant.
+
 ### Static authentication
 
 Hence identification is based on service-accounts, and authentication is based on App-password tokens. These objects can be created in a single step using the *Create Service account* function.