sources/oauth: fix twitter client missing basic auth

closes #3038 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-05 14:21:32 +02:00 · 2022-06-05 14:21:32 +02:00 · c11435780d
parent ee54328589
commit c11435780d
3 changed files with 21 additions and 10 deletions
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -8,7 +8,7 @@ from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField, ReadOnlyField
+from rest_framework.serializers import ModelSerializer, ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -77,10 +77,7 @@ class OAuth2Client(BaseOAuthClient):
            if self.source.type.urls_customizable and self.source.access_token_url:
                access_token_url = self.source.access_token_url
            response = self.session.request(
-                "post",
-                access_token_url,
-                data=args,
-                headers=self._default_headers,
+                "post", access_token_url, data=args, headers=self._default_headers, **request_kwargs
            )
            response.raise_for_status()
        except RequestException as exc:
--- a/authentik/sources/oauth/types/twitter.py
+++ b/authentik/sources/oauth/types/twitter.py
@ -1,5 +1,5 @@
 """Twitter OAuth Views"""
-from typing import Any
+from typing import Any, Optional

 from authentik.lib.generators import generate_id
 from authentik.sources.oauth.clients.oauth2 import SESSION_KEY_OAUTH_PKCE
@ -9,6 +9,23 @@ from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect


+class TwitterClient(AzureADClient):
+    """Twitter has similar quirks to Azure AD, and additionally requires Basic auth on
+    the access token endpoint for some reason."""
+
+    # Twitter has the same quirk as azure and throws an error if the access token
+    # is set via query parameter, so we re-use the azure client
+    # see https://github.com/goauthentik/authentik/issues/1910
+
+    def get_access_token(self, **request_kwargs) -> Optional[dict[str, Any]]:
+        return super().get_access_token(
+            auth=(
+                self.source.consumer_key,
+                self.source.consumer_secret,
+            )
+        )
+
+
 class TwitterOAuthRedirect(OAuthRedirect):
    """Twitter OAuth2 Redirect"""

@ -24,10 +41,7 @@ class TwitterOAuthRedirect(OAuthRedirect):
 class TwitterOAuthCallback(OAuthCallback):
    """Twitter OAuth2 Callback"""

-    # Twitter has the same quirk as azure and throws an error if the access token
-    # is set via query parameter, so we re-use the azure client
-    # see https://github.com/goauthentik/authentik/issues/1910
-    client_class = AzureADClient
+    client_class = TwitterClient

    def get_user_id(self, info: dict[str, str]) -> str:
        return info.get("data", {}).get("id", "")