providers/oauth2: remove response_type field as spec doesn't require validation

2020-12-27 17:33:54 +01:00 · 2020-12-27 17:33:54 +01:00 · ee2e737782
parent b04c9a2098
commit ee2e737782
13 changed files with 40 additions and 70 deletions
--- a/authentik/providers/oauth2/api.py
+++ b/authentik/providers/oauth2/api.py
@ -20,7 +20,6 @@ class OAuth2ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "client_id",
            "client_secret",
            "token_validity",
-            "response_type",
            "include_claims_in_id_token",
            "jwt_alg",
            "rsa_key",
--- a/authentik/providers/oauth2/forms.py
+++ b/authentik/providers/oauth2/forms.py
@ -55,7 +55,6 @@ class OAuth2ProviderForm(forms.ModelForm):
            "client_secret",
            "token_validity",
            "jwt_alg",
-            "response_type",
            "property_mappings",
            "rsa_key",
            "redirect_uris",
--- a/authentik/providers/oauth2/migrations/0009_remove_oauth2provider_response_type.py
+++ b/authentik/providers/oauth2/migrations/0009_remove_oauth2provider_response_type.py
@ -0,0 +1,17 @@
+# Generated by Django 3.1.4 on 2020-12-27 16:32
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_oauth2", "0008_oauth2provider_issuer_mode"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="oauth2provider",
+            name="response_type",
+        ),
+    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -152,11 +152,6 @@ class OAuth2Provider(Provider):
        verbose_name=_("Client Secret"),
        default=generate_client_secret,
    )
-    response_type = models.TextField(
-        choices=ResponseTypes.choices,
-        default=ResponseTypes.CODE,
-        help_text=_(ResponseTypes.__doc__),
-    )
    jwt_alg = models.CharField(
        max_length=10,
        choices=JWTAlgorithms.choices,
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -106,7 +106,6 @@ class OAuthAuthorizationParams:
        elif response_type in [
            ResponseTypes.ID_TOKEN,
            ResponseTypes.ID_TOKEN_TOKEN,
-            ResponseTypes.CODE_TOKEN,
        ]:
            grant_type = GrantTypes.IMPLICIT
        elif response_type in [
@ -150,7 +149,6 @@ class OAuthAuthorizationParams:
        self.check_redirect_uri()
        self.check_scope()
        self.check_nonce()
-        self.check_response_type()
        self.check_code_challenge()

    def check_redirect_uri(self):
@ -203,18 +201,6 @@ class OAuthAuthorizationParams:
                self.redirect_uri, "invalid_request", self.grant_type, self.state
            )

-    def check_response_type(self):
-        """Response type parameter validation."""
-        if SCOPE_OPENID in self.scope:
-            actual_response_type = self.provider.response_type
-            if "#" in self.provider.response_type:
-                hash_index = actual_response_type.index("#")
-                actual_response_type = actual_response_type[:hash_index]
-            if self.response_type != actual_response_type:
-                raise AuthorizeError(
-                    self.redirect_uri, "invalid_request", self.grant_type, self.state
-                )
-
    def check_code_challenge(self):
        """PKCE validation of the transformation method."""
        if self.code_challenge:
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -13,7 +13,12 @@ from authentik.providers.oauth2.constants import (
    GRANT_TYPE_REFRESH_TOKEN,
    SCOPE_OPENID,
 )
-from authentik.providers.oauth2.models import GrantTypes, OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.models import (
+    GrantTypes,
+    OAuth2Provider,
+    ResponseTypes,
+    ScopeMapping,
+)

 LOGGER = get_logger()

@ -53,7 +58,14 @@ class ProviderInfoView(View):
            "introspection_endpoint": self.request.build_absolute_uri(
                reverse("authentik_providers_oauth2:token-introspection")
            ),
-            "response_types_supported": [provider.response_type],
+            "response_types_supported": [
+                ResponseTypes.CODE,
+                ResponseTypes.ID_TOKEN,
+                ResponseTypes.ID_TOKEN_TOKEN,
+                ResponseTypes.CODE_TOKEN,
+                ResponseTypes.CODE_ID_TOKEN,
+                ResponseTypes.CODE_ID_TOKEN_TOKEN,
+            ],
            "jwks_uri": self.request.build_absolute_uri(
                reverse(
                    "authentik_providers_oauth2:jwks",
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -18,7 +18,6 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    OAuth2Provider,
    RefreshToken,
-    ResponseTypes,
 )
 from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth

@ -205,12 +204,12 @@ class TokenView(View):
            "id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
        }

-        if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
-            # This seems to be expected by some OIDC Clients
-            # namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
-            # Maybe this should be a setting
-            # in the future?
-            response_dict["access_token"] = response_dict["id_token"]
+        # if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
+        #     # This seems to be expected by some OIDC Clients
+        #     # namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
+        #     # Maybe this should be a setting
+        #     # in the future?
+        #     response_dict["access_token"] = response_dict["id_token"]

        return response_dict

--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -22,7 +22,6 @@ from authentik.providers.oauth2.models import (
    ClientTypes,
    JWTAlgorithms,
    OAuth2Provider,
-    ResponseTypes,
    ScopeMapping,
 )

@ -127,7 +126,6 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
    def set_oauth_defaults(self):
        """Ensure all OAuth2-related settings are correct"""
        self.client_type = ClientTypes.CONFIDENTIAL
-        self.response_type = ResponseTypes.CODE
        self.jwt_alg = JWTAlgorithms.RS256
        self.rsa_key = CertificateKeyPair.objects.first()
        scopes = ScopeMapping.objects.filter(
--- a/swagger.yaml
+++ b/swagger.yaml
@ -7835,18 +7835,6 @@ definitions:
          hours=1;minutes=2;seconds=3).'
        type: string
        minLength: 1
-      response_type:
-        title: Response type
-        description: Response Type required by the client.
-        type: string
-        enum:
-          - code
-          - code#adfs
-          - id_token
-          - id_token token
-          - code token
-          - code id_token
-          - code id_token token
      include_claims_in_id_token:
        title: Include claims in id_token
        description: Include User claims from scopes in the id_token, for applications
--- a/tests/e2e/test_provider_oauth2_github.py
+++ b/tests/e2e/test_provider_oauth2_github.py
@ -17,7 +17,7 @@ from authentik.providers.oauth2.generators import (
    generate_client_id,
    generate_client_secret,
 )
-from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ResponseTypes
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider
 from tests.e2e.utils import USER, SeleniumTestCase, retry


@ -73,7 +73,6 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            response_type=ResponseTypes.CODE,
            redirect_uris="http://localhost:3000/login/github",
            authorization_flow=authorization_flow,
        )
@ -128,7 +127,6 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            response_type=ResponseTypes.CODE,
            redirect_uris="http://localhost:3000/login/github",
            authorization_flow=authorization_flow,
        )
@ -198,7 +196,6 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            client_id=self.client_id,
            client_secret=self.client_secret,
            client_type=ClientTypes.CONFIDENTIAL,
-            response_type=ResponseTypes.CODE,
            redirect_uris="http://localhost:3000/login/github",
            authorization_flow=authorization_flow,
        )
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@ -24,12 +24,7 @@ from authentik.providers.oauth2.generators import (
    generate_client_id,
    generate_client_secret,
 )
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    ResponseTypes,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 from tests.e2e.utils import USER, SeleniumTestCase, retry

 LOGGER = get_logger()
@ -96,7 +91,6 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            rsa_key=CertificateKeyPair.objects.first(),
            redirect_uris="http://localhost:3000/",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -134,7 +128,6 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            rsa_key=CertificateKeyPair.objects.first(),
            redirect_uris="http://localhost:3000/login/generic_oauth",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -196,7 +189,6 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
            rsa_key=CertificateKeyPair.objects.first(),
            redirect_uris="http://localhost:3000/login/generic_oauth",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -261,7 +253,6 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
        provider = OAuth2Provider.objects.create(
            name="grafana",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
@ -335,7 +326,6 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
        provider = OAuth2Provider.objects.create(
            name="grafana",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
--- a/tests/e2e/test_provider_oauth2_oidc.py
+++ b/tests/e2e/test_provider_oauth2_oidc.py
@ -26,12 +26,7 @@ from authentik.providers.oauth2.generators import (
    generate_client_id,
    generate_client_secret,
 )
-from authentik.providers.oauth2.models import (
-    ClientTypes,
-    OAuth2Provider,
-    ResponseTypes,
-    ScopeMapping,
-)
+from authentik.providers.oauth2.models import ClientTypes, OAuth2Provider, ScopeMapping
 from tests.e2e.utils import USER, SeleniumTestCase, retry

 LOGGER = get_logger()
@ -91,7 +86,6 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            rsa_key=CertificateKeyPair.objects.first(),
            redirect_uris="http://localhost:9009/",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -129,7 +123,6 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            rsa_key=CertificateKeyPair.objects.first(),
            redirect_uris="http://localhost:9009/auth/callback",
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -175,7 +168,6 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        provider = OAuth2Provider.objects.create(
            name=self.application_slug,
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
@ -236,7 +228,6 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        provider = OAuth2Provider.objects.create(
            name=self.application_slug,
            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
--- a/website/docs/integrations/services/vmware-vcenter/index.md
+++ b/website/docs/integrations/services/vmware-vcenter/index.md
@ -54,7 +54,6 @@ Under _Sources_, click _Edit_ and ensure that "Autogenerated Active Directory Ma
 Under _Providers_, create an OAuth2/OpenID Provider with these settings:

 -   Client Type: Confidential
-   Response Type: code (ADFS Compatibility Mode, sends id_token as access_token)
 -   JWT Algorithm: RS256
 -   Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
 -   Post Logout Redirect URIs: `https://vcenter.company/ui/login`