
providers/oauth2: allow m2m for JWKS without alg in keys#12196

Merged
BeryJu merged 3 commits into main from providers/oauth2/m2m-with-missing-alg
Nov 27, 2024

Conversation

@BeryJu
Member

@BeryJu BeryJu commented Nov 26, 2024

Details

The alg attribute in JWKS URLs is optional, so if it's not set we use the alg from the raw JWT header.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu BeryJu requested review from a team as code owners November 26, 2024 17:28
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
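The fallback this PR describes, as an added example that is not authentik's own code: pick the JWK by kid, use the key's own alg when it carries one, otherwise take alg from the raw JWT header but only from the set the key's kty may use, so a header value can never switch an RSA key to HS256 or none. The JWKS, key material and tokens are constructed placeholders.

```python
import base64
import json
# Algorithms a key of each kty may verify with; HS* and "none" are omitted on purpose,
# so a header-supplied alg can never move a public key into a symmetric family.
ALLOWED_ALGS_BY_KTY = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
}

# Constructed JWKS: "with-alg" pins RS256, "no-alg" omits alg (RFC 7517 allows that); n/e are placeholders.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "with-alg", "alg": "RS256", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "no-alg", "use": "sig", "n": "AQAB", "e": "AQAB"},
]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_token(header: dict) -> str:
    """Compact JWS with this header plus a dummy payload and signature; example input only."""
    payload = _b64url(json.dumps({"sub": "example-client"}).encode())
    return ".".join([_b64url(json.dumps(header).encode()), payload, "c2ln"])

def unverified_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWS; nothing is verified at this point."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_key_and_alg(jwks: dict, header: dict) -> tuple:
    """Return (jwk, alg) to verify with, or raise ValueError. A key carrying alg pins it and the
    header must agree; a key without alg falls back to the header alg, limited to what its kty allows."""
    kid, header_alg = header.get("kid"), header.get("alg")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one key with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    if key.get("alg") is not None:
        if header_alg != key["alg"]:
            raise ValueError(f"header alg {header_alg!r} does not match key alg {key['alg']!r}")
        return key, key["alg"]
    if header_alg not in ALLOWED_ALGS_BY_KTY.get(key.get("kty"), set()):
        raise ValueError(f"alg {header_alg!r} is not permitted for kty={key.get('kty')!r}")
    return key, header_alg

def is_rejected(jwks: dict, header: dict) -> bool:
    try:
        select_key_and_alg(jwks, header)
    except ValueError:
        return True
    return False
```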
@netlify

netlify bot commented Nov 26, 2024

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit f3034a1
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/674640e51b5cbe0008553199

@netlify

netlify bot commented Nov 26, 2024

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit f3034a1
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/674640e5547c8e00088fe797
😎 Deploy Preview https://deploy-preview-12196--authentik-docs.netlify.app

@BeryJu BeryJu force-pushed the providers/oauth2/m2m-with-missing-alg branch from 175b74e to 92767e1 on November 26, 2024 17:28
@codecov

codecov bot commented Nov 26, 2024

Codecov Report

Attention: Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.

Project coverage is 92.67%. Comparing base (1daa531) to head (f3034a1).
Report is 13 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/providers/oauth2/views/token.py 66.66% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12196      +/-   ##
==========================================
- Coverage   92.68%   92.67%   -0.02%     
==========================================
  Files         761      761              
  Lines       38047    38050       +3     
==========================================
- Hits        35264    35262       -2     
- Misses       2783     2788       +5     
Flag Coverage Δ
e2e 49.22% <0.00%> (-0.02%) ⬇️
integration 24.83% <0.00%> (-0.01%) ⬇️
unit 90.20% <66.66%> (-0.01%) ⬇️


Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
```
client_secret=<application_client_secret>
```

The JWT returned from the request above can be used with authentik to exchange it for an authentik JWT.
Contributor


I'm not sure what this means... You can configure authentik to use the returned JWT (from the request) instead of the auto-generated authentik JWT?

Contributor


And if we say "can be used" we need to explain how... does one configure it, is it automatic, etc?

Member Author


Those steps are explained in oauth2/client_credentials.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>
@BeryJu BeryJu merged commit f9e8138 into main Nov 27, 2024
@BeryJu BeryJu deleted the providers/oauth2/m2m-with-missing-alg branch November 27, 2024 18:01
kensternberg-authentik added a commit that referenced this pull request Dec 2, 2024
* main: (31 commits)
  web/admin: bugfix: dual select initialization revision (#12051)
  web: update tests for Chromedriver 131 (#12199)
  website/integrations: add Aruba Orchestrator (#12220)
  core: bump aws-cdk-lib from 2.167.1 to 2.171.1 (#12237)
  website: bump aws-cdk from 2.167.1 to 2.171.1 in /website (#12241)
  core, web: update translations (#12236)
  core: bump python-kadmin-rs from 0.2.0 to 0.3.0 (#12238)
  core: bump pytest from 8.3.3 to 8.3.4 (#12239)
  core: bump drf-spectacular from 0.27.2 to 0.28.0 (#12240)
  core, web: update translations (#12222)
  core: Bump ruff from 0.8.0 to 0.8.1 (#12224)
  core: Bump ua-parser from 0.18.0 to 1.0.0 (#12225)
  core: Bump msgraph-sdk from 1.13.0 to 1.14.0 (#12226)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#12234)
  website/docs: install: add aws (#12082)
  core: Bump pyjwt from 2.10.0 to 2.10.1 (#12217)
  core: Bump fido2 from 1.1.3 to 1.2.0 (#12218)
  core: Bump cryptography from 43.0.3 to 44.0.0 (#12219)
  providers/oauth2: allow m2m for JWKS without alg in keys (#12196)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#12210)
  ...
BeryJu added a commit that referenced this pull request Dec 6, 2024
* providers/oauth2: allow m2m for JWKS without alg in keys

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>