sources/oauth: Fix an issue where wechat may crash during login. #18973
dewi-tik merged 7 commits into goauthentik:main from
The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).
I have fixed authentik/sources/oauth/types/wechat.py by:
* Updating get_access_token signature: It now accepts **request_kwargs instead of mandatory positional arguments, matching the base OAuth2Client.
* Retrieving code correctly: It now looks for code in the request parameters using self.get_request_arg, just like standard OAuth clients.
* Adding State Validation: I added self.check_application_state() to ensure the state parameter matches, preventing CSRF attacks.
* Improving Error Handling: Both get_access_token and get_profile_info now return None (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.
Signed-off-by: Anduin Xue <anduin@aiursoft.com>
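As an added illustration (not authentik's code and not part of this PR), the following minimal model shows the signature mismatch the description above reports, and how a client shaped like the fix behaves: the names OAuth2Client, get_request_arg, check_application_state and get_access_token come from the PR text, while every method body, the request/session fields and the stand-in token endpoint are assumptions made for this example.

```python
# Constructed example, not authentik's code: the PR's method names are real,
# every body below (and the fake token endpoint) is an assumption.

def wechat_token_api(code):
    """Stand-in for the provider's token endpoint (constructed, offline)."""
    if code == "expired":
        raise RuntimeError("provider rejected the code")
    return {"access_token": "token-for-" + code}

class OAuth2Client:
    def __init__(self, request_params, session_state):
        self.request_params = request_params  # query string of the callback
        self.session_state = session_state    # state saved before the redirect

    def get_request_arg(self, name, default=None):
        return self.request_params.get(name, default)

    def check_application_state(self):
        # The state echoed back must equal the one issued for this session.
        return self.get_request_arg("state") == self.session_state

    def get_access_token(self, **request_kwargs):
        raise NotImplementedError

class BrokenWeChatClient(OAuth2Client):
    # Pre-fix shape: positional parameters the generic handler never supplies.
    def get_access_token(self, redirect_uri, code):
        return wechat_token_api(code)

class FixedWeChatClient(OAuth2Client):
    # Post-fix shape: same signature as the base, data pulled from the request.
    def get_access_token(self, **request_kwargs):
        if not self.check_application_state():
            return None  # state mismatch: treat as a failed login
        code = self.get_request_arg("code")
        if not code:
            return None  # provider sent no code (error or user cancelled)
        try:
            return wechat_token_api(code)
        except RuntimeError:
            return None  # API failure is a failed login, not a crash

def oauth_callback(client):
    """Generic handler: calls get_access_token with no arguments at all."""
    try:
        token = client.get_access_token()
    except TypeError as exc:  # the unhandled exception behind the 500
        return ("server_error", str(exc))
    return ("ok", token) if token else ("login_failed", None)
```

Running oauth_callback against BrokenWeChatClient reproduces the TypeError path, while FixedWeChatClient turns a state mismatch, a missing code or a provider error into a plain failed login.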
Codecov Report
❌ Patch coverage is
Coverage Diff (main vs. #18973):
              main    #18973     +/-
Coverage    93.27%    93.21%  -0.06%
Files          967       967
Lines        53269     53282     +13
Hits         49684     49668     -16
Misses        3585      3614     +29
Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
✅ Deploy Preview for authentik-integrations ready!
✅ Deploy Preview for authentik-storybook ready!
✅ Deploy Preview for authentik-docs ready!
I have tested this by building locally and deploying at: https://auth.aiursoft.com/if/flow/aiursoft-authentication-flow/?next=%2F
I tested by clicking the WeChat icon and signing in with my personal wechat account. Everything went smoothly right now.
@rissson Strongly recommend merging this before the Authentik 12 release. Fixed critical issue that wechat login may crash after callback.
* Fix an issue where wechat may crash during login.
  The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).
  I have fixed authentik/sources/oauth/types/wechat.py by:
  - Updating get_access_token signature: It now accepts **request_kwargs instead of mandatory positional arguments, matching the base OAuth2Client.
  - Retrieving code correctly: It now looks for code in the request parameters using self.get_request_arg, just like standard OAuth clients.
  - Adding State Validation: I added self.check_application_state() to ensure the state parameter matches, preventing CSRF attacks.
  - Improving Error Handling: Both get_access_token and get_profile_info now return None (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.
  Signed-off-by: Anduin Xue <anduin@aiursoft.com>
* Update wechat.py
  Signed-off-by: Anduin Xue <anduin@aiursoft.com>
* Update wechat.py
  Signed-off-by: Anduin Xue <anduin@aiursoft.com>
* Remove unnecessary blank lines in wechat.py
  Signed-off-by: Anduin Xue <anduin@aiursoft.com>
* Fix linting issues in wechat.py
---------
Signed-off-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
…ry-pick #18973 to version-2025.12) (#19854)
sources/oauth: Fix an issue where wechat may crash during login. (#18973)
* Fix an issue where wechat may crash during login.
  The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).
  I have fixed authentik/sources/oauth/types/wechat.py by:
  - Updating get_access_token signature: It now accepts **request_kwargs instead of mandatory positional arguments, matching the base OAuth2Client.
  - Retrieving code correctly: It now looks for code in the request parameters using self.get_request_arg, just like standard OAuth clients.
  - Adding State Validation: I added self.check_application_state() to ensure the state parameter matches, preventing CSRF attacks.
  - Improving Error Handling: Both get_access_token and get_profile_info now return None (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.
* Update wechat.py
* Update wechat.py
* Remove unnecessary blank lines in wechat.py
* Fix linting issues in wechat.py
---------
Signed-off-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>


The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).
This is an issue with authentik 2025.12.0-rc1 and rc2.
I have fixed authentik/sources/oauth/types/wechat.py by:
* Updating get_access_token signature: It now accepts **request_kwargs instead of mandatory positional arguments, matching the base OAuth2Client.
* Retrieving code correctly: It now looks for code in the request parameters using self.get_request_arg, just like standard OAuth clients.
* Adding State Validation: I added self.check_application_state() to ensure the state parameter matches, preventing CSRF attacks.
* Improving Error Handling: Both get_access_token and get_profile_info now return None (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.
Checklist
* ak test authentik/
* make lint-fix
* If an API change has been made: make gen-build
* If changes to the frontend have been made: make web
* If applicable: make docs