sources/oauth: Fix an issue where wechat may crash during login. (cherry-pick #18973 to version-2025.12) #19854

Merged
dewi-tik merged 3 commits into version-2025.12 from cherry-pick/18973-to-version-2025.12 (Jan 29, 2026)
@authentik-automation

Cherry-pick of #18973 to version-2025.12 branch.

Original PR: #18973
Original Author: @Anduin2017
Cherry-picked commit: e01d7f2

* Fix an issue where wechat may crash during login.

The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).

I have fixed authentik/sources/oauth/types/wechat.py by:

Updating get_access_token signature: It now accepts **request_kwargs instead of mandatory positional arguments, matching the base OAuth2Client.
Retrieving code correctly: It now looks for code in the request parameters using self.get_request_arg, just like standard OAuth clients.
Adding State Validation: I added self.check_application_state() to ensure the state parameter matches, preventing CSRF attacks.
Improving Error Handling: Both get_access_token and get_profile_info now return None (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Update wechat.py

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Update wechat.py

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Remove unnecessary blank lines in wechat.py

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Fix linting issues in wechat.py

---------

Signed-off-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
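
The signature mismatch and state check described in the commit message above, as an added example that is not part of the pull request and is not authentik's code. It is a simplified model: FakeRequest, BaseClient, BrokenClient, FixedClient, callback, the "oauth_state" session key and the outcome strings are all hypothetical stand-ins.

```python
import hmac

class FakeRequest:
    """Constructed stand-in for the callback request: query args plus session."""
    def __init__(self, args, session):
        self.args, self.session = args, session

class BaseClient:
    """Simplified model of a base OAuth2 client (hypothetical, not authentik's)."""
    def __init__(self, request):
        self.request = request

    def get_request_arg(self, key, default=None):
        return self.request.args.get(key, default)

    def check_application_state(self):
        # Compare the state returned by the provider with the one stored at login start.
        expected = self.request.session.get("oauth_state", "")
        returned = self.get_request_arg("state", "")
        return bool(expected) and hmac.compare_digest(expected, returned)

class BrokenClient(BaseClient):
    # 'Before' shape: mandatory positional arguments the callback never supplies.
    def get_access_token(self, redirect_uri, code):
        return {"access_token": f"token-for-{code}"}

class FixedClient(BaseClient):
    # 'After' shape: keyword passthrough, state checked, code read from the request.
    def get_access_token(self, **request_kwargs):
        if not self.check_application_state():
            return None  # state mismatch is a failed login, not an exception
        code = self.get_request_arg("code")
        if not code:
            return None
        return {"access_token": f"token-for-{code}"}  # stands in for the provider call

def callback(client):
    """Generic handler: calls get_access_token() with no arguments."""
    try:
        token = client.get_access_token()
    except TypeError:
        return "server_error"  # the signature mismatch surfaces as a crash
    return "logged_in" if token else "login_denied"

def run_cases():
    good = FakeRequest({"code": "abc", "state": "s1"}, {"oauth_state": "s1"})
    forged = FakeRequest({"code": "abc", "state": "evil"}, {"oauth_state": "s1"})
    return (callback(BrokenClient(good)), callback(FixedClient(good)),
            callback(FixedClient(forged)))
```
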
@netlify

netlify bot commented Jan 29, 2026

Deploy Preview for authentik-integrations ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | efdcabc |
| 🔍 Latest deploy log | https://app.netlify.com/projects/authentik-integrations/deploys/697b8f7f7b4f00000749b3bc |
| 😎 Deploy Preview | https://deploy-preview-19854--authentik-integrations.netlify.app |

@dewi-tik dewi-tik enabled auto-merge (squash) January 29, 2026 16:51
@codecov

codecov bot commented Jan 29, 2026

Codecov Report

❌ Patch coverage is 26.08696% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.26%. Comparing base (8a55050) to head (0e3c8c2).
⚠️ Report is 1 commits behind head on version-2025.12.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| authentik/sources/oauth/types/wechat.py | 26.08% | 17 Missing ⚠️ |

Additional details and impacted files
@@                 Coverage Diff                 @@
##           version-2025.12   #19854      +/-   ##
===================================================
- Coverage            93.26%   93.26%   -0.01%     
===================================================
  Files                  947      947              
  Lines                52356    52369      +13     
===================================================
+ Hits                 48831    48840       +9     
- Misses                3525     3529       +4     

| Flag | Coverage Δ |
| --- | --- |
| e2e | 44.47% <26.08%> (+<0.01%) ⬆️ |
| integration | 23.57% <26.08%> (+<0.01%) ⬆️ |
| unit | 91.54% <26.08%> (-0.02%) ⬇️ |
| unit-migrate | 91.59% <26.08%> (-0.02%) ⬇️ |


@dewi-tik dewi-tik merged commit 7b0a6b4 into version-2025.12 Jan 29, 2026
122 of 125 checks passed
@dewi-tik dewi-tik deleted the cherry-pick/18973-to-version-2025.12 branch January 29, 2026 20:37
@github-actions

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-0e3c8c27b01bb7366999160dc16f9a4e0523a1a6
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-0e3c8c27b01bb7366999160dc16f9a4e0523a1a6

Afterwards, run the upgrade commands from the latest release notes.
