Skip to content

sources/oauth: Fix InvalidAudienceError in id_token fallback#20096

Merged
BeryJu merged 3 commits intogoauthentik:mainfrom
ryanpesek:source-oidc-id-token-fallback-fix
Feb 9, 2026
Merged

sources/oauth: Fix InvalidAudienceError in id_token fallback#20096
BeryJu merged 3 commits intogoauthentik:mainfrom
ryanpesek:source-oidc-id-token-fallback-fix

Conversation

@ryanpesek
Copy link
Contributor

@ryanpesek ryanpesek commented Feb 7, 2026

Details

When using an OIDC source without a profile URL (relying on id_token claims fallback), authentication fails with InvalidAudienceError if the id_token contains an aud claim. The decode() call in OpenIDConnectClient.get_profile_info() doesn't pass an expected audience parameter. PyJWT validates the aud claim by default when present, causing the decode to fail.

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make docs)

@ryanpesek ryanpesek requested a review from a team as a code owner February 7, 2026 21:36
@netlify
Copy link

netlify bot commented Feb 7, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit f676a9f
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6987b063f2ba7000089134ba
😎 Deploy Preview https://deploy-preview-20096--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov
Copy link

codecov bot commented Feb 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 84.61538% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.19%. Comparing base (ab16661) to head (09804a9).
⚠️ Report is 13 commits behind head on main.

Files with missing lines Patch % Lines
authentik/sources/oauth/types/oidc.py 33.33% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #20096      +/-   ##
==========================================
- Coverage   93.23%   93.19%   -0.05%     
==========================================
  Files         968      968              
  Lines       53589    53599      +10     
==========================================
- Hits        49965    49952      -13     
- Misses       3624     3647      +23
Flag Coverage Δ
conformance 37.95% <0.00%> (-0.01%) ⬇️
e2e 43.92% <0.00%> (-0.02%) ⬇️
integration 22.65% <0.00%> (-0.06%) ⬇️
unit 91.40% <84.61%> (+0.01%) ⬆️
unit-migrate 91.41% <84.61%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

BeryJu
BeryJu reviewed Feb 7, 2026
View reviewed changes
@BeryJu BeryJu changed the title sources/oidc: Fix InvalidAudienceError in id_token fallback sources/oauth: Fix InvalidAudienceError in id_token fallback Feb 9, 2026
@BeryJu BeryJu merged commit 2664ea7 into goauthentik:main Feb 9, 2026
99 of 100 checks passed
@ryanpesek
Copy link
Contributor Author

ryanpesek commented Feb 9, 2026

@BeryJu thanks for taking a look! Can this also be back-ported to 2025.12?

@BeryJu BeryJu added area:backend backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 labels Feb 9, 2026
authentik-automation bot pushed a commit that referenced this pull request Feb 9, 2026
@ryanpesek @authentik-automation
Cherry-pick #20096 to version-2025.12 (with conflicts)
b5d8449 
This cherry-pick has conflicts that need manual resolution.

Original PR: #20096
Original commit: 2664ea7
@authentik-automation authentik-automation bot mentioned this pull request Feb 9, 2026
Merged
@authentik-automation
Copy link
Contributor

authentik-automation bot commented Feb 9, 2026

⚠️ Cherry-pick to version-2025.12 has conflicts: #20122

kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'main' into bug/admin/source-forms-not-rendering
d5ccc8b 
* main: (108 commits)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  web/i18n: Fix Japanese and Korean font overrides. (#19994)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'main' into web/flow/tablize-token-component-relationship
5656014 
* main: (34 commits)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  web/i18n: Fix Japanese and Korean font overrides. (#19994)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'web/flow/tablize-token-component-relationship' into web…
e9d272b 
…/flow/one-true-api

* web/flow/tablize-token-component-relationship: (84 commits)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  web/i18n: Fix Japanese and Korean font overrides. (#19994)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'web/flow/one-true-api' into web/flow/extract-flow-inspe…
72eb401 
…ctor

* web/flow/one-true-api: (84 commits)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  web/i18n: Fix Japanese and Korean font overrides. (#19994)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'main' into web/maintenance/no-unknown-attributes-2
34245ad 
* main: (293 commits)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  web/i18n: Fix Japanese and Korean font overrides. (#19994)
  ...
kensternberg-authentik added a commit that referenced this pull request Feb 9, 2026
@kensternberg-authentik
Merge branch 'main' into bug/web/sfe/polyfill-for-object-assign
3bb3770 
* main: (83 commits)
  web/admin: source forms not rendering (#19887)
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  ...
rissson pushed a commit that referenced this pull request Feb 11, 2026
@authentik-automation @ryanpesek @BeryJu
sources/oauth: Fix InvalidAudienceError in id_token fallback (cherry-…
18084c9 
…pick #20096 to version-2025.12) (#20122)

Co-authored-by: Ryan Pesek <44002516+ryanpesek@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
kensternberg-authentik added a commit that referenced this pull request Feb 12, 2026
@kensternberg-authentik
Merge branch 'web/flow/extract-flow-inspector' into web/flow/move-dia…
53e37a1 
…logs-into-the-light

* web/flow/extract-flow-inspector: (85 commits)
  Prettier is still having opinions.
  tasks: add queued tasks metrics (#20118)
  website/docs: endpoint devices: add fleet connector doc (#20086)
  tasks/middlewares: call monitoring_set upon metrics request (#20117)
  core: bump github.com/pires/go-proxyproto from 0.9.2 to 0.10.0 (#20102)
  core: bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#20103)
  core: bump gunicorn from 25.0.1 to 25.0.3 (#20104)
  ci: bump int128/docker-manifest-create-action from 2.13.0 to 2.14.0 (#20105)
  ci: bump astral-sh/setup-uv from 7.2.1 to 7.3.0 in /.github/actions/setup (#20106)
  web: bump the swc group across 2 directories with 1 update (#20108)
  web: bump playwright from 1.58.1 to 1.58.2 in /web (#20109)
  web: bump @playwright/test from 1.58.1 to 1.58.2 in /web (#20110)
  web: bump @types/node from 25.2.1 to 25.2.2 in /web (#20111)
  web: bump knip from 5.83.0 to 5.83.1 in /web (#20112)
  web: bump type-fest from 5.4.3 to 5.4.4 in /web (#20113)
  sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
  website/docs: generate CVE sidebar (#20098)
  providers/saml: move sp acs binding down in form (#20039)
  sources/saml: truncate transient username longer than 150 chars (#19930)
  web: Fix locale selector in compatibility mode. (#19946)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BeryJu BeryJu BeryJu approved these changes

Assignees

No one assigned

Labels

area:backend backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ryanpesek @BeryJu