

providers/oauth2: audit_ignore last_login change for generated servic…
…e account (goauthentik#11085)

Signed-off-by: Jens Langhammer <[email protected]>
BeryJu authored Aug 27, 2024
1 parent 0fcac0e commit cdbf448
Showing 3 changed files with 17 additions and 15 deletions.
2 changes: 1 addition & 1 deletion authentik/enterprise/apps.py
Expand Up @@ -25,4 +25,4 @@ def check_enabled(self):
"""Actual enterprise check, cached"""
from authentik.enterprise.license import LicenseKey

return LicenseKey.cached_summary().status
return LicenseKey.cached_summary().status.is_valid
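Review bot: check_enabled now returns the boolean `is_valid` of the cached summary status rather than the status itself, but the docstring on the line below the hunk header still reads only "Actual enterprise check, cached"; I would update it to `"""Actual enterprise check, cached; returns whether the cached license summary status is valid"""` so callers see the return type changed. This change is also not mentioned in the commit message, which only describes the oauth2 audit_ignore change, so a short sentence there would help anyone bisecting later. Whether `is_valid` is a property or a method on the status object cannot be told from this hunk; the rest of check_enabled is visible here, but its callers are not.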
27 changes: 14 additions & 13 deletions authentik/providers/oauth2/views/token.py
Expand Up @@ -433,20 +433,21 @@ def __post_init_client_credentials_generated(self, request: HttpRequest):
app = Application.objects.filter(provider=self.provider).first()
if not app or not app.provider:
raise TokenError("invalid_grant")
self.user, _ = User.objects.update_or_create(
# trim username to ensure the entire username is max 150 chars
# (22 chars being the length of the "template")
username=f"ak-{self.provider.name[:150-22]}-client_credentials",
defaults={
"attributes": {
USER_ATTRIBUTE_GENERATED: True,
with audit_ignore():
self.user, _ = User.objects.update_or_create(
# trim username to ensure the entire username is max 150 chars
# (22 chars being the length of the "template")
username=f"ak-{self.provider.name[:150-22]}-client_credentials",
defaults={
"attributes": {
USER_ATTRIBUTE_GENERATED: True,
},
"last_login": timezone.now(),
"name": f"Autogenerated user from application {app.name} (client credentials)",
"path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
"type": UserTypes.SERVICE_ACCOUNT,
},
"last_login": timezone.now(),
"name": f"Autogenerated user from application {app.name} (client credentials)",
"path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
"type": UserTypes.SERVICE_ACCOUNT,
},
)
)
self.__check_policy_access(app, request)

Event.new(
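Review bot: Wrapping the whole update_or_create call in audit_ignore() suppresses the audit record for the first creation of the generated service account as well, not only the per-request last_login refresh the commit title describes, assuming audit_ignore() mutes model events for everything inside its block as the name suggests. The `created` flag returned by update_or_create is discarded as `_`, so nothing downstream can compensate for the missing creation event either. I would keep the creation path outside the context manager and only exclude the refresh from auditing, as sketched below; the enclosing function continues past the `Event.new(` call at the end of the hunk, so that later event may still need to be checked for whether it covers creation.
```python
        username = f"ak-{self.provider.name[:150-22]}-client_credentials"
        defaults = {
            "attributes": {
                USER_ATTRIBUTE_GENERATED: True,
            },
            "name": f"Autogenerated user from application {app.name} (client credentials)",
            "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
            "type": UserTypes.SERVICE_ACCOUNT,
        }
        # Creation of the service account stays visible in the audit log.
        User.objects.get_or_create(username=username, defaults=defaults)
        # Only the per-request refresh (last_login) is excluded from auditing.
        with audit_ignore():
            self.user, _ = User.objects.update_or_create(
                username=username,
                defaults={**defaults, "last_login": timezone.now()},
            )
        # … unchanged: policy check and Event.new( …
```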
3 changes: 2 additions & 1 deletion website/docs/providers/oauth2/client_credentials.md
Expand Up @@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=application_client_id&
username=my-service-account&
password=my-token
password=my-token&
scope=profile
```

This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.
