From 6070508058eb1cd984e0b0b4b741f56cdceb16d1 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Tue, 27 Aug 2024 14:32:17 +0200
Subject: [PATCH] providers/oauth2: audit_ignore last_login change for generated service account (cherry-pick #11085) (#11086)

providers/oauth2: audit_ignore last_login change for generated service account (#11085)

Signed-off-by: Jens Langhammer
Co-authored-by: Jens L.
---
 authentik/enterprise/apps.py | 2 +-
 authentik/providers/oauth2/views/token.py | 27 ++++++++++---------
 .../providers/oauth2/client_credentials.md | 3 ++-
 3 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/authentik/enterprise/apps.py b/authentik/enterprise/apps.py
index e62f317a7c76..31d6eba9a117 100644
--- a/authentik/enterprise/apps.py
+++ b/authentik/enterprise/apps.py
@@ -25,4 +25,4 @@ def check_enabled(self):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().status.is_valid
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index 70ba0afd155d..c42225d0af04 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
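Review bot: `check_enabled` now returns `status.is_valid` where it previously returned the status object itself; if that object was always truthy (which the hunk suggests but does not show), the enterprise gate failed open for an expired or otherwise invalid license, and nothing in this change pins the corrected behaviour down. A regression test asserting that `check_enabled()` is `False` for an invalid or expired cached summary would keep this from silently reverting. The docstring should also state the contract now that the return value is a boolean: `"""Actual enterprise check, cached; True only when the cached license summary's status is valid"""`. The `def check_enabled(self)` line lies outside the hunk.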
@@ -433,20 +433,21 @@ def __post_init_client_credentials_generated(self, request: HttpRequest):
         app = Application.objects.filter(provider=self.provider).first()
         if not app or not app.provider:
             raise TokenError("invalid_grant")
-        self.user, _ = User.objects.update_or_create(
-            # trim username to ensure the entire username is max 150 chars
-            # (22 chars being the length of the "template")
-            username=f"ak-{self.provider.name[:150-22]}-client_credentials",
-            defaults={
-                "attributes": {
-                    USER_ATTRIBUTE_GENERATED: True,
+        with audit_ignore():
+            self.user, _ = User.objects.update_or_create(
+                # trim username to ensure the entire username is max 150 chars
+                # (22 chars being the length of the "template")
+                username=f"ak-{self.provider.name[:150-22]}-client_credentials",
+                defaults={
+                    "attributes": {
+                        USER_ATTRIBUTE_GENERATED: True,
+                    },
+                    "last_login": timezone.now(),
+                    "name": f"Autogenerated user from application {app.name} (client credentials)",
+                    "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
+                    "type": UserTypes.SERVICE_ACCOUNT,
                 },
-                "last_login": timezone.now(),
-                "name": f"Autogenerated user from application {app.name} (client credentials)",
-                "path": f"{USER_PATH_SYSTEM_PREFIX}/apps/{app.slug}",
-                "type": UserTypes.SERVICE_ACCOUNT,
-            },
-        )
+            )
         self.__check_policy_access(app, request)
         Event.new(
diff --git a/website/docs/providers/oauth2/client_credentials.md b/website/docs/providers/oauth2/client_credentials.md
index 95ca1c5695ec..1169ea38d190 100644
--- a/website/docs/providers/oauth2/client_credentials.md
+++ b/website/docs/providers/oauth2/client_credentials.md
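Review bot: The `with audit_ignore():` block wraps the entire `update_or_create`, so it also suppresses the audit record for the first creation of the generated service account under `USER_PATH_SYSTEM_PREFIX`, not only the per-request `last_login` refresh that the commit title describes (assuming `audit_ignore` silences every model-change event raised inside the block, which the hunk does not show). An operator reviewing the audit trail would want to see a new system user appear once; only the repeated `last_login` write is noise, and the `Event.new(` login event after the block does not replace a creation record. One way to keep creation audited is to create the account with `get_or_create` outside the block and limit the suppressed write to `last_login`, as sketched below; the trade-off is that `name`, `path` and `type` are then no longer re-written on every request, which may or may not be intended. The enclosing method starts before the hunk and the `Event.new(` call continues after it.
```python
        self.user, _ = User.objects.get_or_create(
            # trim username to ensure the entire username is max 150 chars
            # (22 chars being the length of the "template")
            username=f"ak-{self.provider.name[:150-22]}-client_credentials",
            # … unchanged: defaults dict, without the "last_login" entry …
        )
        # Creation stays audited; only the per-request last_login refresh is suppressed.
        with audit_ignore():
            self.user.last_login = timezone.now()
            self.user.save(update_fields=["last_login"])
        # … unchanged: policy check and login event …
```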
@@ -18,7 +18,8 @@ Content-Type: application/x-www-form-urlencoded
 grant_type=client_credentials&
 client_id=application_client_id&
 username=my-service-account&
-password=my-token
+password=my-token&
+scope=profile
 ```
 
 This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along requests to other hosts, which can then validate the JWT based on the signing key configured in authentik.