add sid claim
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
BeryJu committed Oct 23, 2024
1 parent a10b4be commit efb6da3
Showing 3 changed files with 17 additions and 3 deletions.
7 changes: 6 additions & 1 deletion authentik/providers/oauth2/id_token.py
@@ -1,6 +1,7 @@
"""id_token utils"""

from dataclasses import asdict, dataclass, field
from hashlib import sha256
from typing import TYPE_CHECKING, Any

from django.db import models
Expand Down Expand Up @@ -51,7 +52,8 @@ class IDToken:
and potentially other requested Claims. The ID Token is represented as a
JSON Web Token (JWT) [JWT].
https://openid.net/specs/openid-connect-core-1_0.html#IDToken"""
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
https://www.iana.org/assignments/jwt/jwt.xhtml"""

# Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1
iss: str | None = None
Expand Down Expand Up @@ -79,6 +81,8 @@ class IDToken:
nonce: str | None = None
# Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html
at_hash: str | None = None
# Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
sid: str | None = None

claims: dict[str, Any] = field(default_factory=dict)

Expand Down Expand Up @@ -116,6 +120,7 @@ def new(
now = timezone.now()
id_token.iat = int(now.timestamp())
id_token.auth_time = int(token.auth_time.timestamp())
id_token.sid = sha256(token.session.session_key.encode("ascii")).hexdigest()

# We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
auth_event = get_login_event(token.session)
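Review bot: `id_token.sid = sha256(token.session.session_key.encode("ascii")).hexdigest()` in `new()` dereferences `token.session` unconditionally, and the migration in this same commit leaves `session` unset for tokens whose old session id has no match and otherwise assigns the result of `.first()`, which can be None, so if a token can reach `new()` without a session this line raises AttributeError before the `auth_time` lookup below it. Guarding it, `if token.session: id_token.sid = sha256(token.session.session_key.encode("ascii")).hexdigest()`, keeps `sid` optional as the dataclass field already declares it (`sid: str | None = None`). Hashing the session key rather than emitting it is the right choice, since the ID token is handed to the relying party while the raw key is the user's session credential; a short comment on that line, `# sid is a SHA-256 of the session key so the ID token never carries the raw session credential`, would stop a later change from "simplifying" it away. The same sha256-of-session_key derivation is repeated verbatim in the migration file of this commit; a shared helper would keep the two from drifting. `new()` starts and ends outside this hunk.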
Expand Up @@ -7,6 +7,7 @@
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from authentik.lib.migrations import progress_bar


def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
AuthenticatedSession = apps.get_model("authentik_core", "authenticatedsession")
AuthorizationCode = apps.get_model("authentik_providers_oauth2", "authorizationcode")
Expand All @@ -19,13 +20,20 @@ def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
for session in progress_bar(AuthenticatedSession.objects.using(db_alias).all()):
session_ids[sha256(session.session_key.encode("ascii")).hexdigest()] = session.session_key
for model in [AuthorizationCode, AccessToken, RefreshToken]:
print(f"\nAdding session to {model._meta.verbose_name}, this might take a couple of minutes...")
print(
f"\nAdding session to {model._meta.verbose_name}, this might take a couple of minutes..."
)
for code in progress_bar(model.objects.using(db_alias).all()):
if code.session_id_old not in session_ids:
continue
code.session = AuthenticatedSession.objects.using(db_alias).filter(session_key=session_ids[code.session_id_old]).first()
code.session = (
AuthenticatedSession.objects.using(db_alias)
.filter(session_key=session_ids[code.session_id_old])
.first()
)
code.save()


class Migration(migrations.Migration):

dependencies = [
1 change: 1 addition & 0 deletions tests/e2e/test_provider_oidc.py
Expand Up @@ -157,6 +157,7 @@ def test_authorization_consent_implied(self):
body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)

self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username)
self.assertEqual(body["IDTokenClaims"]["amr"], ["pwd"])
self.assertEqual(body["UserInfo"]["nickname"], self.user.username)

self.assertEqual(body["IDTokenClaims"]["name"], self.user.name)
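Review bot: The assertion added at `self.assertEqual(body["IDTokenClaims"]["amr"], ["pwd"])` checks `amr`, while the claim this commit introduces, `sid`, is not exercised by any test in the diff. Assuming the test page echoes every ID token claim the way it does `nickname` and `amr`, two lines next to it would cover the new field and its shape: `self.assertIn("sid", body["IDTokenClaims"])` and `self.assertRegex(body["IDTokenClaims"]["sid"], r"^[0-9a-f]{64}$")`, the latter matching the SHA-256 hex digest that `IDToken.new()` now derives. `test_authorization_consent_implied` starts outside this hunk.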

0 comments on commit efb6da3
