endpoints/stage: v2.1, fix asymmetric token exchange and missing form input (#18547)

* fix oauth federated providers not configurable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix federated auth not working with asymmetric keys Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-06-17 19:09:11 +03:00 · 2025-12-04 00:09:07 +01:00
parent 302898a00a
commit e2df658d88
3 changed files with 27 additions and 3 deletions
@@ -55,7 +55,7 @@ def agent_auth_fed_validate(
    try:
        decode(
            raw_token,
-            _key,
+            _key.public_key(),
            algorithms=[_alg],
            options={
                "verify_aud": False,
@@ -7,7 +7,7 @@ from rest_framework.test import APITestCase

 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group
-from authentik.core.tests.utils import create_test_user
+from authentik.core.tests.utils import create_test_cert, create_test_user
 from authentik.endpoints.connectors.agent.api.connectors import AgentDeviceConnection
 from authentik.endpoints.connectors.agent.models import AgentConnector, EnrollmentToken
 from authentik.endpoints.models import Device, DeviceAccessGroup
@@ -30,7 +30,9 @@ class TestConnectorAuthFed(APITestCase):
            connector=self.connector,
        )
        self.user = create_test_user()
-        self.provider = OAuth2Provider.objects.create(name=generate_id())
+        self.provider = OAuth2Provider.objects.create(
+            name=generate_id(), signing_key=create_test_cert()
+        )
        self.raw_token = self.provider.encode({"foo": "bar"})
        self.token = AccessToken.objects.create(
            provider=self.provider, user=self.user, token=self.raw_token, auth_time=now()
@@ -14,6 +14,10 @@ import { WithBrandConfig } from "#elements/mixins/branding";
 import { ifPresent } from "#elements/utils/attributes";

 import { gidStartNumberHelp, uidStartNumberHelp } from "#admin/providers/ldap/LDAPOptionsAndHelp";
+import {
+    oauth2ProvidersProvider,
+    oauth2ProvidersSelector,
+} from "#admin/providers/oauth2/OAuth2ProvidersProvider";

 import {
    AgentConnector,
@@ -132,6 +136,24 @@ export class AgentConnectorForm extends WithBrandConfig(ModelForm<AgentConnector
                            >
                        </label>
                    </ak-form-element-horizontal>
+                    <ak-form-element-horizontal
+                        label=${msg("Federated OIDC Providers")}
+                        name="jwtFederationProviders"
+                    >
+                        <ak-dual-select-dynamic-selected
+                            .provider=${oauth2ProvidersProvider}
+                            .selector=${oauth2ProvidersSelector(
+                                this.instance?.jwtFederationProviders,
+                            )}
+                            available-label=${msg("Available Providers")}
+                            selected-label=${msg("Selected Providers")}
+                        ></ak-dual-select-dynamic-selected>
+                        <p class="pf-c-form__helper-text">
+                            ${msg(
+                                "JWTs signed by the selected providers can be used to authenticate to devices.",
+                            )}
+                        </p>
+                    </ak-form-element-horizontal>
                </div>
            </ak-form-group>
            <ak-form-group label="${msg("Device compliance settings")}">