From e2df658d8861459b6a388fc0cc8203e116ce9a68 Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Thu, 4 Dec 2025 00:09:07 +0100
Subject: [PATCH] endpoints/stage: v2.1, fix asymmetric token exchange and missing form input (#18547)

* fix oauth federated providers not configurable

Signed-off-by: Jens Langhammer

* fix federated auth not working with asymmetric keys

Signed-off-by: Jens Langhammer

---------

Signed-off-by: Jens Langhammer
---
 .../endpoints/connectors/agent/auth.py | 2 +-
 .../agent/tests/test_connector_auth_fed.py | 6 +++--
 .../connectors/agent/AgentConnectorForm.ts | 22 +++++++++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/authentik/enterprise/endpoints/connectors/agent/auth.py b/authentik/enterprise/endpoints/connectors/agent/auth.py
index eb5207adad..ae35e94a7e 100644
--- a/authentik/enterprise/endpoints/connectors/agent/auth.py
+++ b/authentik/enterprise/endpoints/connectors/agent/auth.py
@@ -55,7 +55,7 @@ def agent_auth_fed_validate(
     try:
         decode(
             raw_token,
-            _key,
+            _key.public_key(),
             algorithms=[_alg],
             options={
                 "verify_aud": False,
diff --git a/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_fed.py b/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_fed.py
index d81c1bcff3..74c3f55a0f 100644
--- a/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_fed.py
+++ b/authentik/enterprise/endpoints/connectors/agent/tests/test_connector_auth_fed.py
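Review bot: `_key.public_key()` assumes `_key` is always a private-key object, so a provider that has no asymmetric signing key (the symmetric path, where the key would be a shared secret rather than a key object — inferred from the commit title, since the assignment of `_key` is outside the hunk) would now raise AttributeError before `decode` is reached instead of being rejected as an invalid token. If that configuration remains reachable, derive the verification key conditionally: `verify_key = _key.public_key() if hasattr(_key, "public_key") else _key` and pass `verify_key` to `decode`. Since the verification key is now a public key, `algorithms=[_alg]` must stay pinned to the provider's configured algorithm; a comment such as `# _alg comes from the provider config; never accept a wider list here` would make that invariant explicit for the next edit. `agent_auth_fed_validate` starts and ends outside the hunk.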
@@ -7,7 +7,7 @@ from rest_framework.test import APITestCase
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group
-from authentik.core.tests.utils import create_test_user
+from authentik.core.tests.utils import create_test_cert, create_test_user
 from authentik.endpoints.connectors.agent.api.connectors import AgentDeviceConnection
 from authentik.endpoints.connectors.agent.models import AgentConnector, EnrollmentToken
 from authentik.endpoints.models import Device, DeviceAccessGroup
@@ -30,7 +30,9 @@ class TestConnectorAuthFed(APITestCase):
             connector=self.connector,
         )
         self.user = create_test_user()
-        self.provider = OAuth2Provider.objects.create(name=generate_id())
+        self.provider = OAuth2Provider.objects.create(
+            name=generate_id(), signing_key=create_test_cert()
+        )
         self.raw_token = self.provider.encode({"foo": "bar"})
         self.token = AccessToken.objects.create(
             provider=self.provider, user=self.user, token=self.raw_token, auth_time=now()
diff --git a/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts b/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
index 09204dc32b..97b7c6178f 100644
--- a/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
+++ b/web/src/admin/endpoints/connectors/agent/AgentConnectorForm.ts
@@ -14,6 +14,10 @@ import { WithBrandConfig } from "#elements/mixins/branding";
 import { ifPresent } from "#elements/utils/attributes";
 
 import { gidStartNumberHelp, uidStartNumberHelp } from "#admin/providers/ldap/LDAPOptionsAndHelp";
+import {
+    oauth2ProvidersProvider,
+    oauth2ProvidersSelector,
+} from "#admin/providers/oauth2/OAuth2ProvidersProvider";
 
 import {
     AgentConnector,
@@ -132,6 +136,24 @@ export class AgentConnectorForm extends WithBrandConfig(ModelForm + + +
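Review bot: The fixture now always attaches `signing_key=create_test_cert()`, so only the asymmetric path is exercised; the provider without a signing key that the removed line created is no longer covered, even though this same commit changes `agent_auth_fed_validate` to call `_key.public_key()` unconditionally. Consider keeping a second provider created without `signing_key` and asserting the behaviour the validator is expected to have for it, so a regression on that path is caught by the test rather than surfacing as an AttributeError at request time. The enclosing method continues outside the hunk.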

+ ${msg( + "JWTs signed by the selected providers can be used to authenticate to devices.", + )} +

+