eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-25 17:15:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
21,729 Commits 321 Branches 440 Tags
b5a92b783f839b4fa9548aece650831ca801a039
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Sai Asish Y b5a92b783f providers/oauth2: require client_secret on device_code exchange for confidential clients (#21700) 
* providers/oauth2: require client_secret on device_code exchange for confidential clients

TokenParams.__post_init__ only ran the client_secret check for the
authorization_code and refresh_token grant types:

	if self.grant_type in [GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN]:
		if self.provider.client_type == ClientTypes.CONFIDENTIAL and not compare_digest(
			self.provider.client_secret, self.client_secret,
		):
			raise TokenError("invalid_client")

The device_code path (__post_init_device_code) then looked up the
DeviceToken solely by device_code and issued an access token if one
matched. A caller that knows the client_id and has stolen a
device_code (e.g. via the standard phishing flow: attacker starts
device authorization, sends user_code to a victim, victim completes
authorization, attacker redeems the device_code) did not have to
prove ownership of the confidential client.

RFC 6749 Section 2.3.1 requires confidential clients to authenticate
to the token endpoint, and RFC 8628 Section 3.4 inherits that: the
device_code is bearer-shaped but not a substitute for client
credentials. Keycloak and Okta both enforce client_secret on the
device token exchange for confidential clients; we didn't.

Add GRANT_TYPE_DEVICE_CODE to the list so the existing compare_digest
check runs for it too. Public clients are unaffected (the guard is
gated on ClientTypes.CONFIDENTIAL). client_credentials/password keep
their own client-auth path in __post_init_client_credentials, which
also enforces the secret (and supports client assertion).

Fixes #20828

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>

* Apply suggestion from @BeryJu

Signed-off-by: Jens L. <jens@beryju.org>

* update tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens L. <jens@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-04-24 17:23:36 +02:00
.cargo
packages/ak-common/config: init (#21256)
2026-04-02 15:05:35 +02:00
.github
ci: bump calibreapp/image-actions from 4f7260f5dbd809ec86d03721c1ad71b8a841d3e0 to e2cc8db5d49c849e00844dfebf01438318e96fa2 (#21812)
2026-04-24 11:39:34 +01:00
.vscode
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
authentik
providers/oauth2: require client_secret on device_code exchange for confidential clients (#21700)
2026-04-24 17:23:36 +02:00
blueprints
core: complete rework to oobe and setup experience (#21753)
2026-04-24 14:47:05 +02:00
cmd
root: allow listening on multiple IPs (#20930)
2026-03-19 15:46:47 +00:00
internal
internal/outpost: serialize websocket writes to prevent panic (#21728)
2026-04-23 02:33:10 +02:00
lifecycle
lifecycle/container: allow cross-compilation from arm64 to amd64 (#21817)
2026-04-24 17:00:46 +02:00
locale
stages/user_write: refuse to write id/pk claims onto the user model (#21667)
2026-04-23 11:03:12 +02:00
packages
flows: add warning message for expired password reset links (#21395)
2026-04-22 15:09:05 +02:00
schemas
enterprise/providers: WS-Federation (#19583)
2026-01-28 17:43:16 +01:00
scripts
scripts/api_filter_schema: fix authentication (#21644)
2026-04-16 16:19:32 +00:00
tests
core: complete rework to oobe and setup experience (#21753)
2026-04-24 14:47:05 +02:00
web
web: bump @sentry/browser from 10.48.0 to 10.49.0 in /web in the sentry group across 1 directory (#21810)
2026-04-24 11:39:43 +01:00
website
enterprise/endpoints/connectors: Fleet conditional access stage (#20978)
2026-04-24 16:17:00 +02:00
.dockerignore
packages/ak-lib: init (#21257)
2026-03-31 11:33:46 +02:00
.editorconfig
website: add netlify cache plugin (#15113)
2025-06-18 15:07:15 +02:00
.gitattributes
packages/django-dramatiq-postgres: fix default value for HTTPServerThread (#21216)
2026-03-28 20:57:46 +01:00
.gitignore
root: cleanup API generation (#21172)
2026-03-26 13:48:01 +00:00
.prettierignore
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
Cargo.lock
core: bump rustls from 0.23.38 to 0.23.39 (#21802)
2026-04-23 14:18:04 +00:00
Cargo.toml
core: bump rustls from 0.23.38 to 0.23.39 (#21802)
2026-04-23 14:18:04 +00:00
CODE_OF_CONDUCT.md
website: remove the last updated option from footer (#13493)
2025-03-12 18:59:21 +00:00
CODEOWNERS
packages/ak-lib: init (#21257)
2026-03-31 11:33:46 +02:00
CONTRIBUTING.md
root: clean up README (#16286)
2025-09-02 21:38:53 +00:00
cspell.config.jsonc
policies/event_matcher: Add query option to filter events (#21618)
2026-04-16 01:52:11 +02:00
go.mod
core: bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1 in the go_modules group across 1 directory (#21807)
2026-04-24 11:39:57 +01:00
go.sum
core: bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1 in the go_modules group across 1 directory (#21807)
2026-04-24 11:39:57 +01:00
LICENSE
enterprise: initial license (#5293)
2023-04-19 16:13:45 +02:00
Makefile
packages/clients: only generate needed endpoints (#21578)
2026-04-15 13:11:25 +00:00
manage.py
*: replace Celery with Dramatiq (#13492)
2025-07-28 17:00:09 +02:00
package-lock.json
web: bump cspell from 9.7.0 to 10.0.0 (#21427)
2026-04-07 15:15:53 +01:00
package.json
web: bump cspell from 9.7.0 to 10.0.0 (#21427)
2026-04-07 15:15:53 +01:00
pyproject.toml
core: bump pydantic from 2.13.2 to 2.13.3 (#21809)
2026-04-24 11:39:48 +01:00
README.md
root: Fix transifex link (#17696)
2025-10-24 19:01:42 +02:00
rust-toolchain.toml
core: bump rust-toolchain from 1.94.1 to 1.95.0 (#21660)
2026-04-17 23:48:49 +01:00
schema.yml
flows: add warning message for expired password reset links (#21395)
2026-04-22 15:09:05 +02:00
SECURITY.md
security: add item to intended behavior section of security policy (#21430)
2026-04-07 13:00:26 +02:00
tsconfig.json
core, web: Vendored client follow-ups (#21174)
2026-03-26 18:33:24 +01:00
uv.lock
core: bump pydantic from 2.13.2 to 2.13.3 (#21809)
2026-04-24 11:39:48 +01:00

README.md

authentik logo

Join Discord GitHub Workflow Status GitHub Workflow Status GitHub Workflow Status Code Coverage Latest version

What is authentik?

authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.

Our enterprise offering is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.

Installation

  • Docker Compose: recommended for small/test setups. See the documentation.
  • Kubernetes (Helm Chart): recommended for larger setups. See the documentation and the Helm chart repository.
  • AWS CloudFormation: deploy on AWS using our official templates. See the documentation.
  • DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the app listing.

Screenshots

Light Dark

Development and contributions

See the Developer Documentation for information about setting up local build environments, testing your contributions, and our contribution process.

Security

Please see SECURITY.md.

Adoption

Using authentik? We'd love to hear your story and feature your logo. Email us at hello@goauthentik.io or open a GitHub Issue/PR!

License

MIT License CC BY-SA 4.0 authentik EE License

Reference in New Issue View Git Blame Copy Permalink
Description
Mirrored from GitHub
Readme MIT 959 MiB
Languages
Python 54.9%
TypeScript 34.9%
Go 4.4%
CSS 2.1%
JavaScript 1.5%
Other 2.1%