remove manual sid extraction from proxy, add test, make session key h…

…ashing more obvious

Signed-off-by: Jens Langhammer <[email protected]>

authentik/providers/oauth2/id_token.py

@@ -24,8 +24,13 @@
     from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider
 
 
+def hash_session_key(session_key: str) -> str:
+    """Hash the session key for inclusion in JWTs as `sid`"""
+    return sha256(session_key.encode("ascii")).hexdigest()
+
+
 class SubModes(models.TextChoices):
-    """Mode after which 'sub' attribute is generateed, for compatibility reasons"""
+    """Mode after which 'sub' attribute is generated, for compatibility reasons"""
 
     HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
     USER_ID = "user_id", _("Based on user ID")
@@ -120,7 +125,8 @@ def new(
         now = timezone.now()
         id_token.iat = int(now.timestamp())
         id_token.auth_time = int(token.auth_time.timestamp())
-        id_token.sid = sha256(token.session.session_key.encode("ascii")).hexdigest()
+        if token.session:
+            id_token.sid = hash_session_key(token.session.session_key)
 
         # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
         auth_event = get_login_event(token.session)

authentik/providers/proxy/tasks.py

@@ -1,13 +1,13 @@
 """proxy provider tasks"""
 
-from hashlib import sha256
 
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.db import DatabaseError, InternalError, ProgrammingError
 
 from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.models import Outpost, OutpostType
+from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.root.celery import CELERY_APP
 
@@ -26,7 +26,7 @@ def proxy_set_defaults():
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""
     layer = get_channel_layer()
-    hashed_session_id = sha256(session_id.encode("ascii")).hexdigest()
+    hashed_session_id = hash_session_key(session_id)
     for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
         group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
         async_to_sync(layer.group_send)(

blueprints/system/providers-proxy.yaml

@@ -14,11 +14,7 @@ entries:
       expression: |
         # This mapping is used by the authentik proxy. It passes extra user attributes,
         # which are used for example for the HTTP-Basic Authentication mapping.
-        session_id = None
-        if "token" in request.context:
-            session_id = request.context.get("token").session_id
         return {
-            "sid": session_id,
             "ak_proxy": {
                 "user_attributes": request.user.group_attributes(request),
                 "is_superuser": request.user.is_superuser,

tests/e2e/test_provider_proxy.py

@@ -8,6 +8,7 @@
 from unittest.case import skip, skipUnless
 
 from channels.testing import ChannelsLiveServerTestCase
+from jwt import decode
 from selenium.webdriver.common.by import By
 
 from authentik.blueprints.tests import apply_blueprint, reconcile_app
@@ -107,6 +108,11 @@ def test_proxy_simple(self):
 
         self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username])
         self.assertEqual(body["headers"]["X-Foo"], ["bar"])
+        raw_jwt: str = body["headers"]["X-Authentik-Jwt"][0]
+        jwt = decode(raw_jwt, options={"verify_signature": False})
+
+        self.assertIsNotNone(jwt["sid"])
+        self.assertIsNotNone(jwt["ak_proxy"])
 
         self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
         sleep(2)