8000 fix: add missing parameters to Authentik OAuth2 token requests by Vansh5632 · Pull Request #9869 · appwrite/appwrite · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

fix: add missing parameters to Authentik OAuth2 token requests #9869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: add missing parameters to Authentik OAuth2 token requests #9869

wants to merge 1 commit into from

Conversation

Vansh5632
Copy link
@Vansh5632 Vansh5632 commented May 23, 2025
edited
Loading

Description

This PR fixes a critical bug in the Authentik OAuth2 provider where required parameters were missing in token requests.
Fixes: #9567

Issues Fixed

  • The getTokens() method was missing the code parameter in the HTTP request body
  • The refreshTokens() method was missing the refresh_token parameter in the HTTP request body

Changes Made

  1. Added the missing code parameter to the token request in getTokens()
  2. Added the missing refresh_token parameter to the token request in refreshTokens()
  3. Added comprehensive unit tests to verify both fixes and prevent regression

Test Coverage

The new test cases verify:

  • The code parameter is correctly included in token requests
  • The refresh_token parameter is correctly included in refresh requests
  • The original refresh token is preserved when not returned in the response
  • The login URL is correctly constructed

Checklist

  • Code follows PSR-12 coding standards (run through formatter)
  • Added tests that verify the fix
  • All tests are passing

Summary by CodeRabbit

  • Bug Fixes

    • Improved OAuth2 login URL formatting for more reliable authentication with the Authentik provider.

  • Tests

    • Added comprehensive unit tests for OAuth2 token handling and login URL generation with the Authentik provider.

@Vansh5632
fix: add missing parameters to Authentik OAuth2 token requests
1d43539 
This commit fixes the Authentik OAuth2 provider by:
- Adding the missing 'code' parameter in getTokens() method
- Adding the missing 'refresh_token' parameter in refreshTokens() method

Without these parameters, authentication and token refresh would fail.
Added unit tests to verify the fix and prevent regression.
@coderabbitai coderabbitai
Copy link
coderabbitai bot commented May 23, 2025
edited
Loading

Walkthrough

The update modifies the OAuth2 authorization endpoint in the Authentik provider by adding a trailing slash to the /authorize path within the getLoginURL() method. Additionally, a new PHPUnit test class is introduced to verify the correctness of token handling and URL generation for the Authentik OAuth2 implementation.

Changes

File(s) Change Summary
src/Appwrite/Auth/OAuth2/Authentik.php Modified the getLoginURL() method to append a trailing slash to the OAuth2 /authorize endpoint URL.
tests/unit/Auth/OAuth2/AuthentikTest.php Added a new PHPUnit test class to validate token handling and login URL generation for Authentik OAuth2.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant AuthentikProvider
    participant OAuth2Server

    User->>AuthentikProvider: Request login URL
    AuthentikProvider->>OAuth2Server: Redirect to /application/o/authorize/? with params
    OAuth2Server-->>User: OAuth2 consent screen
    User->>OAuth2Server: Authorize
    OAuth2Server-->>AuthentikProvider: Redirect with code
    AuthentikProvider->>OAuth2Server: Exchange code for tokens
    OAuth2Server-->>AuthentikProvider: Return access & refresh tokens
Loading

Poem

A rabbit hopped to fix a slash,
In login URLs—quick as a flash!
With new tests to keep things tight,
Tokens handled just right.
Now Authentik's flow is sure to dash—
OAuth2 journeys, free of crash!
🐇✨

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need he 8000 lp? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed May 23, 2025
View reviewed changes
Copy link
@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (2)
tests/unit/Auth/OAuth2/AuthentikTest.php (2)

26-64: LGTM: Comprehensive test for code parameter inclusion.

The test effectively verifies that the code parameter is included in the token request using appropriate mocking and reflection techniques. The callback validation ensures the parameter is correctly passed to the HTTP request.

Consider enhancing the validation to check for all required parameters in the token request:

 $this->callback(function ($queryString) {
     parse_str($queryString, $params);
-    return isset($params['code']) && $params['code'] === 'test-code';
+    $requiredParams = ['code', 'client_id', 'client_secret', 'redirect_uri', 'grant_type'];
+    foreach ($requiredParams as $param) {
+        if (!isset($params[$param])) {
+            return false;
+        }
+    }
+    return $params['code'] === 'test-code';
 })

136-146: LGTM: Validates URL generation with proper OAuth parameters.

The test correctly verifies that the login URL includes all necessary OAuth parameters and confirms the trailing slash addition in the authorization endpoint.

Consider enhancing the URL validation for more robust parameter checking:

 public function testGetLoginURL(): void
 {
     $authentik = new Authentik($this->appId, $this->appSecret, $this->callback);
     $loginUrl = $authentik->getLoginURL();
 
-    // Check that the URL contains the necessary parameters
-    $this->assertStringContainsString('client_id=' . $this->appId, $loginUrl);
-    $this->assertStringContainsString('redirect_uri=' . urlencode($this->callback), $loginUrl);
-    $this->assertStringContainsString('response_type=code', $loginUrl);
-    $this->assertStringContainsString('https://authentik.example.com/application/o/authorize/', $loginUrl);
+    // Parse URL and validate parameters
+    $parsedUrl = parse_url($loginUrl);
+    parse_str($parsedUrl['query'], $params);
+    
+    $this->assertEquals('https://authentik.example.com/application/o/authorize/', 
+        $parsedUrl['scheme'] . '://' . $parsedUrl['host'] . $parsedUrl['path']);
+    $this->assertEquals($this->appId, $params['client_id']);
+    $this->assertEquals($this->callback, $params['redirect_uri']);
+    $this->assertEquals('code', $params['response_type']);
+    $this->assertArrayHasKey('scope', $params);
+    $this->assertArrayHasKey('state', $params);
 }
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 39d45bd and 1d43539.

📒 Files selected for processing (2)
  • src/Appwrite/Auth/OAuth2/Authentik.php (1 hunks)
  • tests/unit/Auth/OAuth2/AuthentikTest.php (1 hunks)
🔇 Additional comments (4)
src/Appwrite/Auth/OAuth2/Authentik.php (1)

45-45: LGTM: URL standardization improves API compatibility.

The addition of the trailing slash to the authorization endpoint URL is a good practice that ensures compatibility with Authentik's OAuth2 implementation, as some providers require specific URL formatting.

Note: There's an inconsistency between the PR objectives and the visible changes. The PR objectives mention adding missing code and refresh_token parameters to the getTokens() and refreshTokens() methods, but these parameters are already present in the code (lines 68 and 94 respectively). Only the trailing slash addition is marked as a change.

Likely an incorrect or invalid review comment.

tests/unit/Auth/OAuth2/AuthentikTest.php (3)

10-21: LGTM: Well-structured test setup.

The test setup correctly initializes the required configuration with proper JSON structure for the appSecret that includes both clientSecret and authentikDomain as expected by the Authentik OAuth2 provider.

69-103: LGTM: Proper validation of refresh token parameter inclusion.

The test correctly verifies that the refresh_token parameter is included in the refresh request. The mocking approach is consistent and the assertions validate the expected response structure.

108-131: LGTM: Critical edge case testing for token preservation.

This test covers an important scenario where the OAuth provider doesn't return a new refresh token in the response. The verification that the original refresh token is preserved is crucial for maintaining authentication sessions and prevents token loss.

@github-actions GitHub Actions
Copy link

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
binutils 2.42-r0 CVE-2025-0840 HIGH
libexpat 2.6.4-r0 CVE-2024-8176 HIGH
libxml2 2.12.7-r0 CVE-2024-56171 HIGH
libxml2 2.12.7-r0 CVE-2025-24928 HIGH
libxml2 2.12.7-r0 CVE-2025-27113 HIGH
libxml2 2.12.7-r0 CVE-2025-32414 HIGH
libxml2 2.12.7-r0 CVE-2025-32415 HIGH
sqlite-libs 3.45.3-r1 CVE-2025-29087 HIGH
xz 5.6.2-r0 CVE-2025-31115 HIGH
xz-libs 5.6.2-r0 CVE-2025-31115 HIGH
golang.org/x/crypto v0.31.0 CVE-2025-22869 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

🐛 Bug Report: Wrong authentik auth URL
1 participant
@Vansh5632
0