fix(auth): correct userinfo endpoint fallback for authentik profile enrichment

2026-03-30 03:13:29 +08:00
parent 5cc322f783
commit 58ea76f8b6
2 changed files with 9 additions and 2 deletions
--- a/.env.development
+++ b/.env.development
@@ -17,6 +17,7 @@ AUTHENTIK_AUDIENCE=gKtjk5ExsITK74I1WG9RkHbylBjoZO83xab7YHiN
 AUTHENTIK_CLIENT_ID=gKtjk5ExsITK74I1WG9RkHbylBjoZO83xab7YHiN
 AUTHENTIK_CLIENT_SECRET=MHTv0SHkIuic9Quk8Br9jB9gzT2bERvRfhHU4ogPlUtY3eBEXJj80RTEp3zpFBUXQ8PAwYrihWfNqKawWUOmKpQd8SwuyiAuVwLJTS7vB3LGvx1XtXqgMhR76EL2mLnP
 AUTHENTIK_TOKEN_ENDPOINT=https://auth.ose.tw/application/o/token/
+AUTHENTIK_USERINFO_ENDPOINT=https://auth.ose.tw/application/o/userinfo/

 PUBLIC_FRONTEND_ORIGINS=http://127.0.0.1:5173,http://localhost:5173
 INTERNAL_SHARED_SECRET=CHANGE_ME
--- a/app/security/authentik_jwt.py
+++ b/app/security/authentik_jwt.py
@@ -50,10 +50,16 @@ class AuthentikTokenVerifier:

    @staticmethod
    def _infer_userinfo_endpoint(issuer: str | None, base_url: str | None) -> str | None:
-        if issuer:
-            return issuer.rstrip("/") + "/userinfo/"
        if base_url:
            return base_url.rstrip("/") + "/application/o/userinfo/"
+        if issuer:
+            normalized = issuer.rstrip("/")
+            marker = "/application/o/"
+            marker_index = normalized.find(marker)
+            if marker_index != -1:
+                root = normalized[:marker_index]
+                return root + marker + "userinfo/"
+            return normalized + "/userinfo/"
        return None

    def _enrich_from_userinfo(self, principal: AuthentikPrincipal, token: str) -> AuthentikPrincipal: