From 58ea76f8b643a8541b274c9c4a92be9e4829a20d Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 30 Mar 2026 03:13:29 +0800
Subject: [PATCH] fix(auth): correct userinfo endpoint fallback for authentik profile enrichment
---
 .env.development | 1 +
 app/security/authentik_jwt.py | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/.env.development b/.env.development
index 2a3b9a3..cbd3a99 100644
--- a/.env.development
+++ b/.env.development
@@ -17,6 +17,7 @@ AUTHENTIK_AUDIENCE=gKtjk5ExsITK74I1WG9RkHbylBjoZO83xab7YHiN
 AUTHENTIK_CLIENT_ID=gKtjk5ExsITK74I1WG9RkHbylBjoZO83xab7YHiN
 AUTHENTIK_CLIENT_SECRET=MHTv0SHkIuic9Quk8Br9jB9gzT2bERvRfhHU4ogPlUtY3eBEXJj80RTEp3zpFBUXQ8PAwYrihWfNqKawWUOmKpQd8SwuyiAuVwLJTS7vB3LGvx1XtXqgMhR76EL2mLnP
 AUTHENTIK_TOKEN_ENDPOINT=https://auth.ose.tw/application/o/token/
+AUTHENTIK_USERINFO_ENDPOINT=https://auth.ose.tw/application/o/userinfo/
 PUBLIC_FRONTEND_ORIGINS=http://127.0.0.1:5173,http://localhost:5173
 INTERNAL_SHARED_SECRET=CHANGE_ME
diff --git a/app/security/authentik_jwt.py b/app/security/authentik_jwt.py
index 737cbf5..af96375 100644
--- a/app/security/authentik_jwt.py
+++ b/app/security/authentik_jwt.py
@@ -50,10 +50,16 @@ class AuthentikTokenVerifier:
 @staticmethod
 def _infer_userinfo_endpoint(issuer: str | None, base_url: str | None) -> str | None:
- if issuer:
- return issuer.rstrip("/") + "/userinfo/"
 if base_url:
 return base_url.rstrip("/") + "/application/o/userinfo/"
+ if issuer:
+ normalized = issuer.rstrip("/")
+ marker = "/application/o/"
+ marker_index = normalized.find(marker)
+ if marker_index != -1:
+ root = normalized[:marker_index]
+ return root + marker + "userinfo/"
+ return normalized + "/userinfo/"
 return None
 def _enrich_from_userinfo(self, principal: AuthentikPrincipal, token: str) -> AuthentikPrincipal:
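Review bot: The tracked `.env.development` that this hunk extends carries what looks like a real `AUTHENTIK_CLIENT_SECRET` (the context line above the new `AUTHENTIK_USERINFO_ENDPOINT`), next to endpoints on a non-local host, whereas `INTERNAL_SHARED_SECRET` uses the `CHANGE_ME` placeholder. If that value is live, it should be rotated in Authentik and replaced here with a placeholder such as `AUTHENTIK_CLIENT_SECRET=CHANGE_ME`, with the real value supplied from an untracked file or a secret store. The added endpoint line itself is fine; a short comment such as `# optional: overrides the userinfo URL inferred from the issuer/base URL` would document how it relates to the inference in `authentik_jwt.py`, assuming the setting is read elsewhere (not visible in this patch).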
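Review bot: The last fallback in `_infer_userinfo_endpoint`, `return normalized + "/userinfo/"`, still builds the guessed per-issuer URL that this commit treats as wrong for Authentik, and the bearer token passed to `_enrich_from_userinfo` would presumably be sent to whatever this function returns. For an issuer that does not contain `/application/o/` it would be safer to `return None` and skip enrichment than to send the token to a guessed path. Neither branch checks that the result is an `https://` URL, so a misconfigured `base_url` or issuer would go unnoticed; a guard like `if not endpoint.startswith("https://"): return None` before returning would close that. A one-line docstring stating that Authentik issuers are per-application (`…/application/o/<slug>/`) while the userinfo endpoint is shared at `…/application/o/userinfo/`, and that `base_url` now takes precedence over `issuer`, would explain the marker logic. The class body starts and continues outside the hunk.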