feat: configure authentik member oidc and local dev token compatibility

2026-03-30 00:34:59 +08:00
parent 06d78fbec2
commit cb8e72ccc7
7 changed files with 71 additions and 31 deletions
--- a/app/security/authentik_jwt.py
+++ b/app/security/authentik_jwt.py
@@ -13,10 +13,17 @@ bearer_scheme = HTTPBearer(auto_error=False)


 class AuthentikTokenVerifier:
-    def __init__(self, issuer: str | None, jwks_url: str | None, audience: str | None) -> None:
+    def __init__(
+        self,
+        issuer: str | None,
+        jwks_url: str | None,
+        audience: str | None,
+        client_secret: str | None,
+    ) -> None:
        self.issuer = issuer.strip() if issuer else None
        self.jwks_url = jwks_url.strip() if jwks_url else self._infer_jwks_url(self.issuer)
        self.audience = audience.strip() if audience else None
+        self.client_secret = client_secret.strip() if client_secret else None

        if not self.jwks_url:
            raise ValueError("AUTHENTIK_JWKS_URL or AUTHENTIK_ISSUER is required")
@@ -34,17 +41,32 @@ class AuthentikTokenVerifier:

    def verify_access_token(self, token: str) -> AuthentikPrincipal:
        try:
-            signing_key = self._jwk_client.get_signing_key_from_jwt(token)
+            header = jwt.get_unverified_header(token)
+            algorithm = str(header.get("alg", "")).upper()
            options = {
                "verify_signature": True,
                "verify_exp": True,
                "verify_aud": bool(self.audience),
                "verify_iss": bool(self.issuer),
            }
+
+            if algorithm.startswith("HS"):
+                if not self.client_secret:
+                    raise HTTPException(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail="missing_authentik_client_secret",
+                    )
+                key = self.client_secret
+                allowed_algorithms = ["HS256", "HS384", "HS512"]
+            else:
+                signing_key = self._jwk_client.get_signing_key_from_jwt(token)
+                key = signing_key.key
+                allowed_algorithms = ["RS256", "RS384", "RS512"]
+
            claims = jwt.decode(
                token,
-                signing_key.key,
-                algorithms=["RS256", "RS384", "RS512"],
+                key,
+                algorithms=allowed_algorithms,
                audience=self.audience,
                issuer=self.issuer,
                options=options,
@@ -71,6 +93,7 @@ def _get_verifier() -> AuthentikTokenVerifier:
        issuer=settings.authentik_issuer,
        jwks_url=settings.authentik_jwks_url,
        audience=settings.authentik_audience,
+        client_secret=settings.authentik_client_secret,
    )