refactor(keycloak): remove authentik naming and switch to keycloak-only paths
This commit is contained in:
Chris
@@ -5,60 +5,18 @@ import httpx
|
||||
from fastapi import APIRouter, HTTPException, status
|
||||
|
||||
from app.core.config import get_settings
|
||||
from app.schemas.login import (
|
||||
LoginRequest,
|
||||
LoginResponse,
|
||||
OIDCAuthUrlResponse,
|
||||
OIDCCodeExchangeRequest,
|
||||
)
|
||||
from app.schemas.login import LoginRequest, LoginResponse, OIDCAuthUrlResponse, OIDCCodeExchangeRequest
|
||||
|
||||
router = APIRouter(prefix="/auth", tags=["auth"])
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def _resolve_username_by_email(settings, email: str) -> str | None:
|
||||
# Authentik-only helper. Keycloak does not need this path.
|
||||
if settings.use_keycloak:
|
||||
return None
|
||||
if not settings.authentik_base_url or not settings.authentik_admin_token:
|
||||
return None
|
||||
|
||||
url = urljoin(settings.authentik_base_url.rstrip("/") + "/", "api/v3/core/users/")
|
||||
try:
|
||||
resp = httpx.get(
|
||||
url,
|
||||
params={"email": email},
|
||||
timeout=10,
|
||||
verify=settings.authentik_verify_tls,
|
||||
headers={
|
||||
"Authorization": f"Bearer {settings.authentik_admin_token}",
|
||||
"Accept": "application/json",
|
||||
},
|
||||
)
|
||||
except Exception:
|
||||
return None
|
||||
|
||||
if resp.status_code >= 400:
|
||||
return None
|
||||
|
||||
data = resp.json()
|
||||
results = data.get("results") if isinstance(data, dict) else None
|
||||
if not isinstance(results, list) or not results:
|
||||
return None
|
||||
|
||||
username = results[0].get("username")
|
||||
return username if isinstance(username, str) and username else None
|
||||
|
||||
|
||||
@router.post("/login", response_model=LoginResponse)
|
||||
def login(payload: LoginRequest) -> LoginResponse:
|
||||
settings = get_settings()
|
||||
client_id = settings.idp_client_id or settings.idp_audience
|
||||
|
||||
if not settings.idp_base_url or not client_id or not settings.idp_client_secret:
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured")
|
||||
|
||||
token_endpoint = settings.idp_token_endpoint
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="idp_login_not_configured")
|
||||
|
||||
form = {
|
||||
"grant_type": "password",
|
||||
@@ -68,31 +26,16 @@ def login(payload: LoginRequest) -> LoginResponse:
|
||||
"password": payload.password,
|
||||
"scope": "openid profile email",
|
||||
}
|
||||
|
||||
def _token_request(form_data: dict[str, str]) -> httpx.Response:
|
||||
try:
|
||||
resp = httpx.post(
|
||||
token_endpoint,
|
||||
data=form_data,
|
||||
settings.idp_token_endpoint,
|
||||
data=form,
|
||||
timeout=10,
|
||||
verify=settings.idp_verify_tls,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
||||
)
|
||||
return resp
|
||||
|
||||
try:
|
||||
resp = _token_request(form)
|
||||
except Exception as exc:
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc
|
||||
|
||||
# If user entered email, try resolving username and retry once.
|
||||
if resp.status_code >= 400 and "@" in payload.username:
|
||||
resolved = _resolve_username_by_email(settings, payload.username)
|
||||
if resolved and resolved != payload.username:
|
||||
form["username"] = resolved
|
||||
try:
|
||||
resp = _token_request(form)
|
||||
except Exception as exc:
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_unreachable") from exc
|
||||
|
||||
if resp.status_code >= 400:
|
||||
logger.warning("idp password grant failed: status=%s body=%s", resp.status_code, resp.text)
|
||||
@@ -101,8 +44,7 @@ def login(payload: LoginRequest) -> LoginResponse:
|
||||
data = resp.json()
|
||||
token = data.get("access_token")
|
||||
if not token:
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_access_token")
|
||||
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_missing_access_token")
|
||||
return LoginResponse(
|
||||
access_token=token,
|
||||
token_type=data.get("token_type", "Bearer"),
|
||||
@@ -123,28 +65,26 @@ def get_oidc_authorize_url(
|
||||
settings = get_settings()
|
||||
client_id = settings.idp_client_id or settings.idp_audience
|
||||
if not settings.idp_base_url or not client_id:
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured")
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="idp_login_not_configured")
|
||||
|
||||
authorize_endpoint = settings.idp_authorize_endpoint
|
||||
state = secrets.token_urlsafe(24)
|
||||
query = {
|
||||
"client_id": client_id,
|
||||
"response_type": "code",
|
||||
"scope": "openid profile email",
|
||||
"redirect_uri": redirect_uri,
|
||||
"state": state,
|
||||
"state": secrets.token_urlsafe(24),
|
||||
"prompt": prompt or "login",
|
||||
}
|
||||
if login_hint:
|
||||
query["login_hint"] = login_hint
|
||||
if idp_hint and settings.use_keycloak:
|
||||
if idp_hint:
|
||||
query["kc_idp_hint"] = idp_hint
|
||||
if code_challenge:
|
||||
query["code_challenge"] = code_challenge
|
||||
query["code_challenge_method"] = code_challenge_method or "S256"
|
||||
|
||||
params = httpx.QueryParams(query)
|
||||
return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}")
|
||||
return OIDCAuthUrlResponse(authorize_url=f"{settings.idp_authorize_endpoint}?{params}")
|
||||
|
||||
|
||||
@router.post("/oidc/exchange", response_model=LoginResponse)
|
||||
@@ -152,9 +92,8 @@ def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse:
|
||||
settings = get_settings()
|
||||
client_id = settings.idp_client_id or settings.idp_audience
|
||||
if not settings.idp_base_url or not client_id or not settings.idp_client_secret:
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured")
|
||||
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="idp_login_not_configured")
|
||||
|
||||
token_endpoint = settings.idp_token_endpoint
|
||||
form = {
|
||||
"grant_type": "authorization_code",
|
||||
"client_id": client_id,
|
||||
@@ -167,24 +106,23 @@ def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse:
|
||||
|
||||
try:
|
||||
resp = httpx.post(
|
||||
token_endpoint,
|
||||
settings.idp_token_endpoint,
|
||||
data=form,
|
||||
timeout=10,
|
||||
verify=settings.idp_verify_tls,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
||||
)
|
||||
except Exception as exc:
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_unreachable") from exc
|
||||
|
||||
if resp.status_code >= 400:
|
||||
logger.warning("idp auth-code exchange failed: status=%s body=%s", resp.status_code, resp.text)
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="authentik_code_exchange_failed")
|
||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="idp_code_exchange_failed")
|
||||
|
||||
data = resp.json()
|
||||
token = data.get("access_token")
|
||||
if not token:
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_access_token")
|
||||
|
||||
raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_missing_access_token")
|
||||
return LoginResponse(
|
||||
access_token=token,
|
||||
token_type=data.get("token_type", "Bearer"),
|
||||
|
||||
Reference in New Issue
Block a user