authentik.enterprise.providers.scim.api

View Source

 1from datetime import datetime
 2
 3from django.urls import reverse
 4from django.utils.translation import gettext as _
 5from rest_framework.exceptions import ValidationError
 6
 7from authentik.enterprise.license import LicenseKey
 8from authentik.providers.scim.models import SCIMAuthenticationMode, SCIMProvider
 9from authentik.sources.oauth.models import UserOAuthSourceConnection
10
11
12class SCIMProviderSerializerMixin:
13
14    def _get_token(self, instance: SCIMProvider) -> UserOAuthSourceConnection | None:
15        user = instance.auth_oauth_user
16        conn = UserOAuthSourceConnection.objects.filter(
17            user=user, source=instance.auth_oauth
18        ).first()
19        return conn
20
21    def get_auth_oauth_token_last_updated(self, instance: SCIMProvider) -> datetime | None:
22        conn = self._get_token(instance)
23        return conn.last_updated if conn else None
24
25    def get_auth_oauth_token_expires(self, instance: SCIMProvider) -> datetime | None:
26        conn = self._get_token(instance)
27        return conn.expires if conn else None
28
29    def get_auth_oauth_url_callback(self, instance: SCIMProvider) -> str | None:
30        if (
31            instance.auth_mode
32            in [
33                SCIMAuthenticationMode.TOKEN,
34                SCIMAuthenticationMode.OAUTH_SILENT,
35            ]
36            or not instance.backchannel_application
37        ):
38            return None
39        relative_url = reverse(
40            "authentik_enterprise_providers_scim:callback",
41            kwargs={"application_slug": instance.backchannel_application.slug},
42        )
43        if "request" not in self.context:
44            return relative_url
45        return self.context["request"].build_absolute_uri(relative_url)
46
47    def get_auth_oauth_url_start(self, instance: SCIMProvider) -> str | None:
48        if (
49            instance.auth_mode
50            in [
51                SCIMAuthenticationMode.TOKEN,
52                SCIMAuthenticationMode.OAUTH_SILENT,
53            ]
54            or not instance.backchannel_application
55        ):
56            return None
57        relative_url = reverse(
58            "authentik_enterprise_providers_scim:start",
59            kwargs={"application_slug": instance.backchannel_application.slug},
60        )
61        if "request" not in self.context:
62            return relative_url
63        return self.context["request"].build_absolute_uri(relative_url)
64
65    def validate_auth_mode(self, auth_mode: SCIMAuthenticationMode) -> SCIMAuthenticationMode:
66        if auth_mode in [
67            SCIMAuthenticationMode.OAUTH_SILENT,
68            SCIMAuthenticationMode.OAUTH_INTERACTIVE,
69        ]:
70            if not LicenseKey.cached_summary().status.is_valid:
71                raise ValidationError(_("Enterprise is required to use the OAuth mode."))
72        return auth_mode

class SCIMProviderSerializerMixin: View Source

13class SCIMProviderSerializerMixin:
14
15    def _get_token(self, instance: SCIMProvider) -> UserOAuthSourceConnection | None:
16        user = instance.auth_oauth_user
17        conn = UserOAuthSourceConnection.objects.filter(
18            user=user, source=instance.auth_oauth
19        ).first()
20        return conn
21
22    def get_auth_oauth_token_last_updated(self, instance: SCIMProvider) -> datetime | None:
23        conn = self._get_token(instance)
24        return conn.last_updated if conn else None
25
26    def get_auth_oauth_token_expires(self, instance: SCIMProvider) -> datetime | None:
27        conn = self._get_token(instance)
28        return conn.expires if conn else None
29
30    def get_auth_oauth_url_callback(self, instance: SCIMProvider) -> str | None:
31        if (
32            instance.auth_mode
33            in [
34                SCIMAuthenticationMode.TOKEN,
35                SCIMAuthenticationMode.OAUTH_SILENT,
36            ]
37            or not instance.backchannel_application
38        ):
39            return None
40        relative_url = reverse(
41            "authentik_enterprise_providers_scim:callback",
42            kwargs={"application_slug": instance.backchannel_application.slug},
43        )
44        if "request" not in self.context:
45            return relative_url
46        return self.context["request"].build_absolute_uri(relative_url)
47
48    def get_auth_oauth_url_start(self, instance: SCIMProvider) -> str | None:
49        if (
50            instance.auth_mode
51            in [
52                SCIMAuthenticationMode.TOKEN,
53                SCIMAuthenticationMode.OAUTH_SILENT,
54            ]
55            or not instance.backchannel_application
56        ):
57            return None
58        relative_url = reverse(
59            "authentik_enterprise_providers_scim:start",
60            kwargs={"application_slug": instance.backchannel_application.slug},
61        )
62        if "request" not in self.context:
63            return relative_url
64        return self.context["request"].build_absolute_uri(relative_url)
65
66    def validate_auth_mode(self, auth_mode: SCIMAuthenticationMode) -> SCIMAuthenticationMode:
67        if auth_mode in [
68            SCIMAuthenticationMode.OAUTH_SILENT,
69            SCIMAuthenticationMode.OAUTH_INTERACTIVE,
70        ]:
71            if not LicenseKey.cached_summary().status.is_valid:
72                raise ValidationError(_("Enterprise is required to use the OAuth mode."))
73        return auth_mode

def get_auth_oauth_token_last_updated( self, instance: authentik.providers.scim.models.SCIMProvider) -> datetime.datetime | None: View Source

22    def get_auth_oauth_token_last_updated(self, instance: SCIMProvider) -> datetime | None:
23        conn = self._get_token(instance)
24        return conn.last_updated if conn else None

def get_auth_oauth_token_expires( self, instance: authentik.providers.scim.models.SCIMProvider) -> datetime.datetime | None: View Source

26    def get_auth_oauth_token_expires(self, instance: SCIMProvider) -> datetime | None:
27        conn = self._get_token(instance)
28        return conn.expires if conn else None

def get_auth_oauth_url_callback( self, instance: authentik.providers.scim.models.SCIMProvider) -> str | None: View Source

30    def get_auth_oauth_url_callback(self, instance: SCIMProvider) -> str | None:
31        if (
32            instance.auth_mode
33            in [
34                SCIMAuthenticationMode.TOKEN,
35                SCIMAuthenticationMode.OAUTH_SILENT,
36            ]
37            or not instance.backchannel_application
38        ):
39            return None
40        relative_url = reverse(
41            "authentik_enterprise_providers_scim:callback",
42            kwargs={"application_slug": instance.backchannel_application.slug},
43        )
44        if "request" not in self.context:
45            return relative_url
46        return self.context["request"].build_absolute_uri(relative_url)

def get_auth_oauth_url_start( self, instance: authentik.providers.scim.models.SCIMProvider) -> str | None: View Source

48    def get_auth_oauth_url_start(self, instance: SCIMProvider) -> str | None:
49        if (
50            instance.auth_mode
51            in [
52                SCIMAuthenticationMode.TOKEN,
53                SCIMAuthenticationMode.OAUTH_SILENT,
54            ]
55            or not instance.backchannel_application
56        ):
57            return None
58        relative_url = reverse(
59            "authentik_enterprise_providers_scim:start",
60            kwargs={"application_slug": instance.backchannel_application.slug},
61        )
62        if "request" not in self.context:
63            return relative_url
64        return self.context["request"].build_absolute_uri(relative_url)

def validate_auth_mode( self, auth_mode: authentik.providers.scim.models.SCIMAuthenticationMode) -> authentik.providers.scim.models.SCIMAuthenticationMode: View Source

66    def validate_auth_mode(self, auth_mode: SCIMAuthenticationMode) -> SCIMAuthenticationMode:
67        if auth_mode in [
68            SCIMAuthenticationMode.OAUTH_SILENT,
69            SCIMAuthenticationMode.OAUTH_INTERACTIVE,
70        ]:
71            if not LicenseKey.cached_summary().status.is_valid:
72                raise ValidationError(_("Enterprise is required to use the OAuth mode."))
73        return auth_mode