goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Via API add sources/user_connections for a user #8761

Open qdrddr opened 9 months ago

qdrddr commented 9 months ago

Dear Authentik community,

Please help me with API v2024.2.1/v2024.2.2: I want to create sources/user_connections for a user. In Admin Interface > Directory > Federation and Social Logins, I have added an OAuth Source called "Password" (Auth0.com).

When I log in via UI and go to the User Settings > Connected Services, I can press the Connect button, successfully connect the service, and then log in via that Social login to Authentik.

I'm trying to do the same via API.

When I do curl with GET https://yyy.com/api/v3/sources/user_connections/all/ or with GET /api/v3/sources/user_connections/all/20/ I get the connected Service listed for the user.

curl -X GET "https://yyy.com/api/v3/sources/user_connections/oauth/20/" \
 -H "accept: application/json" \
 -H "authorization: Bearer token1"

RESPONSE IS:

{
  "pk": 20,
  "user": 4,
  "source": {
    "pk": "5ecb550b-5a50-5fd5-b55b-555cb5555555",
    "name": "Password",
    "slug": "password",
    "enabled": true,
    "authentication_flow": "44f444a4-444a-4c44-4444-c4ba44c44fd4",
    "enrollment_flow": "6d6cb66b-a6bc-6a66-b66f-f6666c66aabc",
    "component": "",
    "verbose_name": "source",
    "verbose_name_plural": "sources",
    "meta_model_name": "authentik_core.source",
    "policy_engine_mode": "any",
    "user_matching_mode": "identifier",
    "managed": null,
    "user_path_template": "goauthentik.io/sources/%(slug)s",
    "icon": "https://www.auth0.com/file/auth0-logo-icon.png"
  },
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}

Now, I disconnect the service in the UI User Settings > Connected Services.

And want to repeat the same steps with API instead:

curl -X POST "https://yyy.com/api/v3/sources/user_connections/" \
     -H "accept: application/json" \
     -H "authorization: Bearer token1" \
     -H "content-type: application/json" \
     -d '{
  "user": 4,
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}' -v 

First problem:

The curl returns "HTTP/2 405".

Second problem:

The connection from above that I'm trying to create is also supposed to be linked with the service "source": { "pk": "5ecb550b-5a50-5fd5-b55b-555cb5555555"} in this case, but I do not see any documentation that points out how to link the two.

How, programmatically, via API, can I add to a user a Connected Service?

Thank you!

Relevant info: v2024.2.1 & v2024.2.2


rissson commented 9 months ago

Have you checked out the API browser? You'll find the relevant endpoints here: https://docs.goauthentik.io/developer-docs/api/browser#tag/sources/operation/sources_user_connections_oauth_update

You can also test them out on your instance directly if you go to authentik.domain/api/v3/

qdrddr commented 9 months ago

@rissson yes, I did check the API Browser, sources/user_connections/oauth. I made a typo in my comment when I removed sensitive information. I actually was using that endpoint you mentioned /sources/user_connections/oauth/ and it doesn't work, returns 405. Tested again just in case:

curl -X POST "https://yyy.com/api/v3/sources/user_connections/oauth" \
     -H "accept: application/json" \
     -H "authorization: Bearer token1" \
     -H "content-type: application/json" \
     -d '{
  "user": 4,
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}' -v 

First problem:

Second problem:

{
  "user": 0,
  "identifier": "A",
  "access_token": "string"
}

Is it a bug, or am I missing something? How can I add a Connected Service to a user?

qdrddr commented 9 months ago

Is it normal that the schema doesn't have a source attribute in the payload? Isn't it a bug? Though I tested, just in case it's a typo or incomplete documentation, as a random guess:

curl -X POST "https://yyy.com/api/v3/sources/user_connections/oauth" \
     -H "accept: application/json" \
     -H "authorization: Bearer token1" \
     -H "content-type: application/json" \
     -d '{
  "user": 4,
  "source": "5ecb550b-5a50-5fd5-b55b-555cb5555555",
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}' -v
curl -X POST "https://yyy.com/api/v3/sources/user_connections/oauth" \
     -H "accept: application/json" \
     -H "authorization: Bearer token1" \
     -H "content-type: application/json" \
     -d '{
  "user": 4,
  "source": {
    "pk": "5ecb550b-5a50-5fd5-b55b-555cb5555555"
  },
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}' -v

And this also

curl -X POST "https://yyy.com/api/v3/sources/user_connections/oauth/5ecb550b-5a50-5fd5-b55b-555cb5555555" \
     -H "accept: application/json" \
     -H "authorization: Bearer token1" \
     -H "content-type: application/json" \
     -d '{
  "user": 4,
  "identifier": "auth0|xxxxxxxxxxxxxxx"
}' -v
rissson commented 9 months ago

No, you're right, we actually forbid this in the API (https://github.com/goauthentik/authentik/blob/main/authentik/core/api/sources.py#L197). As for the reason why, let's ask @BeryJu
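For anyone auditing social-login links while this is open, here is a small script (added example, not authentik's own code and not from the thread) that reads a user's existing OAuth connections through the GET endpoint the thread shows working, and classifies the 405 from the POST as "read-only" instead of a generic failure. It assumes authentik's paginated list shape ({"results": [...]}) for the list endpoint; the base URL, token, user pk and identifier are placeholders taken from the thread.

```python
import json
import urllib.error
import urllib.request

CONN_URL = "/api/v3/sources/user_connections/oauth/"  # endpoint from the thread


def http_fetch(token):
    """Transport: returns (status, parsed JSON) for one request.
    HTTP errors are returned as a status code instead of raising."""
    def fetch(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "accept": "application/json", "content-type": "application/json",
            "authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}
    return fetch


def user_links(fetch, base_url, user_pk):
    """Map source slug -> external identifier for one user's OAuth links.
    Assumption: the list response is paginated as {"results": [...]};
    a bare list is accepted too. Filtering by user is done client-side."""
    status, body = fetch("GET", base_url + CONN_URL)
    if status != 200:
        raise RuntimeError(f"listing connections failed with HTTP {status}")
    rows = body["results"] if isinstance(body, dict) else body
    return {r["source"]["slug"]: r["identifier"] for r in rows if r["user"] == user_pk}


def try_link(fetch, base_url, user_pk, identifier):
    """Attempt the POST from the thread and classify the outcome."""
    status, _ = fetch("POST", base_url + CONN_URL,
                      {"user": user_pk, "identifier": identifier})
    if status == 405:
        return "read-only"  # the API forbids creating connections this way
    return "created" if status in (200, 201) else f"failed:{status}"


if __name__ == "__main__":
    f = http_fetch("token1")  # placeholder token, as in the thread
    print(user_links(f, "https://yyy.com", 4))
    print(try_link(f, "https://yyy.com", 4, "auth0|xxxxxxxxxxxxxxx"))
```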

qdrddr commented 8 months ago

Okay, so there are two problems looking at this function:

1) The schema, in fact, is:

2) The class is read-only, and it should be writable.

What I'm trying to achieve: Add a user to Authentik, create a user in auth0.com, and link the Source with the User_Connection for the user via API so the user can log in to Authentik using SSO without linking the accounts manually.

qdrddr commented 8 months ago

@BeryJu & @rissson can we safely declare this is a bug and that it should be fixed? Tested this with v2024.2.2; the issue persists.

qdrddr commented 6 months ago

Any updates on this?

qdrddr commented 6 months ago

Can someone please comment on this?