Open cadeParade opened 1 month ago
The intended use for the generated API client would be using this
```python
from authentik_client.models.application import Application
from authentik_client.models.o_auth2_provider import OAuth2Provider
Application()
```
instead of just passing a dictionary to the API calls
Thanks for your reply. I have been continuing to run into this problem after using `authentik_client` provided models. I think I have narrowed down the problem.
When I create an OAuth Provider via the API, it throws validation errors for `assigned_application_slug`, `assigned_application_name`, `assigned_backchannel_application_slug`, `assigned_backchannel_application_name`.
I am using this package, as linked from the authentik documentation. FYI, the links to the documentation on the pypi page go to 404s (ex: https://pypi.org/project/authentik-client/docs/ProvidersApi.md#providers_oauth2_create). (I cannot find a python version of `authentik_client` open source on github, although maybe it is all generated by this schema.yml?)
To create a new provider, we call: `provider_api_instance.providers_oauth2_create([Instance of OAuth2ProviderRequest])`.
`providers_oauth2_create` expects an argument of type `OAuth2ProviderRequest` (maybe defined here).
An `OAuth2ProviderRequest` has these properties, which do not include `assigned_application_slug`, `assigned_application_name`, `assigned_backchannel_application_slug`, `assigned_backchannel_application_name`.
So to me, it seems impossible to send the properties an `OAuth2Provider` model is expecting since even if you put the `assigned_application_slug` etc in the data object to construct `OAuth2ProviderRequest`, properties that aren't in the `OAuth2ProviderRequest` schema are ignored.
Please let me know if I am misunderstanding something and how I can successfully create an OAuth provider with `authentik-client`.
Here is the actual code I am using if it is helpful:
The `assigned_*` properties are read_only and are mainly used by the frontend when the provider is connected with an application. In the backend this is defined correctly (and in theory so is it in the schema), however some client generators don't interpret this correctly
The python client is indeed generated from that schema (https://github.com/goauthentik/authentik/blob/main/.github/workflows/api-py-publish.yml) hence there currently isn't a source for it available.
Which line exactly is throwing the exception you posted above?
Thanks for your reply.
The lines are hard to share since I can't link to the generated python code, but here's some more details.
So what is happening as far as I understand is:
As you can see, there are no `assigned_backchannel_application_name`, `assigned_backchannel_application_slug`, `assigned_application_name`, or `assigned_application_slug` in this response. We get this response back, and then `providers_oauth2_create` calls `api_client.response_deserialize` which then calls `api_client.__deserialize`, which eventually calls `api_client.__deserialize_model`.
```python
return self.api_client.response_deserialize(
    response_data=response_data,
    response_types_map=_response_types_map,
).data
```
So it seems like `assigned_application_slug`, `assigned_application_name`, `assigned_backchannel_application_name`, and `assigned_backchannel_application_slug` from a create call and therefore failing the de-serialization step. The generated API docs show `assigned_application_name`, `assigned_application_slug`, etc as "required" in the response, so I think the problem may actually be with the `schema.yml` file (or whatever generates it) rather than the openapi generator.
(edit: these were for the provider creation endpoint rather than the application creation endpoint)
For reference, adding `nullable` to these fields in `schema.yml` and regenerating the python client bindings was enough to get past this (not sure whether that is correct, I didn't look at the returned json to determine whether these were actually null values or just not present):
diff --git a/schema.yml b/schema.yml
index baa970150..8b301609b 100644
--- a/schema.yml
+++ b/schema.yml
@@ -45767,18 +45767,22 @@ components:
assigned_application_slug:
type: string
description: Internal application name, used in URLs.
+ nullable: true
readOnly: true
assigned_application_name:
type: string
description: Application's display Name.
+ nullable: true
readOnly: true
assigned_backchannel_application_slug:
type: string
description: Internal application name, used in URLs.
+ nullable: true
readOnly: true
assigned_backchannel_application_name:
type: string
description: Application's display Name.
+ nullable: true
readOnly: true
verbose_name:
type: string
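Review bot: `nullable: true` on the four `assigned_*` properties only permits an explicit `null` value; it does not make the keys optional. If the create response leaves these keys out instead of sending `null`, a client that validates responses against this component can still reject the body, and nothing in this hunk changes which properties are required. Worth confirming from the returned JSON which of the two cases applies, and if the keys are absent, removing the four names from this component's required list would match the response better than marking them nullable. Since each property keeps `readOnly: true` and its description, a short note in the description that the value is empty until an application is assigned would also help readers of the generated docs.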
I am also seeing similar issues trying to create a provider via the API.
It looks like DRF doesn't honor `required=False` for `ReadOnlyField`s. Even though these fields have `required=False` in their ModelSerializer class, they are still showing up under the `required:` field list for the response object in `schema.yml`. There was a similar problem with `allow_null` which appears to have been resolved by https://github.com/encode/django-rest-framework/pull/8536 . It doesn't seem like adding `"required": False` for the field in extra_kwargs in the serializer Meta makes any difference on these. I think changes may be needed in DRF for `required` so that drf_spectacular gets the metadata it needs.
A possible workaround would be to set `allow_null=True` for these fields. That solves the python openapi binding issue, at least (not sure whether other libraries/bindings validate the responses the same way... it still seems like having the field not be required in the spec would be ideal).
See also: https://github.com/tfranzel/drf-spectacular/issues/383
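The distinction the comments above leave open, a field returned as null versus a field not present at all, shown as an added example that is not part of the thread or of authentik's code. The schema excerpt, the responses, and the helper names (`response_errors`, `with_nullable`, `without_required`) are constructed for illustration; the check is a hypothetical strict reading of OpenAPI 3.0 `required` and `nullable`, not the generated client's own logic.

```python
import copy

ASSIGNED = ["assigned_application_slug", "assigned_application_name"]

# Constructed excerpt shaped like an OpenAPI 3.0 response schema (not the real schema.yml).
BEFORE = {
    "properties": {
        "pk": {"type": "integer", "readOnly": True},
        "name": {"type": "string"},
        "assigned_application_slug": {"type": "string", "readOnly": True},
        "assigned_application_name": {"type": "string", "readOnly": True},
    },
    "required": ["pk", "name"] + ASSIGNED,
}

def with_nullable(schema, fields):
    """Copy of the schema with nullable: true on the given fields (the diff's approach)."""
    patched = copy.deepcopy(schema)
    for field in fields:
        patched["properties"][field]["nullable"] = True
    return patched

def without_required(schema, fields):
    """Copy of the schema with the given fields dropped from the required list."""
    patched = copy.deepcopy(schema)
    patched["required"] = [f for f in patched["required"] if f not in fields]
    return patched

def response_errors(schema, payload):
    """Hypothetical strict check: required keys must be present; null needs nullable."""
    errors = []
    for field, rules in schema["properties"].items():
        if field not in payload:
            if field in schema["required"]:
                errors.append((field, "missing"))
        elif payload[field] is None and not rules.get("nullable", False):
            errors.append((field, "null not allowed"))
    return errors

# Constructed create responses for a provider with no application attached.
ABSENT = {"pk": 1, "name": "demo"}                            # keys left out
NULLS = {"pk": 1, "name": "demo", **dict.fromkeys(ASSIGNED)}  # keys sent as null

if __name__ == "__main__":
    variants = {"before": BEFORE, "nullable": with_nullable(BEFORE, ASSIGNED),
                "not required": without_required(BEFORE, ASSIGNED)}
    for label, schema in variants.items():
        print(label, "| absent:", response_errors(schema, ABSENT),
              "| null:", response_errors(schema, NULLS))
```

Under this reading, marking the fields nullable clears the errors only when the server sends explicit nulls, while dropping them from the required list clears them only when the keys are left out.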
Describe the bug
I am trying to set up a clean authentik install with a script in my FastAPI app, including an application and an oauth2/OIDC provider. I am using authentik-client. So I need to create both an application and a provider object, but creating either one causes validation errors. It seems like the create call does work, ultimately, but the terminal output shows errors and I'm not sure it should. Additionally, the properties it complains about are not listed as required (or even mentioned at all?) on the core API doc pages (application and provider)
To Reproduce
I run this:
I get
```
pydantic_core._pydantic_core.ValidationError: 1 validation error for Application
provider_obj
  Input should be a valid dictionary or instance of Provider [type=model_type, input_value=None, input_type=NoneType]
    For further information visit https://errors.pydantic.dev/2.7/v/model_type
```
Stack trace
```
Traceback (most recent call last):
  File "/Users/lc/projects/foo/api/bin/first_time_setup", line 38, in
```
Ok fine so maybe I need a provider first. So I run (after deleting the application):
And again I get validation errors:
First of all -- all the validation error properties have a string provided, so I'm pretty confused about this error. Second, none of these properties are mentioned in the request_body section of the `providers_oauth2_create` documentation.
It seems like there are two issues:
Expected behavior
Ability to create an application or a provider.
Version and Deployment (please complete the following information):
Thanks for any advice or help!