enterprise/providers: SSF (#12327)

* init

Signed-off-by: Jens Langhammer <[email protected]>

* fix some other stuff

Signed-off-by: Jens Langhammer <[email protected]>

* more progress

Signed-off-by: Jens Langhammer <[email protected]>

* fix missing format

Signed-off-by: Jens Langhammer <[email protected]>

* make it work, send verification event

Signed-off-by: Jens Langhammer <[email protected]>

* progress

Signed-off-by: Jens Langhammer <[email protected]>

* more progress

Signed-off-by: Jens Langhammer <[email protected]>

* fix

Signed-off-by: Jens Langhammer <[email protected]>

* save iss

Signed-off-by: Jens Langhammer <[email protected]>

* add signals for MFA devices

Signed-off-by: Jens Langhammer <[email protected]>

* fix tests

Signed-off-by: Jens Langhammer <[email protected]>

* refactor more

Signed-off-by: Jens Langhammer <[email protected]>

* re-work auth

Signed-off-by: Jens Langhammer <[email protected]>

* add API to list ssf streams

Signed-off-by: Jens Langhammer <[email protected]>

* start rbac

Signed-off-by: Jens Langhammer <[email protected]>

* add ssf icon

Signed-off-by: Jens Langhammer <[email protected]>

* fix web

Signed-off-by: Jens Langhammer <[email protected]>

* fix bugs

Signed-off-by: Jens Langhammer <[email protected]>

* make events expire, rewrite sending logic

Signed-off-by: Jens Langhammer <[email protected]>

* add oidc token test

Signed-off-by: Jens Langhammer <[email protected]>

* add stream list

Signed-off-by: Jens Langhammer <[email protected]>

* add jwks tests and fixes

Signed-off-by: Jens Langhammer <[email protected]>

* update web ui

Signed-off-by: Jens Langhammer <[email protected]>

* fix

Signed-off-by: Jens Langhammer <[email protected]>

* fix configuration endpoint

Signed-off-by: Jens Langhammer <[email protected]>

* replace port number correctly

Signed-off-by: Jens Langhammer <[email protected]>

* better log what went wrong

Signed-off-by: Jens Langhammer <[email protected]>

* linter has opinions

Signed-off-by: Jens Langhammer <[email protected]>

* fix messages

Signed-off-by: Jens Langhammer <[email protected]>

* fix set status

Signed-off-by: Jens Langhammer <[email protected]>

* more debug logging

Signed-off-by: Jens Langhammer <[email protected]>

* fix issuer here too

Signed-off-by: Jens Langhammer <[email protected]>

* remove port :443...removal

apparently apple's HTTP logic is wrong and includes the port in the Host header even if the default port is used (80 or 443), which then fails as the URL doesn't exactly match what the admin configured...so instead of trying to add magic about this we'll add it in the docs

Signed-off-by: Jens Langhammer <[email protected]>

* fix error when no request in context

Signed-off-by: Jens Langhammer <[email protected]>

* add signal for admin session revoke

Signed-off-by: Jens Langhammer <[email protected]>

* set txn based on request id

Signed-off-by: Jens Langhammer <[email protected]>

* validate method and endpoint url

Signed-off-by: Jens Langhammer <[email protected]>

* fix request ID detection

Signed-off-by: Jens Langhammer <[email protected]>

* add timestamp

Signed-off-by: Jens Langhammer <[email protected]>

* temp migration

Signed-off-by: Jens Langhammer <[email protected]>

* fix signal

Signed-off-by: Jens Langhammer <[email protected]>

* add signal tests

Signed-off-by: Jens Langhammer <[email protected]>

* the final commit

Signed-off-by: Jens Langhammer <[email protected]>

* ok actually the last commit

Signed-off-by: Jens Langhammer <[email protected]>

---------

Signed-off-by: Jens Langhammer <[email protected]>

Author: BeryJu

Makefile

@@ -6,6 +6,8 @@ UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -19,11 +21,12 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
+		-S 'website/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
 		website/src \
 		website/blog \
 		website/docs \

authentik/blueprints/v1/importer.py

@@ -51,6 +51,7 @@
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     EndpointDevice,
     EndpointDeviceConnection,
@@ -131,6 +132,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDevice,
         EndpointDeviceConnection,
         DeviceToken,
+        StreamEvent,
     )
 
 

authentik/core/models.py

@@ -599,6 +599,14 @@ def get_provider(self) -> Provider | None:
             return None
         return candidates[-1]
 
+    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
+        """Get Backchannel provider for a specific type"""
+        providers = self.backchannel_providers.filter(
+            **{f"{provider_type._meta.model_name}__isnull": False},
+            **kwargs,
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)
+
     def __str__(self):
         return str(self.name)
 

authentik/enterprise/providers/ssf/__init__.py

@@ -0,0 +1,64 @@
+"""SSF Provider API Views"""
+
+from django.urls import reverse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.ssf.models import SSFProvider
+
+
+class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """SSFProvider Serializer"""
+
+    ssf_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_ssf_url(self, instance: SSFProvider) -> str | None:
+        request: Request = self._context.get("request")
+        if not request:
+            return None
+        if not instance.backchannel_application:
+            return None
+        return request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": instance.backchannel_application.slug,
+                },
+            )
+        )
+
+    class Meta:
+        model = SSFProvider
+        fields = [
+            "pk",
+            "name",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "signing_key",
+            "token_obj",
+            "oidc_auth_providers",
+            "ssf_url",
+            "event_retention",
+        ]
+        extra_kwargs = {}
+
+
+class SSFProviderViewSet(UsedByMixin, ModelViewSet):
+    """SSFProvider Viewset"""
+
+    queryset = SSFProvider.objects.all()
+    serializer_class = SSFProviderSerializer
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+    }
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/providers/ssf/api/__init__.py

@@ -0,0 +1,37 @@
+"""SSF Stream API Views"""
+
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+from authentik.enterprise.providers.ssf.models import Stream
+
+
+class SSFStreamSerializer(ModelSerializer):
+    """SSFStream Serializer"""
+
+    provider_obj = SSFProviderSerializer(source="provider", read_only=True)
+
+    class Meta:
+        model = Stream
+        fields = [
+            "pk",
+            "provider",
+            "provider_obj",
+            "delivery_method",
+            "endpoint_url",
+            "events_requested",
+            "format",
+            "aud",
+            "iss",
+        ]
+
+
+class SSFStreamViewSet(ReadOnlyModelViewSet):
+    """SSFStream Viewset"""
+
+    queryset = Stream.objects.all()
+    serializer_class = SSFStreamSerializer
+    filterset_fields = ["provider", "endpoint_url", "delivery_method"]
+    search_fields = ["provider__name", "endpoint_url"]
+    ordering = ["provider", "uuid"]

authentik/enterprise/providers/ssf/api/providers.py

@@ -0,0 +1,13 @@
+"""SSF app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSSF(EnterpriseConfig):
+    """authentik enterprise ssf app config"""
+
+    name = "authentik.enterprise.providers.ssf"
+    label = "authentik_providers_ssf"
+    verbose_name = "authentik Enterprise.Providers.SSF"
+    default = True
+    mountpoint = ""

authentik/enterprise/providers/ssf/api/streams.py

@@ -0,0 +1,201 @@
+# Generated by Django 5.0.11 on 2025-02-05 16:20
+
+import authentik.lib.utils.time
+import django.contrib.postgres.fields
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SSFProvider",
+            fields=[
+                (
+                    "provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.provider",
+                    ),
+                ),
+                (
+                    "event_retention",
+                    models.TextField(
+                        default="days=30",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                (
+                    "oidc_auth_providers",
+                    models.ManyToManyField(
+                        blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
+                    ),
+                ),
+                (
+                    "signing_key",
+                    models.ForeignKey(
+                        help_text="Key used to sign the SSF Events.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_crypto.certificatekeypair",
+                        verbose_name="Signing Key",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Shared Signals Framework Provider",
+                "verbose_name_plural": "Shared Signals Framework Providers",
+                "permissions": [("add_stream", "Add stream to SSF provider")],
+            },
+            bases=("authentik_core.provider",),
+        ),
+        migrations.CreateModel(
+            name="Stream",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "delivery_method",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                                "Risc Push",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                                "Risc Poll",
+                            ),
+                        ]
+                    ),
+                ),
+                ("endpoint_url", models.TextField(null=True)),
+                (
+                    "events_requested",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(
+                            choices=[
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                    "Caep Session Revoked",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                    "Caep Credential Change",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                    "Set Verification",
+                                ),
+                            ]
+                        ),
+                        default=list,
+                        size=None,
+                    ),
+                ),
+                ("format", models.TextField()),
+                (
+                    "aud",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(), default=list, size=None
+                    ),
+                ),
+                ("iss", models.TextField()),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.ssfprovider",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream",
+                "verbose_name_plural": "SSF Streams",
+                "default_permissions": ["change", "delete", "view"],
+            },
+        ),
+        migrations.CreateModel(
+            name="StreamEvent",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "status",
+                    models.TextField(
+                        choices=[
+                            ("pending_new", "Pending New"),
+                            ("pending_failed", "Pending Failed"),
+                            ("sent", "Sent"),
+                        ]
+                    ),
+                ),
+                (
+                    "type",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                "Caep Session Revoked",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                "Caep Credential Change",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                "Set Verification",
+                            ),
+                        ]
+                    ),
+                ),
+                ("payload", models.JSONField(default=dict)),
+                (
+                    "stream",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.stream",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream Event",
+                "verbose_name_plural": "SSF Stream Events",
+                "ordering": ("-created",),
+            },
+        ),
+    ]