Add Default JWT Algorithms from .well-known endpoint

zkayyali812 · zkayyali812 · commit ba959b1c309c · 2025-08-21T19:01:51.000-04:00
diff --git a/ansible_base/authentication/authenticator_plugins/oidc.py b/ansible_base/authentication/authenticator_plugins/oidc.py
@@ -123,7 +123,11 @@ class OpenIdConnectConfiguration(BaseAuthenticatorConfiguration):
     )
 
     JWT_ALGORITHMS = ListField(
-        help_text=_("The algorithm(s) for decoding JWT responses from the IDP."),
+        help_text=_(
+            "The algorithm(s) for decoding JWT responses from the IDP. "
+            "Leave blank to extract from the .well-known configuration (if that fails we will attempt the default algorithms). "
+            "Set to ['none'] to not use encrypted tokens (the provider must send unencrypted tokens for this to work)"
+        ),
         default=None,
         allow_null=True,
         validators=[JWTAlgorithmListFieldValidator()],
@@ -300,3 +304,50 @@ def get_alternative_uid(self, **kwargs):
             return preferred_username
 
         return None
+
+    def _get_jwt_algorithms(self, existing_setting=None) -> list[str]:
+        """
+        Get the JWT algorithms to pass to the decode
+        """
+        algorithms = []
+        if existing_setting:
+            # If the admin specified the algorithms then use them
+            algorithms = existing_setting
+        else:
+            # Try to get the algorithms from the .well-known/openid-configuration
+            try:
+                logger.debug("Attempting to get the JWT algorithms from the .well-known/openid-configuration")
+                config = self.oidc_config()
+
+                # First try to get signing algorithms (most common)
+                idp_algorithms = config.get("id_token_signing_alg_values_supported")
+                if idp_algorithms:
+                    logger.debug(f"JWT signing algorithms supported by the IDP: {idp_algorithms}")
+                    algorithms = idp_algorithms
+                else:
+                    # Fallback to encryption algorithms if signing algorithms not found
+                    idp_algorithms = config.get("id_token_encryption_alg_values_supported")
+                    if idp_algorithms:
+                        logger.debug(f"JWT encryption algorithms supported by the IDP: {idp_algorithms}")
+                        algorithms = idp_algorithms
+                    else:
+                        # Try userinfo signing algorithms as another fallback
+                        idp_algorithms = config.get("userinfo_signing_alg_values_supported")
+                        if idp_algorithms:
+                            logger.debug(f"JWT userinfo signing algorithms supported by the IDP: {idp_algorithms}")
+                            algorithms = idp_algorithms
+                        else:
+                            raise Exception("No algorithms found in OIDC config")
+            except Exception as e:
+                # Fallback to default algorithms if we can't get them from the .well-known endpoint
+                lib_defaults = OpenIdConnectAuth.JWT_ALGORITHMS
+                logger.error(f"Unable to get JWT algorithms from the .well-known/openid-configuration, defaulting to {lib_defaults}: {e}")
+                algorithms = lib_defaults
+
+        # Ensure we always return a list
+        if not isinstance(algorithms, list):
+            algorithms = [algorithms] if algorithms else []
+
+        # There is a property on self that we can also set that is used in some places
+        self.JWT_ALGORITHMS = algorithms
+        return algorithms
diff --git a/ansible_base/authentication/models/authenticator.py b/ansible_base/authentication/models/authenticator.py
@@ -52,6 +52,31 @@ class Authenticator(UniqueNamedCommonModel):
         on_delete=SET_NULL,
     )
 
+    def save_default_jwt_algorithms(self):
+        try:
+            # Create a proper plugin instance with the database instance
+            from ansible_base.authentication.authenticator_plugins.utils import get_authenticator_class
+
+            authenticator_class = get_authenticator_class(self.type)
+            plugin_instance = authenticator_class(database_instance=self)
+
+            # Try to get algorithms from .well-known endpoint
+            import logging
+
+            logger = logging.getLogger('ansible_base.authentication.models.authenticator')
+            logger.info("Auto-populating JWT algorithms for OIDC authenticator from .well-known endpoint")
+
+            algorithms = plugin_instance._get_jwt_algorithms()
+            if algorithms:
+                self.configuration['JWT_ALGORITHMS'] = algorithms
+                logger.info(f"Successfully populated JWT algorithms: {algorithms}")
+        except Exception as e:
+            import logging
+
+            logger = logging.getLogger('ansible_base.authentication.models.authenticator')
+            logger.warning(f"Could not auto-populate JWT algorithms for OIDC authenticator: {e}")
+            # Don't fail the save operation, just log the warning
+
     def save(self, *args, **kwargs):
         from ansible_base.lib.utils.encryption import ansible_encryption
 
@@ -65,6 +90,10 @@ def save(self, *args, **kwargs):
             if field in self.configuration:
                 self.configuration[field] = ansible_encryption.encrypt_string(self.configuration[field])
 
+        # Auto-populate JWT algorithms for OIDC authenticators if not set
+        if self.type == "ansible_base.authentication.authenticator_plugins.oidc" and self.configuration and not self.configuration.get('JWT_ALGORITHMS'):
+            self.save_default_jwt_algorithms()
+
         if not self.slug:
             self.slug = generate_authenticator_slug()
         super().save(*args, **kwargs)
diff --git a/test_app/tests/authentication/authenticator_plugins/test_oidc.py b/test_app/tests/authentication/authenticator_plugins/test_oidc.py
@@ -147,7 +147,13 @@ def encrypted(self, isEncrypted):
         def json(self):
             return json.dumps({"key": "value"})
 
-    mocksetting.return_value = "VALUE"
+    # Mock the setting to return appropriate values
+    def mock_setting(key, default=None):
+        if key == "JWT_ALGORITHMS":
+            return ["RS256"]  # Return a valid algorithm list
+        return "VALUE"
+
+    mocksetting.side_effect = mock_setting
 
     ap = AuthenticatorPlugin()
 
@@ -167,7 +173,8 @@ def json(self):
     mockeddecode.return_value = mr.json()
     data = ap.user_data("token")
 
-    mockeddecode.assert_called_once_with('token', key='-----BEGIN PUBLIC KEY-----\nVALUE\n-----END PUBLIC KEY-----', algorithms='VALUE', audience='VALUE')
+    # The algorithms should be the mocked value
+    mockeddecode.assert_called_once_with('token', key='-----BEGIN PUBLIC KEY-----\nVALUE\n-----END PUBLIC KEY-----', algorithms=['RS256'], audience='VALUE')
     assert "key" in data
 
     # Decode failure
diff --git a/test_app/tests/authentication/models/test_authenticator.py b/test_app/tests/authentication/models/test_authenticator.py
@@ -47,3 +47,100 @@ def test_dupe_slug(ldap_authenticator):
 
     dupe.save()
     assert dupe.slug != ldap_slug, "authenticator slugs should be unique"
+
+
+@pytest.mark.django_db
+@mock.patch("ansible_base.authentication.authenticator_plugins.oidc.OpenIdConnectAuth.JWT_ALGORITHMS", ["RS256", "HS256"])
+@mock.patch("logging.getLogger")
+def test_oidc_jwt_algorithms_auto_population(mock_get_logger):
+    """Test that JWT algorithms are automatically populated when creating an OIDC authenticator"""
+    from ansible_base.authentication.models import Authenticator
+
+    # Mock the logger
+    mock_logger = mock.MagicMock()
+    mock_get_logger.return_value = mock_logger
+
+    # Create OIDC authenticator without JWT_ALGORITHMS
+    oidc_config = {
+        "OIDC_ENDPOINT": "https://example.com",
+        "VERIFY_SSL": True,
+        "KEY": "test-client-id",
+        "SECRET": "test-client-secret",
+    }
+
+    # Mock the OIDC plugin to return algorithms from .well-known
+    with mock.patch("ansible_base.authentication.authenticator_plugins.oidc.AuthenticatorPlugin._get_jwt_algorithms") as mock_get_algs:
+        mock_get_algs.return_value = ["RS256", "ES256"]
+
+        oidc_auth = Authenticator.objects.create(name="Test OIDC", type="ansible_base.authentication.authenticator_plugins.oidc", configuration=oidc_config)
+
+        # Verify that JWT_ALGORITHMS was populated
+        assert "JWT_ALGORITHMS" in oidc_auth.configuration
+        assert oidc_auth.configuration["JWT_ALGORITHMS"] == ["RS256", "ES256"]
+        mock_logger.info.assert_called_with("Successfully populated JWT algorithms: ['RS256', 'ES256']")
+
+
+@pytest.mark.django_db
+def test_oidc_jwt_algorithms_not_populated_when_already_set():
+    """Test that JWT algorithms are not modified when already configured"""
+    from ansible_base.authentication.models import Authenticator
+
+    # Create OIDC authenticator with JWT_ALGORITHMS already set
+    oidc_config = {
+        "OIDC_ENDPOINT": "https://example.com",
+        "VERIFY_SSL": True,
+        "KEY": "test-client-id",
+        "SECRET": "test-client-secret",
+        "JWT_ALGORITHMS": ["RS256"],  # Already configured
+    }
+
+    oidc_auth = Authenticator.objects.create(
+        name="Test OIDC Configured", type="ansible_base.authentication.authenticator_plugins.oidc", configuration=oidc_config
+    )
+
+    # Verify that JWT_ALGORITHMS was not modified
+    assert oidc_auth.configuration["JWT_ALGORITHMS"] == ["RS256"]
+
+
+@pytest.mark.django_db
+def test_non_oidc_authenticator_not_affected():
+    """Test that non-OIDC authenticators are not affected by JWT algorithm logic"""
+    from ansible_base.authentication.models import Authenticator
+
+    # Create LDAP authenticator (non-OIDC)
+    ldap_config = {
+        "SERVER_URI": "ldap://example.com",
+        "BIND_DN": "cn=admin,dc=example,dc=com",
+        "BIND_PASSWORD": "password",
+        "USER_SEARCH": ["ou=users,dc=example,dc=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
+    }
+
+    ldap_auth = Authenticator.objects.create(name="Test LDAP", type="ansible_base.authentication.authenticator_plugins.ldap", configuration=ldap_config)
+
+    # Verify that LDAP authenticator doesn't have JWT_ALGORITHMS
+    assert "JWT_ALGORITHMS" not in ldap_auth.configuration
+
+
+@pytest.mark.django_db
+@mock.patch("ansible_base.authentication.authenticator_plugins.oidc.OpenIdConnectAuth.JWT_ALGORITHMS", ["RS256", "HS256"])
+@mock.patch("logging.getLogger")
+def test_oidc_jwt_algorithms_auto_population_on_update(mock_get_logger):
+    """Test that JWT algorithms are auto-populated when updating an OIDC authenticator"""
+    from ansible_base.authentication.models import Authenticator
+
+    # Mock the logger
+    mock_logger = mock.MagicMock()
+    mock_get_logger.return_value = mock_logger
+
+    # Create OIDC authenticator without JWT_ALGORITHMS
+    oidc_config = {
+        "OIDC_ENDPOINT": "https://example.com",
+        "VERIFY_SSL": True,
+        "KEY": "test-client-id",
+        "SECRET": "test-client-secret",
+    }
+
+    oidc_auth = Authenticator.objects.create(name="Test OIDC Update", type="ansible_base.authentication.authenticator_plugins.oidc", configuration=oidc_config)
+
+    assert "JWT_ALGORITHMS" in oidc_auth.configuration
+    assert oidc_auth.configuration["JWT_ALGORITHMS"] == ["RS256", "HS256"]
