
Can application icons be set using blueprints?

Open achernya opened this issue 3 years ago • 4 comments

Describe your question: I'm looking at the different models available in blueprints (https://github.com/goauthentik/authentik/blob/a0c546023f64534ad8f5582d0178f04d31029ec9/blueprints/schema.json#L116) and see it's possible to configure applications. I believe this corresponds to https://goauthentik.io/api/#post-/core/applications/, which does not have any way to set the icon. A later API call (https://goauthentik.io/api/#post-/core/applications/-slug-/set_icon/) exists, but I don't see a model that maps onto this.

Version and Deployment (please complete the following information):

  • authentik version: 2022.8.2
  • Deployment: docker-compose

achernya avatar Aug 28 '22 00:08 achernya

Not currently; possible ways to implement this (applies to both application icon and flow background):

  • add icon_url as a normal attribute of the applications and only use the set_icon method for uploading files
  • Use a meta model (https://goauthentik.io/developer-docs/blueprints/v1/meta) to call set_icon from the blueprint (the meta model would allow for more generic API requests I reckon)

BeryJu avatar Aug 30 '22 13:08 BeryJu

Oh, meta model sounds very interesting. I similarly found myself wanting to do https://goauthentik.io/api/#post-/core/tokens/-identifier-/set_key/ to set up a provisioning token for an Authentik instance I already have running, and therefore AUTHENTIK_BOOTSTRAP_TOKEN from https://goauthentik.io/docs/installation/automated-install would be ignored on.

achernya avatar Aug 30 '22 13:08 achernya

I kinda don't want to allow arbitrary HTTP requests since that sounds like an easy way to allow SSRF, but on the other hand, if a user has enough authorization to import blueprints they can also create policies that execute code.

Ideally this meta model would allow for an entry like this:

- model: authentik_blueprints.metaapicall
  attrs:
    operation_id: core_tokens_set_key_create
    method: POST
    body:
      foo: bar

BeryJu avatar Aug 30 '22 16:08 BeryJu

I agree with the SSRF concern in general, but I think as long as the blueprints are processed internally through a flow where it's clear the server is acting on its own authority, that probably wouldn't produce an external risk.

achernya avatar Aug 30 '22 17:08 achernya
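To make the two points above concrete (the proposed `metaapicall` entry, and keeping it free of SSRF by never letting a blueprint name a host or URL), here is an added example that is not authentik's code and not part of this issue. It resolves an entry of the proposed shape against the server's own OpenAPI schema: only an `operation_id` that exists in that schema can be called, the path is filled from the schema's template with strictly validated path parameters, and the resulting call is handed to an internal dispatcher instead of an outbound HTTP client. The schema dict is a constructed stand-in for the real `/api/v3/schema/` document; `core_tokens_set_key_create` is the operation id from the thread, while `core_applications_set_icon_create`, the `path_params` attribute and the `dispatch` callable are assumptions made for the example.

```python
"""Resolve a hypothetical blueprint "meta API call" entry against the server's
own OpenAPI schema, so blueprints can only reach this server's API.

Added example; not authentik code. The schema below is a constructed stand-in.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of an OpenAPI document: path template -> method -> operationId.
# core_tokens_set_key_create is named in the thread; the applications id is assumed.
OPENAPI_SCHEMA = {
    "paths": {
        "/core/tokens/{identifier}/set_key/": {
            "post": {"operationId": "core_tokens_set_key_create"},
        },
        "/core/applications/{slug}/set_icon/": {
            "post": {"operationId": "core_applications_set_icon_create"},
        },
    }
}

# Path parameters are limited to a single URL segment so a blueprint value can
# never splice extra segments, query strings or a scheme into the template.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


class MetaApiCallError(ValueError):
    """Raised when a blueprint entry cannot be resolved safely."""


@dataclass(frozen=True)
class ResolvedCall:
    method: str
    path: str            # server-relative; no host, no scheme
    body: dict = field(default_factory=dict)


def build_operation_index(schema: dict) -> dict:
    """Map operationId -> (METHOD, path template).

    The index is derived from the server's own schema at build time, which is
    what makes the set of callable operations a closed allowlist.
    """
    index = {}
    for template, methods in schema["paths"].items():
        for method, operation in methods.items():
            index[operation["operationId"]] = (method.upper(), template)
    return index


def resolve_meta_call(entry: dict, index: dict) -> ResolvedCall:
    """Turn a blueprint entry of the proposed shape into a server-relative call."""
    if entry.get("model") != "authentik_blueprints.metaapicall":
        raise MetaApiCallError("not a metaapicall entry")
    attrs = entry.get("attrs", {})

    # 1. The operation must exist in this server's schema; no free-form URLs.
    op_id = attrs.get("operation_id")
    if op_id not in index:
        raise MetaApiCallError(f"unknown operation_id {op_id!r}")
    method, template = index[op_id]

    # 2. The method, if given, must match the schema rather than override it.
    if attrs.get("method", method).upper() != method:
        raise MetaApiCallError(f"{op_id} is {method}, not {attrs['method']}")

    # 3. Fill path parameters from a validated, single-segment value.
    params = attrs.get("path_params", {})

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = str(params.get(name, ""))
        if not _SEGMENT_RE.fullmatch(value):
            raise MetaApiCallError(f"invalid or missing path param {name!r}")
        return value

    path = re.sub(r"\{([^}]+)\}", substitute, template)
    return ResolvedCall(method=method, path=path, body=dict(attrs.get("body", {})))


def apply_meta_call(entry: dict, index: dict, dispatch) -> object:
    """Resolve the entry and hand it to an internal dispatcher.

    `dispatch(method, path, body)` stands in for the server's own request
    routing (for instance a Django test client); no socket is opened here.
    """
    call = resolve_meta_call(entry, index)
    return dispatch(call.method, call.path, call.body)


if __name__ == "__main__":
    # Constructed entry: set the key of an existing token named "bootstrap".
    entry = {
        "model": "authentik_blueprints.metaapicall",
        "attrs": {
            "operation_id": "core_tokens_set_key_create",
            "method": "POST",
            "path_params": {"identifier": "bootstrap"},
            "body": {"key": "<placeholder-token-value>"},
        },
    }
    print(apply_meta_call(entry, build_operation_index(OPENAPI_SCHEMA),
                          lambda m, p, b: f"{m} {p} {sorted(b)}"))
```

The design choice worth noting is where the allowlist comes from: because the index is built from the server's own schema, a blueprint can only ever address an endpoint the server already exposes to the same authorization context, which is the "acting on its own authority" model described above; a file-upload endpoint such as `set_icon/` would additionally need a multipart body, which this JSON-shaped entry does not model.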