chore(deps): bump ansible from 7.1.0 to 12.2.0

Bumps [ansible](https://github.com/ansible-community/ansible-build-data) from 7.1.0 to 12.2.0.
- [Changelog](https://github.com/ansible-community/ansible-build-data/blob/main/docs/release-process.md)
- [Commits](https://github.com/ansible-community/ansible-build-data/compare/7.1.0...12.2.0)

---
updated-dependencies:
- dependency-name: ansible
  dependency-version: 12.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Dockerfile

@@ -1,4 +1,4 @@
-FROM jumpserver/core-base:20251113_092612 AS stage-build
+FROM jumpserver/core-base:20251128_025056 AS stage-build
 
 ARG VERSION
 

apps/audits/api.py

@@ -43,7 +43,7 @@ from .serializers import (
     OperateLogSerializer, OperateLogActionDetailSerializer,
     PasswordChangeLogSerializer, ActivityUnionLogSerializer,
     FileSerializer, UserSessionSerializer, JobsAuditSerializer,
-    ServiceAccessLogSerializer
+    ServiceAccessLogSerializer, OperateLogFullSerializer
 )
 from .utils import construct_userlogin_usernames, record_operate_log_and_activity_log
 
@@ -256,7 +256,9 @@ class OperateLogViewSet(OrgReadonlyModelViewSet):
     def get_serializer_class(self):
         if self.is_action_detail:
             return OperateLogActionDetailSerializer
-        return super().get_serializer_class()
+        elif self.request.query_params.get('format'):
+            return OperateLogFullSerializer
+        return OperateLogSerializer
 
     def get_queryset(self):
         current_org_id = str(current_org.id)

apps/audits/serializers.py

@@ -127,6 +127,21 @@ class OperateLogSerializer(BulkOrgResourceModelSerializer):
         return i18n_trans(instance.resource)
 
 
+class DiffFieldSerializer(serializers.JSONField):
+    def to_file_representation(self, value):
+        row = getattr(self, '_row') or {}
+        attrs = {'diff': value, 'resource_type': row.get('resource_type')}
+        instance = type('OperateLog', (), attrs)
+        return OperateLogStore.convert_diff_friendly(instance)
+
+
+class OperateLogFullSerializer(OperateLogSerializer):
+    diff = DiffFieldSerializer(label=_("Diff"))
+
+    class Meta(OperateLogSerializer.Meta):
+        fields = OperateLogSerializer.Meta.fields + ['diff']
+
+
 class PasswordChangeLogSerializer(serializers.ModelSerializer):
     class Meta:
         model = models.PasswordChangeLog

apps/authentication/api/__init__.py

@@ -16,3 +16,4 @@ from .sso import *
 from .temp_token import *
 from .token import *
 from .face import *
+from .access_token import *

apps/authentication/api/access_token.py

@@ -0,0 +1,47 @@
+from django.shortcuts import get_object_or_404
+from django.utils.translation import gettext as _
+
+from rest_framework.decorators import action
+from rest_framework.response import Response
+from rest_framework.status import HTTP_204_NO_CONTENT, HTTP_404_NOT_FOUND
+
+from oauth2_provider.models import get_access_token_model
+
+from common.api import JMSModelViewSet
+from rbac.permissions import RBACPermission
+from ..serializers import AccessTokenSerializer
+
+
+AccessToken = get_access_token_model()
+
+
+class AccessTokenViewSet(JMSModelViewSet):
+    """
+    OAuth2 Access Token 管理视图集
+    用户只能查看和撤销自己的 access token
+    """
+    serializer_class = AccessTokenSerializer
+    permission_classes = [RBACPermission]
+    http_method_names = ['get', 'options', 'delete']
+    rbac_perms = {
+        'revoke': 'oauth2_provider.delete_accesstoken',
+    }
+
+    def get_queryset(self):
+        """只返回当前用户的 access token，按创建时间倒序"""
+        return AccessToken.objects.filter(user=self.request.user).order_by('-created')
+
+    @action(methods=['DELETE'], detail=True, url_path='revoke')
+    def revoke(self, request, *args, **kwargs):
+        """
+        撤销 access token 及其关联的 refresh token
+        如果 token 不存在或不属于当前用户，返回 404
+        """
+        token = get_object_or_404(
+            AccessToken.objects.filter(user=request.user),
+            id=kwargs['pk']
+        )
+        # 优先撤销 refresh token，会自动撤销关联的 access token
+        token_to_revoke = token.refresh_token if token.refresh_token else token
+        token_to_revoke.revoke()
+        return Response(status=HTTP_204_NO_CONTENT)

apps/authentication/backends/cas/backends.py

@@ -1,51 +1,22 @@
 # -*- coding: utf-8 -*-
 #
 
-import threading
-
 from django.conf import settings
-from django.contrib.auth import get_user_model
 from django_cas_ng.backends import CASBackend as _CASBackend
 
 from common.utils import get_logger
 from ..base import JMSBaseAuthBackend
 
-__all__ = ['CASBackend', 'CASUserDoesNotExist']
+__all__ = ['CASBackend']
 logger = get_logger(__name__)
 
 
-class CASUserDoesNotExist(Exception):
-    """Exception raised when a CAS user does not exist."""
-    pass
-
-
 class CASBackend(JMSBaseAuthBackend, _CASBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_CAS
 
     def authenticate(self, request, ticket, service):
-        UserModel = get_user_model()
-        manager = UserModel._default_manager
-        original_get_by_natural_key = manager.get_by_natural_key
-        thread_local = threading.local()
-        thread_local.thread_id = threading.get_ident()
-        logger.debug(f"CASBackend.authenticate: thread_id={thread_local.thread_id}")
-
-        def get_by_natural_key(self, username):
-            logger.debug(f"CASBackend.get_by_natural_key: thread_id={threading.get_ident()}, username={username}")
-            if threading.get_ident() != thread_local.thread_id:
-                return original_get_by_natural_key(username)
-
-            try:
-                user = original_get_by_natural_key(username)
-            except UserModel.DoesNotExist:
-                raise CASUserDoesNotExist(username)
-            return user
-
-        try:
-            manager.get_by_natural_key = get_by_natural_key.__get__(manager, type(manager))
-            user = super().authenticate(request, ticket=ticket, service=service)
-        finally:
-            manager.get_by_natural_key = original_get_by_natural_key
-        return user
+        # 这里做个hack ,让父类始终走CAS_CREATE_USER=True的逻辑，然后调用 authentication/mixins.py 中的 custom_get_or_create 方法
+        settings.CAS_CREATE_USER = True
+        return super().authenticate(request, ticket, service)

apps/authentication/backends/cas/views.py

@@ -4,29 +4,23 @@ from django.utils.translation import gettext_lazy as _
 from django_cas_ng.views import LoginView
 
 from authentication.backends.base import BaseAuthCallbackClientView
-from common.utils import FlashMessageUtil
-from .backends import CASUserDoesNotExist
+from authentication.views.mixins import FlashMessageMixin
 
 __all__ = ['LoginView']
 
 
-class CASLoginView(LoginView):
+class CASLoginView(LoginView, FlashMessageMixin):
     def get(self, request):
         try:
             resp = super().get(request)
-            return resp
         except PermissionDenied:
-            return HttpResponseRedirect('/')
-        except CASUserDoesNotExist as e:
-            message_data = {
-                'title': _('User does not exist: {}').format(e),
-                'error': _(
-                    'CAS login was successful, but no corresponding local user was found in the system, and automatic '
-                    'user creation is disabled in the CAS authentication configuration. Login failed.'),
-                'interval': 10,
-                'redirect_url': '/',
-            }
-            return FlashMessageUtil.gen_and_redirect_to(message_data)
+            resp = HttpResponseRedirect('/')
+        error_message = getattr(request, 'error_message', '')
+        if error_message:
+            response = self.get_failed_response('/', title=_('CAS Error'), msg=error_message)
+            return response
+        else:
+            return resp
 
 
 class CASCallbackClientView(BaseAuthCallbackClientView):

apps/authentication/backends/oauth2/views.py

@@ -10,7 +10,7 @@ from authentication.backends.base import BaseAuthCallbackClientView
 from authentication.mixins import authenticate
 from authentication.utils import build_absolute_uri
 from authentication.views.mixins import FlashMessageMixin
-from common.utils import get_logger
+from common.utils import get_logger, safe_next_url
 
 logger = get_logger(__file__)
 
@@ -21,12 +21,17 @@ class OAuth2AuthRequestView(View):
         log_prompt = "Process OAuth2 GET requests: {}"
         logger.debug(log_prompt.format('Start'))
 
+        authentication_request_params = request.GET.dict()
+        query = urlencode(authentication_request_params)
+        redirect_uri = build_absolute_uri(
+            request, path=reverse(settings.AUTH_OAUTH2_AUTH_LOGIN_CALLBACK_URL_NAME)
+        )
+        redirect_uri = f"{redirect_uri}?{query}"
+
         query_dict = {
             'client_id': settings.AUTH_OAUTH2_CLIENT_ID, 'response_type': 'code',
             'scope': settings.AUTH_OAUTH2_SCOPE,
-            'redirect_uri': build_absolute_uri(
-                request, path=reverse(settings.AUTH_OAUTH2_AUTH_LOGIN_CALLBACK_URL_NAME)
-            )
+            'redirect_uri': redirect_uri
         }
 
         if '?' in settings.AUTH_OAUTH2_PROVIDER_AUTHORIZATION_ENDPOINT:
@@ -59,9 +64,9 @@ class OAuth2AuthCallbackView(View, FlashMessageMixin):
                 logger.debug(log_prompt.format('Login: {}'.format(user)))
                 auth.login(self.request, user)
                 logger.debug(log_prompt.format('Redirect'))
-                return HttpResponseRedirect(
-                    settings.AUTH_OAUTH2_AUTHENTICATION_REDIRECT_URI
-                )
+                next_url = request.GET.get('next') or settings.AUTH_OAUTH2_AUTHENTICATION_REDIRECT_URI
+                next_url = safe_next_url(next_url, request=request)
+                return HttpResponseRedirect(next_url)
             else:
                 if getattr(request, 'error_message', ''):
                     response = self.get_failed_response('/', title=_('OAuth2 Error'), msg=request.error_message)

apps/authentication/backends/oauth2_provider/urls.py

@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+#
+from django.urls import path
+
+from oauth2_provider import views as op_views
+from . import views
+
+
+urlpatterns = [
+    path("authorize/", op_views.AuthorizationView.as_view(), name="authorize"),
+    path("token/", op_views.TokenView.as_view(), name="token"),
+    path("revoke/", op_views.RevokeTokenView.as_view(), name="revoke-token"),
+    path(".well-known/oauth-authorization-server", views.OAuthAuthorizationServerView.as_view(), name="oauth-authorization-server"),
+]

apps/authentication/backends/oauth2_provider/utils.py

@@ -0,0 +1,17 @@
+from django.conf import settings
+from oauth2_provider.models import get_application_model
+
+def get_or_create_jumpserver_client_application():
+    """Auto get or create OAuth2 JumpServer Client application."""
+    Application = get_application_model()
+    
+    application, created = Application.objects.get_or_create(
+        name=settings.OAUTH2_PROVIDER_JUMPSERVER_CLIENT_NAME,
+        defaults={
+            'client_type': Application.CLIENT_PUBLIC,
+            'authorization_grant_type': Application.GRANT_AUTHORIZATION_CODE,
+            'redirect_uris': settings.OAUTH2_PROVIDER_CLIENT_REDIRECT_URI,
+            'skip_authorization': True,
+        }
+    )
+    return application

apps/authentication/backends/oauth2_provider/views.py

@@ -0,0 +1,77 @@
+from django.views.generic import View
+from django.http import JsonResponse
+from django.utils.decorators import method_decorator
+from django.views.decorators.cache import cache_page
+from django.views.decorators.csrf import csrf_exempt
+from django.conf import settings
+from django.urls import reverse
+from oauth2_provider.settings import oauth2_settings
+from typing import List, Dict, Any
+from .utils import get_or_create_jumpserver_client_application
+
+
+@method_decorator(csrf_exempt, name='dispatch')
+@method_decorator(cache_page(60 * 60), name='dispatch')
+class OAuthAuthorizationServerView(View):
+    """
+    OAuth 2.0 Authorization Server Metadata Endpoint
+    RFC 8414: https://datatracker.ietf.org/doc/html/rfc8414
+    
+    This endpoint provides machine-readable information about the
+    OAuth 2.0 authorization server's configuration.
+    """
+    
+    def get_base_url(self, request) -> str:
+        scheme = 'https' if request.is_secure() else 'http'
+        host = request.get_host()
+        return f"{scheme}://{host}"
+    
+    def get_supported_scopes(self) -> List[str]:
+        scopes_config = oauth2_settings.SCOPES
+        if isinstance(scopes_config, dict):
+            return list(scopes_config.keys())
+        return []
+    
+    def get_metadata(self, request) -> Dict[str, Any]:
+        base_url = self.get_base_url(request)
+        application = get_or_create_jumpserver_client_application()
+        metadata = {
+            "issuer": base_url,
+            "client_id": application.client_id if application else "Not found any application.",
+            "authorization_endpoint": base_url + reverse('authentication:oauth2-provider:authorize'),
+            "token_endpoint": base_url + reverse('authentication:oauth2-provider:token'),
+            "revocation_endpoint": base_url + reverse('authentication:oauth2-provider:revoke-token'),
+            
+            "response_types_supported": ["code"],
+            "grant_types_supported": ["authorization_code", "refresh_token"],
+            "scopes_supported": self.get_supported_scopes(),
+            
+            "token_endpoint_auth_methods_supported": ["none"],
+            "revocation_endpoint_auth_methods_supported": ["none"],
+            "code_challenge_methods_supported": ["S256"],
+            "response_modes_supported": ["query"],
+        }
+        if hasattr(oauth2_settings, 'ACCESS_TOKEN_EXPIRE_SECONDS'):
+            metadata["token_expires_in"] = oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS
+        if hasattr(oauth2_settings, 'REFRESH_TOKEN_EXPIRE_SECONDS'):
+            if oauth2_settings.REFRESH_TOKEN_EXPIRE_SECONDS:
+                metadata["refresh_token_expires_in"] = oauth2_settings.REFRESH_TOKEN_EXPIRE_SECONDS
+        return metadata
+    
+    def get(self, request, *args, **kwargs):
+        metadata = self.get_metadata(request)
+        response = JsonResponse(metadata)
+        self.add_cors_headers(response)
+        return response
+    
+    def options(self, request, *args, **kwargs):
+        response = JsonResponse({})
+        self.add_cors_headers(response)
+        return response
+    
+    @staticmethod
+    def add_cors_headers(response):
+        response['Access-Control-Allow-Origin'] = '*'
+        response['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
+        response['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
+        response['Access-Control-Max-Age'] = '3600'

apps/authentication/backends/saml2/views.py

@@ -17,7 +17,7 @@ from onelogin.saml2.idp_metadata_parser import (
 )
 
 from authentication.views.mixins import FlashMessageMixin
-from common.utils import get_logger
+from common.utils import get_logger, safe_next_url
 from .settings import JmsSaml2Settings
 from ..base import BaseAuthCallbackClientView
 
@@ -208,13 +208,16 @@ class Saml2AuthRequestView(View, PrepareRequestMixin):
         log_prompt = "Process SAML GET requests: {}"
         logger.debug(log_prompt.format('Start'))
 
+        authentication_request_params = request.GET.dict()
+
         try:
             saml_instance = self.init_saml_auth(request)
         except OneLogin_Saml2_Error as error:
             logger.error(log_prompt.format('Init saml auth error: %s' % error))
             return HttpResponse(error, status=412)
 
-        next_url = settings.AUTH_SAML2_PROVIDER_AUTHORIZATION_ENDPOINT
+        next_url = authentication_request_params.get('next', settings.AUTH_SAML2_PROVIDER_AUTHORIZATION_ENDPOINT)
+        next_url = safe_next_url(next_url, request=request)
         url = saml_instance.login(return_to=next_url)
         logger.debug(log_prompt.format('Redirect login url'))
         return HttpResponseRedirect(url)

apps/authentication/management/commands/init_oauth2_provider.py

@@ -0,0 +1,75 @@
+# -*- coding: utf-8 -*-
+#
+from django.core.management.base import BaseCommand
+from django.db.utils import OperationalError, ProgrammingError
+from django.conf import settings
+
+
+class Command(BaseCommand):
+    help = 'Initialize OAuth2 Provider - Create default JumpServer Client application'
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            '--force',
+            action='store_true',
+            help='Force recreate the application even if it exists',
+        )
+
+    def handle(self, *args, **options):
+        force = options.get('force', False)
+        
+        try:
+            from authentication.backends.oauth2_provider.utils import (
+                get_or_create_jumpserver_client_application
+            )
+            from oauth2_provider.models import get_application_model
+            
+            Application = get_application_model()
+            
+            # 检查表是否存在
+            try:
+                Application.objects.exists()
+            except (OperationalError, ProgrammingError) as e:
+                self.stdout.write(
+                    self.style.ERROR(
+                        f'OAuth2 Provider tables not found. Please run migrations first:\n'
+                        f'  python manage.py migrate oauth2_provider\n'
+                        f'Error: {e}'
+                    )
+                )
+                return
+            
+            # 如果强制重建，先删除已存在的应用
+            if force:
+                deleted_count, _ = Application.objects.filter(
+                    name=settings.OAUTH2_PROVIDER_JUMPSERVER_CLIENT_NAME
+                ).delete()
+                if deleted_count > 0:
+                    self.stdout.write(
+                        self.style.WARNING(f'Deleted {deleted_count} existing application(s)')
+                    )
+            
+            # 创建或获取应用
+            application = get_or_create_jumpserver_client_application()
+            
+            if application:
+                self.stdout.write(
+                    self.style.SUCCESS(
+                        f'✓ OAuth2 JumpServer Client application initialized successfully\n'
+                        f'  - Client ID: {application.client_id}\n'
+                        f'  - Client Type: {application.get_client_type_display()}\n'
+                        f'  - Grant Type: {application.get_authorization_grant_type_display()}\n'
+                        f'  - Redirect URIs: {application.redirect_uris}\n'
+                        f'  - Skip Authorization: {application.skip_authorization}'
+                    )
+                )
+            else:
+                self.stdout.write(
+                    self.style.ERROR('Failed to create OAuth2 application')
+                )
+                
+        except Exception as e:
+            self.stdout.write(
+                self.style.ERROR(f'Error initializing OAuth2 Provider: {e}')
+            )
+            raise

apps/authentication/mixins.py

@@ -6,6 +6,7 @@ import time
 import uuid
 from functools import partial
 from typing import Callable
+from werkzeug.local import Local
 
 from django.conf import settings
 from django.contrib import auth
@@ -16,6 +17,7 @@ from django.contrib.auth import (
 from django.contrib.auth import get_user_model
 from django.core.cache import cache
 from django.core.exceptions import ImproperlyConfigured
+from django.db.models import Q
 from django.shortcuts import reverse, redirect, get_object_or_404
 from django.utils.http import urlencode
 from django.utils.translation import gettext as _
@@ -31,6 +33,87 @@ from .signals import post_auth_success, post_auth_failed
 
 logger = get_logger(__name__)
 
+# 模块级别的线程上下文，用于 authenticate 函数中标记当前线程
+_auth_thread_context = Local()
+
+# 保存 Django 原始的 get_or_create 方法（在模块加载时保存一次）
+def _save_original_get_or_create():
+    """保存 Django 原始的 get_or_create 方法"""
+    from django.contrib.auth import get_user_model as get_user_model_func
+    UserModel = get_user_model_func()
+    return UserModel.objects.get_or_create
+
+_django_original_get_or_create = _save_original_get_or_create()
+
+
+class OnlyAllowExistUserAuthError(Exception):
+    pass
+
+
+def _authenticate_context(func):
+    """
+    装饰器：管理 authenticate 函数的执行上下文
+    
+    功能：
+    1. 执行前：
+       - 在线程本地存储中标记当前正在执行 authenticate
+       - 临时替换 UserModel.objects.get_or_create 方法
+    2. 执行后：
+       - 清理线程本地存储标记
+       - 恢复 get_or_create 为 Django 原始方法
+    
+    作用：
+    - 确保 get_or_create 行为仅在 authenticate 生命周期内生效
+    - 支持 ONLY_ALLOW_EXIST_USER_AUTH 配置的线程安全实现
+    - 防止跨请求或跨线程的状态污染
+    """
+    from functools import wraps
+    
+    @wraps(func)
+    def wrapper(request=None, **credentials):
+        from django.contrib.auth import get_user_model
+        
+        UserModel = get_user_model()
+        
+        def custom_get_or_create(*args, **kwargs):
+            create_username = kwargs.get('username')
+            logger.debug(f"get_or_create: thread_id={threading.get_ident()}, username={create_username}")
+
+            # 如果当前线程正在执行 authenticate 且仅允许已存在用户认证，则提前判断用户是否存在
+            if (
+                getattr(_auth_thread_context, 'in_authenticate', False) and 
+                settings.ONLY_ALLOW_EXIST_USER_AUTH
+            ):
+                try:
+                    UserModel.objects.get(username=create_username)
+                except UserModel.DoesNotExist:
+                    raise OnlyAllowExistUserAuthError
+
+            # 调用 Django 原始方法（已是绑定方法，直接传参）
+            return _django_original_get_or_create(*args, **kwargs)
+        
+        
+        try:
+            # 执行前：设置线程上下文和 monkey-patch
+            setattr(_auth_thread_context, 'in_authenticate', True)
+            UserModel.objects.get_or_create = custom_get_or_create
+
+            # 执行原函数
+            return func(request, **credentials)
+        finally:
+            # 执行后：清理线程上下文和恢复原始方法
+            try:
+                if hasattr(_auth_thread_context, 'in_authenticate'):
+                    delattr(_auth_thread_context, 'in_authenticate')
+            except Exception:
+                pass
+            try:
+                UserModel.objects.get_or_create = _django_original_get_or_create
+            except Exception:
+                pass
+    
+    return wrapper
+
 
 def _get_backends(return_tuples=False):
     backends = []
@@ -48,39 +131,17 @@ def _get_backends(return_tuples=False):
     return backends
 
 
-class OnlyAllowExistUserAuthError(Exception):
-    pass
-
-
 auth._get_backends = _get_backends
 
 
+@_authenticate_context
 def authenticate(request=None, **credentials):
     """
     If the given credentials are valid, return a User object.
-    之所以 hack 这个 authenticate
     """
 
-    UserModel = get_user_model()
-    original_get_or_create = UserModel.objects.get_or_create
-
-    thread_local = threading.local()
-    thread_local.thread_id = threading.get_ident()
-
-    def custom_get_or_create(self, *args, **kwargs):
-        logger.debug(f"get_or_create: thread_id={threading.get_ident()}, username={username}")
-        if threading.get_ident() != thread_local.thread_id or not settings.ONLY_ALLOW_EXIST_USER_AUTH:
-            return original_get_or_create(*args, **kwargs)
-        create_username = kwargs.get('username')
-        try:
-            UserModel.objects.get(username=create_username)
-        except UserModel.DoesNotExist:
-            raise OnlyAllowExistUserAuthError
-        return original_get_or_create(*args, **kwargs)
-
-    username = credentials.get('username')
-
     temp_user = None
+    username = credentials.get('username')
     for backend, backend_path in _get_backends(return_tuples=True):
         # 检查用户名是否允许认证 (预先检查，不浪费认证时间)
         logger.info('Try using auth backend: {}'.format(str(backend)))
@@ -94,27 +155,28 @@ def authenticate(request=None, **credentials):
         except TypeError:
             # This backend doesn't accept these credentials as arguments. Try the next one.
             continue
+        
         try:
-            UserModel.objects.get_or_create = custom_get_or_create.__get__(UserModel.objects)
             user = backend.authenticate(request, **credentials)
         except PermissionDenied:
             # This backend says to stop in our tracks - this user should not be allowed in at all.
             break
         except OnlyAllowExistUserAuthError:
-            request.error_message = _(
-                '''The administrator has enabled "Only allow existing users to log in", 
-                and the current user is not in the user list. Please contact the administrator.'''
-            )
+            if request:
+                request.error_message = _(
+                    '''The administrator has enabled "Only allow existing users to log in", 
+                    and the current user is not in the user list. Please contact the administrator.'''
+                )
             continue
-        finally:
-            UserModel.objects.get_or_create = original_get_or_create
+        
         if user is None:
             continue
 
         if not user.is_valid:
             temp_user = user
             temp_user.backend = backend_path
-            request.error_message = _('User is invalid')
+            if request:
+                request.error_message = _('User is invalid')
             return temp_user
 
         # 检查用户是否允许认证
@@ -129,8 +191,11 @@ def authenticate(request=None, **credentials):
     else:
         if temp_user is not None:
             source_display = temp_user.source_display
-            request.error_message = _('''The administrator has enabled 'Only allow login from user source'. 
-            The current user source is {}. Please contact the administrator.''').format(source_display)
+            if request:
+                request.error_message = _(
+                    ''' The administrator has enabled 'Only allow login from user source'. 
+                    The current user source is {}. Please contact the administrator. '''
+                ).format(source_display)
             return temp_user
 
     # The credentials supplied are invalid to all backends, fire signal
@@ -228,7 +293,8 @@ class AuthPreCheckMixin:
         if not settings.ONLY_ALLOW_EXIST_USER_AUTH:
             return
 
-        exist = User.objects.filter(username=username).exists()
+        q = Q(username=username) | Q(email=username)
+        exist = User.objects.filter(q).exists()
         if not exist:
             logger.error(f"Only allow exist user auth, login failed: {username}")
             self.raise_credential_error(errors.reason_user_not_exist)

apps/authentication/serializers/token.py

@@ -9,11 +9,12 @@ from common.utils import get_object_or_none, random_string
 from users.models import User
 from users.serializers import UserProfileSerializer
 from ..models import AccessKey, TempToken
+from oauth2_provider.models import get_access_token_model
 
 __all__ = [
     'AccessKeySerializer', 'BearerTokenSerializer',
     'SSOTokenSerializer', 'TempTokenSerializer',
-    'AccessKeyCreateSerializer'
+    'AccessKeyCreateSerializer', 'AccessTokenSerializer',
 ]
 
 
@@ -114,3 +115,28 @@ class TempTokenSerializer(serializers.ModelSerializer):
         token = TempToken(**kwargs)
         token.save()
         return token
+
+
+class AccessTokenSerializer(serializers.ModelSerializer):
+    token_preview = serializers.SerializerMethodField(label=_("Token"))
+
+    class Meta:
+        model = get_access_token_model()
+        fields = [
+            'id', 'user', 'token_preview', 'is_valid',
+            'is_expired', 'expires', 'scope', 'created', 'updated',
+        ]
+        read_only_fields = fields
+        extra_kwargs = {
+            'scope': { 'label': _('Scope') },
+            'expires': { 'label': _('Date expired') },
+            'updated': { 'label': _('Date updated') },
+            'created': { 'label': _('Date created') },
+        }
+
+
+    def get_token_preview(self, obj):
+        token_string = obj.token
+        if len(token_string) > 16: 
+            return f"{token_string[:6]}...{token_string[-4:]}"
+        return "****"

apps/authentication/tasks.py

@@ -47,3 +47,9 @@ def clean_expire_token():
         count = TempToken.objects.filter(date_expired__lt=expired_time).delete()
         logging.info('Deleted %d temporary tokens.', count[0])
     logging.info('Cleaned expired temporary and connection tokens.')
+
+
+@register_as_period_task(crontab=CRONTAB_AT_AM_TWO)
+def clear_oauth2_provider_expired_tokens():
+    from oauth2_provider.models import clear_expired
+    clear_expired()

apps/authentication/urls/api_urls.py

@@ -16,6 +16,7 @@ router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'supe
 router.register('admin-connection-token', api.AdminConnectionTokenViewSet, 'admin-connection-token')
 router.register('confirm', api.UserConfirmationViewSet, 'confirm')
 router.register('ssh-key', api.SSHkeyViewSet, 'ssh-key')
+router.register('access-tokens', api.AccessTokenViewSet, 'access-token')
 
 urlpatterns = [
     path('<str:backend>/qr/unbind/', api.QRUnBindForUserApi.as_view(), name='qr-unbind'),

apps/authentication/urls/view_urls.py

@@ -83,4 +83,6 @@ urlpatterns = [
     path('oauth2/', include(('authentication.backends.oauth2.urls', 'authentication'), namespace='oauth2')),
 
     path('captcha/', include('captcha.urls')),
+
+    path('oauth2-provider/', include(('authentication.backends.oauth2_provider.urls', 'authentication'), namespace='oauth2-provider'))
 ]

apps/authentication/views/base.py

@@ -46,6 +46,15 @@ class BaseLoginCallbackView(AuthMixin, FlashMessageMixin, IMClientMixin, View):
     def verify_state(self):
         raise NotImplementedError
 
+    def get_next_url(self, request):
+        """
+        Get next url for redirect after authentication.
+        
+        Note: This method can be overridden in subclasses, but DO NOT DELETE.
+        Subclasses may rely on this interface for customizing redirect behavior.
+        """
+        pass
+
     def create_user_if_not_exist(self, user_id, **kwargs):
         user = None
         user_attr = self.client.get_user_detail(user_id, **kwargs)
@@ -112,6 +121,11 @@ class BaseLoginCallbackView(AuthMixin, FlashMessageMixin, IMClientMixin, View):
 
         if redirect_url and 'next=client' in redirect_url:
             self.request.META['QUERY_STRING'] += '&next=client'
+        
+        next_url = self.get_next_url(request)
+        if next_url:
+            # guard view 需要用到 session 中的 next 参数
+            request.session['next'] = next_url
         return self.redirect_to_guard_view()
 
 

apps/authentication/views/wecom.py

@@ -119,14 +119,15 @@ class WeComQRLoginView(WeComQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self, request: HttpRequest):
-        redirect_url = request.GET.get('redirect_url') or reverse('index')
+
         next_url = self.get_next_url_from_meta() or reverse('index')
         next_url = safe_next_url(next_url, request=request)
+        # 当 next_url 包含 redirect_uri 到非本站点时(如 jms://)会触发企业微信的 waf 501 错误，因此需要存储在 session 中，然后在callback 中获取
+        wecom_tool.set_next_url_in_session(request, next_url)
+
+        redirect_url = request.GET.get('redirect_url') or reverse('index')
         redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({
-            'redirect_url': redirect_url,
-            'next': next_url,
-        })
+        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
 
         url = self.get_qr_url(redirect_uri)
         return HttpResponseRedirect(url)
@@ -144,6 +145,10 @@ class WeComQRLoginCallbackView(WeComQRMixin, BaseLoginCallbackView):
     msg_user_not_bound_err = _('WeCom is not bound')
     msg_not_found_user_from_client_err = _('Failed to get user from WeCom')
 
+    def get_next_url(self, request):
+        next_url = wecom_tool.get_next_url_from_session(request)
+        return next_url
+
 
 class WeComOAuthLoginView(WeComOAuthMixin, View):
     permission_classes = (AllowAny,)

apps/common/drf/renders/base.py

@@ -183,6 +183,7 @@ class BaseFileRenderer(LogMixin, BaseRenderer):
         for item in data:
             row = []
             for field in render_fields:
+                field._row = item
                 value = item.get(field.field_name)
                 value = self.render_value(field, value)
                 row.append(value)

apps/common/sdk/im/wecom/__init__.py

@@ -192,6 +192,7 @@ class WeCom(RequestMixin):
 class WeComTool(object):
     WECOM_STATE_SESSION_KEY = '_wecom_state'
     WECOM_STATE_VALUE = 'wecom'
+    WECOM_STATE_NEXT_URL_KEY = 'wecom_oauth_next_url'
 
     @lazyproperty
     def qr_cb_url(self):
@@ -220,5 +221,11 @@ class WeComTool(object):
         }
         return URL.OAUTH_CONNECT + '?' + urlencode(params) + '#wechat_redirect'
 
+    def set_next_url_in_session(self, request, next_url):
+        request.session[self.WECOM_STATE_NEXT_URL_KEY] = next_url
+
+    def get_next_url_from_session(self, request):
+        return request.session.get(self.WECOM_STATE_NEXT_URL_KEY)
+
 
 wecom_tool = WeComTool()

apps/i18n/lina/en.json

@@ -280,7 +280,8 @@
     "CACertificate": "Ca certificate",
     "CAS": "CAS",
     "CMPP2": "Cmpp v2.0",
-    "CTYunPrivate": "eCloud Private Cloud",
+    "CTYun": "State Cloud",
+    "CTYunPrivate": "State Cloud(Private)",
     "CalculationResults": "Error in cron expression",
     "CallRecords": "Call Records",
     "CanDragSelect": "Select by dragging; Empty means all selected",
@@ -1634,5 +1635,8 @@
     "selectedAssets": "Selected assets",
     "setVariable": "Set variable",
     "userId": "User ID",
-    "userName": "User name"
-}
+    "userName": "User name",
+    "AccessToken": "Access tokens",
+    "AccessTokenTip": "Access Token is a temporary credential generated through the OAuth2 (Authorization Code Grant) flow using the JumpServer client, which is used to access protected resources.",
+    "Revoke": "Revoke"
+}

apps/i18n/lina/zh.json

@@ -279,6 +279,7 @@
     "CACertificate": "CA 证书",
     "CAS": "CAS",
     "CMPP2": "CMPP v2.0",
+    "CTYun": "天翼云",
     "CTYunPrivate": "天翼私有云",
     "CalculationResults": "cron 表达式错误",
     "CallRecords": "调用记录",
@@ -1644,5 +1645,8 @@
     "userId": "用户ID",
     "userName": "用户名",
     "Risk": "风险",
-    "selectFiles": "已选择选择{number}文件"
-}
+    "selectFiles": "已选择选择{number}文件",
+    "AccessToken": "访问令牌",
+    "AccessTokenTip": "访问令牌是通过 JumpServer 客户端使用 OAuth2（授权码授权）流程生成的临时凭证，用于访问受保护的资源。",
+    "Revoke": "撤销"
+}

apps/jumpserver/conf.py

@@ -381,7 +381,6 @@ class Config(dict):
         'CAS_USERNAME_ATTRIBUTE': 'cas:user',
         'CAS_APPLY_ATTRIBUTES_TO_USER': False,
         'CAS_RENAME_ATTRIBUTES': {'cas:user': 'username'},
-        'CAS_CREATE_USER': True,
         'CAS_ORG_IDS': [DEFAULT_ID],
 
         'AUTH_SSO': False,
@@ -692,9 +691,9 @@ class Config(dict):
         'FTP_FILE_MAX_STORE': 0,
 
         # API 分页
-        'MAX_LIMIT_PER_PAGE': 10000, # 给导出用
+        'MAX_LIMIT_PER_PAGE': 10000,  # 给导出用
         'MAX_PAGE_SIZE': 1000,
-        'DEFAULT_PAGE_SIZE': 200, # 给没有请求分页的用
+        'DEFAULT_PAGE_SIZE': 200,  # 给没有请求分页的用
 
         'LIMIT_SUPER_PRIV': False,
 
@@ -735,6 +734,10 @@ class Config(dict):
 
         # MCP
         'MCP_ENABLED': False,
+
+        # oauth2_provider settings 
+        'OAUTH2_PROVIDER_ACCESS_TOKEN_EXPIRE_SECONDS': 60 * 60,
+        'OAUTH2_PROVIDER_REFRESH_TOKEN_EXPIRE_SECONDS': 60 * 60 * 24 * 7,
     }
 
     old_config_map = {

apps/jumpserver/middleware.py

@@ -151,8 +151,13 @@ class SafeRedirectMiddleware:
 
         if not (300 <= response.status_code < 400):
             return response
-        if request.resolver_match and request.resolver_match.namespace.startswith('authentication'):
-            # 认证相关的路由跳过验证（core/auth/xxxx
+        if (
+            request.resolver_match and 
+            request.resolver_match.namespace.startswith('authentication') and 
+            not request.resolver_match.namespace.startswith('authentication:oauth2-provider')
+        ):
+            # 认证相关的路由跳过验证 /core/auth/..., 
+            # 但 oauth2-provider 除外, 因为它会重定向到第三方客户端, 希望给出更友好的提示
             return response
         location = response.get('Location')
         if not location:

apps/jumpserver/settings/auth.py

@@ -159,7 +159,7 @@ CAS_CHECK_NEXT = lambda _next_page: True
 CAS_USERNAME_ATTRIBUTE = CONFIG.CAS_USERNAME_ATTRIBUTE
 CAS_APPLY_ATTRIBUTES_TO_USER = CONFIG.CAS_APPLY_ATTRIBUTES_TO_USER
 CAS_RENAME_ATTRIBUTES = CONFIG.CAS_RENAME_ATTRIBUTES
-CAS_CREATE_USER = CONFIG.CAS_CREATE_USER
+CAS_CREATE_USER = True
 
 # SSO auth
 AUTH_SSO = CONFIG.AUTH_SSO

apps/jumpserver/settings/base.py

@@ -130,6 +130,7 @@ INSTALLED_APPS = [
     'settings.apps.SettingsConfig',
     'terminal.apps.TerminalConfig',
     'audits.apps.AuditsConfig',
+    'oauth2_provider',
     'authentication.apps.AuthenticationConfig',  # authentication
     'tickets.apps.TicketsConfig',
     'acls.apps.AclsConfig',

apps/jumpserver/settings/libs.py

@@ -30,6 +30,7 @@ REST_FRAMEWORK = {
     ),
     'DEFAULT_AUTHENTICATION_CLASSES': (
         # 'rest_framework.authentication.BasicAuthentication',
+        "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
         'authentication.backends.drf.AccessTokenAuthentication',
         'authentication.backends.drf.PrivateTokenAuthentication',
         'authentication.backends.drf.ServiceAuthentication',
@@ -222,3 +223,13 @@ PIICO_DRIVER_PATH = CONFIG.PIICO_DRIVER_PATH
 LEAK_PASSWORD_DB_PATH = CONFIG.LEAK_PASSWORD_DB_PATH
 
 JUMPSERVER_UPTIME = int(time.time())
+
+# OAuth2 Provider settings
+OAUTH2_PROVIDER = {
+    'ALLOWED_REDIRECT_URI_SCHEMES': ['https', 'jms'],
+    'PKCE_REQUIRED': True,
+    'ACCESS_TOKEN_EXPIRE_SECONDS': CONFIG.OAUTH2_PROVIDER_ACCESS_TOKEN_EXPIRE_SECONDS,
+    'REFRESH_TOKEN_EXPIRE_SECONDS': CONFIG.OAUTH2_PROVIDER_REFRESH_TOKEN_EXPIRE_SECONDS,
+}
+OAUTH2_PROVIDER_CLIENT_REDIRECT_URI = 'jms://auth/callback'
+OAUTH2_PROVIDER_JUMPSERVER_CLIENT_NAME = 'JumpServer Client'

apps/jumpserver/views/other.py

@@ -148,6 +148,6 @@ class RedirectConfirm(TemplateView):
         parsed = urlparse(url)
         if not parsed.scheme or not parsed.netloc:
             return False
-        if parsed.scheme not in ['http', 'https']:
+        if parsed.scheme not in ['http', 'https', 'jms']:
             return False
         return True

apps/rbac/const.py

@@ -133,6 +133,11 @@ exclude_permissions = (
     ('terminal', 'session', 'delete,change', 'command'),
     ('applications', '*', '*', '*'),
     ('settings', 'chatprompt', 'add,delete,change', 'chatprompt'),
+    ('oauth2_provider', 'grant', '*', '*'),
+    ('oauth2_provider', 'refreshtoken', '*', '*'),
+    ('oauth2_provider', 'idtoken', '*', '*'),
+    ('oauth2_provider', 'application', '*', '*'),
+    ('oauth2_provider', 'accesstoken', 'add,change', 'accesstoken')
 )
 
 only_system_permissions = (
@@ -160,6 +165,7 @@ only_system_permissions = (
     ('authentication', 'temptoken', '*', '*'),
     ('authentication', 'passkey', '*', '*'),
     ('authentication', 'ssotoken', '*', '*'),
+    ('oauth2_provider', 'accesstoken', '*', '*'),
     ('tickets', '*', '*', '*'),
     ('orgs', 'organization', 'view', 'rootorg'),
     ('terminal', 'applet', '*', '*'),

apps/rbac/tree.py

@@ -129,6 +129,7 @@ special_pid_mapper = {
     "rbac.view_systemtools": "view_workbench",
     'tickets.view_ticket': 'tickets',
     "audits.joblog": "job_audit",
+    'oauth2_provider.accesstoken': 'authentication',
 }
 
 special_setting_pid_mapper = {
@@ -184,6 +185,8 @@ verbose_name_mapper = {
     'tickets.view_ticket': _("Ticket"),
     'settings.setting': _("Common setting"),
     'rbac.view_permission': _('View permission tree'),
+    'authentication.passkey': _("Passkey"),
+    'oauth2_provider.accesstoken': _("Access token"),
 }
 
 xpack_nodes = [

apps/settings/serializers/auth/cas.py

@@ -37,11 +37,4 @@ class CASSettingSerializer(serializers.Serializer):
             "and the `value` is the JumpServer user attribute name"
         )
     )
-    CAS_CREATE_USER = serializers.BooleanField(
-        required=False, label=_('Create user'),
-        help_text=_(
-            'After successful user authentication, if the user does not exist, '
-            'automatically create the user'
-        )
-    )
-    CAS_ORG_IDS = OrgListField()
+    CAS_ORG_IDS = OrgListField()

apps/settings/utils/ldap.py

@@ -524,13 +524,16 @@ class LDAPTestUtil(object):
     # test server uri
 
     def _check_server_uri(self):
-        if not any([self.config.server_uri.startswith('ldap://') or
-                    self.config.server_uri.startswith('ldaps://')]):
+        if not (self.config.server_uri.startswith('ldap://') or
+                self.config.server_uri.startswith('ldaps://')):
             err = _('ldap:// or ldaps:// protocol is used.')
             raise LDAPInvalidServerError(err)
 
     def _test_server_uri(self):
-        self._test_connection_bind()
+        # 这里测试 server uri 是否能连通, 不进行 bind 操作, 不需要传入 bind dn 和密码
+        server = Server(self.config.server_uri, use_ssl=self.config.use_ssl)
+        connection = Connection(server)
+        connection.open()
 
     def test_server_uri(self):
         try:

jms

@@ -132,6 +132,13 @@ def install_builtin_applets():
         logging.error("Install builtin applets err: {}".format(e))
 
 
+def init_oauth2_provider():
+    logging.info("Initialize OAuth2 Provider")
+    try:
+        management.call_command('init_oauth2_provider', verbosity=0)
+    except Exception as e:
+        logging.error("Initialize OAuth2 Provider err: {}".format(e))
+
 def upgrade_db():
     collect_static()
     perform_db_migrate()
@@ -143,6 +150,7 @@ def prepare():
     expire_caches()
     download_ip_db()
     install_builtin_applets()
+    init_oauth2_provider()
 
 
 def start_services():

pyproject.toml

@@ -8,7 +8,7 @@ dependencies = [
     'aiofiles==23.1.0',
     'amqp==5.1.1',
     'ansible-core',
-    'ansible==7.1.0',
+    'ansible==12.2.0',
     'ansible-runner',
     'asn1crypto==1.5.1',
     'bcrypt==4.0.1',
@@ -84,7 +84,7 @@ dependencies = [
     'rest-condition==1.0.3',
     'drf-spectacular==0.28.0',
     'pillow==10.2.0',
-    'pytz==2023.3',
+    'pytz==2025.2',
     'django-proxy==1.2.2',
     'python-daemon==3.0.1',
     'eventlet==0.40.3',
@@ -152,6 +152,7 @@ dependencies = [
     'playwright==1.55.0',
     'pdf2image==1.17.0',
     'drf-spectacular-sidecar==2025.8.1',
+    "django-oauth-toolkit==2.4.0",
 ]
 
 [project.urls]

utils/delete_oauth2_provider_application.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+
+function delete_oauth2_provider_applications() {
+python3 ../apps/manage.py shell << EOF
+from oauth2_provider.models import *
+apps = Application.objects.all()
+apps.delete()
+print("OAuth2 Provider Applications deleted successfully!")
+EOF
+}
+
+delete_oauth2_provider_applications