authentik/internal/outpost/proxyv2/application/endpoint.go

package application

import (
	"net/url"
	"os"
	"strings"

	log "github.com/sirupsen/logrus"
	"goauthentik.io/api/v3"
	"golang.org/x/oauth2"
)

type OIDCEndpoint struct {
	oauth2.Endpoint
	TokenIntrospection string
	EndSessionEndpoint string
	JwksUri            string
	Issuer             string
}

func updateURL(rawUrl string, scheme string, host string) string {
	u, err := url.Parse(rawUrl)
	if err != nil {
		return rawUrl
	}
	u.Host = host
	u.Scheme = scheme
	return u.String()
}

func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
	authUrl := p.OidcConfiguration.AuthorizationEndpoint
	endUrl := p.OidcConfiguration.EndSessionEndpoint
	tokenUrl := p.OidcConfiguration.TokenEndpoint
	jwksUrl := p.OidcConfiguration.JwksUri
	if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
		host := os.Getenv("AUTHENTIK_HOST")
		authUrl = strings.ReplaceAll(authUrl, host, browserHost)
		endUrl = strings.ReplaceAll(endUrl, host, browserHost)
		jwksUrl = strings.ReplaceAll(jwksUrl, host, browserHost)
	}
	ep := OIDCEndpoint{
		Endpoint: oauth2.Endpoint{
			AuthURL:   authUrl,
			TokenURL:  tokenUrl,
			AuthStyle: oauth2.AuthStyleInParams,
		},
		EndSessionEndpoint: endUrl,
		JwksUri:            jwksUrl,
		TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
		Issuer:             p.OidcConfiguration.Issuer,
	}
	if !embedded {
		return ep
	}
	if authentikHost == "" {
		log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.")
		return ep
	}
	aku, err := url.Parse(authentikHost)
	if err != nil {
		return ep
	}
	ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
	ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
	ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
	ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
	return ep
}
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`package application`

			`import (`
			`"net/url"`
			`"os"`
			`"strings"`

			`log "github.com/sirupsen/logrus"`
internal: bump api client to v3 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-03-03 09:40:07 +00:00			`"goauthentik.io/api/v3"`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`"golang.org/x/oauth2"`
			`)`

			`type OIDCEndpoint struct {`
			`oauth2.Endpoint`
providers/proxy: add initial header token auth (#4421) * initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-13 15:22:03 +00:00			`TokenIntrospection string`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`EndSessionEndpoint string`
outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-01-21 12:29:51 +00:00			`JwksUri string`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`Issuer string`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`}`

providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`func updateURL(rawUrl string, scheme string, host string) string {`
			`u, err := url.Parse(rawUrl)`
			`if err != nil {`
			`return rawUrl`
			`}`
			`u.Host = host`
			`u.Scheme = scheme`
			`return u.String()`
			`}`

			`func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`authUrl := p.OidcConfiguration.AuthorizationEndpoint`
			`endUrl := p.OidcConfiguration.EndSessionEndpoint`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`tokenUrl := p.OidcConfiguration.TokenEndpoint`
outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-01-21 12:29:51 +00:00			`jwksUrl := p.OidcConfiguration.JwksUri`
outposts: make AUTHENTIK_HOST_BROWSER configurable from central config closes #1471 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-26 10:00:51 +00:00			`if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`host := os.Getenv("AUTHENTIK_HOST")`
			`authUrl = strings.ReplaceAll(authUrl, host, browserHost)`
			`endUrl = strings.ReplaceAll(endUrl, host, browserHost)`
outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-01-21 12:29:51 +00:00			`jwksUrl = strings.ReplaceAll(jwksUrl, host, browserHost)`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`}`
			`ep := OIDCEndpoint{`
			`Endpoint: oauth2.Endpoint{`
			`AuthURL: authUrl,`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`TokenURL: tokenUrl,`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`AuthStyle: oauth2.AuthStyleInParams,`
			`},`
			`EndSessionEndpoint: endUrl,`
outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-01-21 12:29:51 +00:00			`JwksUri: jwksUrl,`
outposts/proxy: fix proxy's TokenIntrospection potentially not being set Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-14 19:54:34 +00:00			`TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`Issuer: p.OidcConfiguration.Issuer,`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`}`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`if !embedded {`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`return ep`
			`}`
			`if authentikHost == "" {`
			`log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.")`
			`return ep`
			`}`
			`aku, err := url.Parse(authentikHost)`
			`if err != nil {`
			`return ep`
			`}`
providers/proxy: fix issuer for embedded outpost (#4480) fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-19 14:39:30 +00:00			`ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)`
			`ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)`
			`ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)`
			`ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)`
outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-09-09 09:00:58 +00:00			`return ep`
			`}`