This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/internal/outpost/proxyv2/application/auth_bearer.go

63 lines
1.7 KiB
Go
Raw Normal View History

package application
import (
"encoding/json"
"net/http"
"net/url"
"strings"
)
func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
auth := r.Header.Get(HeaderAuthorization)
if auth == "" {
return ""
}
if len(auth) < len(AuthBearer) || !strings.EqualFold(auth[:len(AuthBearer)], AuthBearer) {
return ""
}
return auth[len(AuthBearer):]
}
type TokenIntrospectionResponse struct {
Claims
Scope string `json:"scope"`
Active bool `json:"active"`
ClientID string `json:"client_id"`
}
func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
values := url.Values{
"client_id": []string{a.oauthConfig.ClientID},
"client_secret": []string{a.oauthConfig.ClientSecret},
"token": []string{token},
}
req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
if err != nil {
a.log.WithError(err).Warning("failed to create introspection request")
return nil
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
res, err := a.httpClient.Do(req)
if err != nil || res.StatusCode > 200 {
a.log.WithError(err).Warning("failed to send introspection request")
return nil
}
intro := TokenIntrospectionResponse{}
err = json.NewDecoder(res.Body).Decode(&intro)
if err != nil {
a.log.WithError(err).Warning("failed to parse introspection response")
return nil
}
if !intro.Active {
a.log.Warning("token is not active")
return nil
}
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
a.log.Error("token missing openid or profile scope")
return nil
}
intro.RawToken = token
a.log.Trace("successfully introspected bearer token")
return &intro
}