outposts/proxy: fix error handling, remove requirement for profile/etc scopes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
829e49275d
commit
4c45d35507
|
@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
|||
}
|
||||
a.sessions = a.getStore(p, externalHost)
|
||||
mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
|
||||
s, err := a.sessions.Get(r, constants.SessionName)
|
||||
if err != nil {
|
||||
return l
|
||||
}
|
||||
claims, ok := s.Values[constants.SessionClaims]
|
||||
if claims == nil || !ok {
|
||||
return l
|
||||
}
|
||||
c, ok := claims.(Claims)
|
||||
if !ok {
|
||||
c := a.getClaimsFromSession(r)
|
||||
if c == nil {
|
||||
return l
|
||||
}
|
||||
if c.PreferredUsername != "" {
|
||||
return l.WithField("request_username", c.PreferredUsername)
|
||||
}
|
||||
return l.WithField("request_username", c.Sub)
|
||||
}))
|
||||
mux.Use(func(inner http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
c, _ := a.checkAuth(rw, r)
|
||||
c := a.getClaimsFromSession(r)
|
||||
user := ""
|
||||
if c != nil {
|
||||
user = c.PreferredUsername
|
||||
|
|
|
@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
|
|||
a.log.Warning("token is not active")
|
||||
return nil
|
||||
}
|
||||
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
|
||||
a.log.Error("token missing openid or profile scope")
|
||||
return nil
|
||||
}
|
||||
intro.RawToken = token
|
||||
a.log.Trace("successfully introspected bearer token")
|
||||
return &intro
|
||||
|
|
|
@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
|
|||
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
|
||||
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
|
||||
|
||||
if c.Proxy == nil {
|
||||
return
|
||||
}
|
||||
userAttributes := c.Proxy.UserAttributes
|
||||
// Attempt to set basic auth based on user's attributes
|
||||
if *a.proxyConfig.BasicAuthEnabled {
|
||||
|
|
|
@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
|
|||
rp.ErrorHandler = a.newProxyErrorHandler()
|
||||
rp.ModifyResponse = a.proxyModifyResponse
|
||||
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
defer func() {
|
||||
err := recover()
|
||||
if err == nil || err == http.ErrAbortHandler {
|
||||
return
|
||||
}
|
||||
log.WithError(err.(error)).Error("recover in reverse proxy")
|
||||
}()
|
||||
claims, err := a.checkAuth(rw, r)
|
||||
if claims == nil && a.IsAllowlisted(r.URL) {
|
||||
a.log.Trace("path can be accessed without authentication")
|
||||
|
@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
|
|||
}
|
||||
before := time.Now()
|
||||
rp.ServeHTTP(rw, r)
|
||||
defer func() {
|
||||
err := recover()
|
||||
if err == nil || err == http.ErrAbortHandler {
|
||||
return
|
||||
}
|
||||
log.WithError(err.(error)).Error("recover in reverse proxy")
|
||||
}()
|
||||
after := time.Since(before)
|
||||
|
||||
metrics.UpstreamTiming.With(prometheus.Labels{
|
||||
|
@ -68,9 +68,9 @@ func (a *Application) configureProxy() error {
|
|||
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
|
||||
return func(r *http.Request) {
|
||||
r.Header.Set("X-Forwarded-Host", r.Host)
|
||||
claims, _ := a.checkAuth(nil, r)
|
||||
r.URL.Scheme = ou.Scheme
|
||||
r.URL.Host = ou.Host
|
||||
claims := a.getClaimsFromSession(r)
|
||||
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
|
||||
u, err := url.Parse(claims.Proxy.BackendOverride)
|
||||
if err != nil {
|
||||
|
@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
|
|||
}
|
||||
|
||||
func (a *Application) proxyModifyResponse(res *http.Response) error {
|
||||
res.Header.Set("X-Powered-By", "authentik_proxy2")
|
||||
res.Header.Set("X-Powered-By", "goauthentik.io")
|
||||
return nil
|
||||
}
|
||||
|
|
Reference in New Issue