outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-01-21 13:29:51 +01:00
parent dd8b579dd6
commit 9fc5ff4b77
2 changed files with 12 additions and 1 deletions


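--- a/<PATH-OF-FILE-1-not-on-page>
+++ b/<PATH-OF-FILE-1-not-on-page>
@@ -13,15 +13,18 @@ import (
 type OIDCEndpoint struct {
 	oauth2.Endpoint
 	EndSessionEndpoint string
+	JwksUri string
 }
 
 func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
 	authUrl := p.OidcConfiguration.AuthorizationEndpoint
 	endUrl := p.OidcConfiguration.EndSessionEndpoint
+	jwksUrl := p.OidcConfiguration.JwksUri
 	if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
 		host := os.Getenv("AUTHENTIK_HOST")
 		authUrl = strings.ReplaceAll(authUrl, host, browserHost)
 		endUrl = strings.ReplaceAll(endUrl, host, browserHost)
+		jwksUrl = strings.ReplaceAll(jwksUrl, host, browserHost)
 	}
 	ep := OIDCEndpoint{
 		Endpoint: oauth2.Endpoint{
@@ -30,6 +33,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 			AuthStyle: oauth2.AuthStyleInParams,
 		},
 		EndSessionEndpoint: endUrl,
+		JwksUri: jwksUrl,
 	}
 	authU, err := url.Parse(authUrl)
 	if err != nil {
@@ -39,6 +43,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	if err != nil {
 		return ep
 	}
+	jwksU, err := url.Parse(jwksUrl)
+	if err != nil {
+		return ep
+	}
 	if authU.Host != "localhost:8000" {
 		return ep
 	}
@@ -54,7 +62,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	authU.Scheme = aku.Scheme
 	endU.Host = aku.Host
 	endU.Scheme = aku.Scheme
+	jwksU.Host = aku.Host
+	jwksU.Scheme = aku.Scheme
 	ep.AuthURL = authU.String()
 	ep.EndSessionEndpoint = endU.String()
+	ep.JwksUri = jwksU.String()
 	return ep
 }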
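Review bot: The new `jwksU, err := url.Parse(jwksUrl)` block in the third hunk returns `ep` before the `authU.Host != "localhost:8000"` rewrite runs, so a JwksUri that does not parse now also leaves AuthURL and EndSessionEndpoint pointing at localhost, which the pre-change code did not do. Parsing the JWKS URL after the localhost check, or keeping its error separate from the auth/end-session handling, keeps the existing rewrite independent of the new field. The `jwksU.Host = aku.Host` rewrite in the last hunk is also gated only on the auth URL being localhost, which is fine if all three URLs always share a host but deserves a one-line comment saying so. The second file section shows this value being handed to the upstream in the `X-authentik-meta-jwks` header, so the AUTHENTIK_HOST_BROWSER substitution in the first hunk presumably relies on the upstream reaching authentik through the browser host; `// JWKS URL is consumed by the upstream application, not the browser; it must be reachable from there` would record that assumption. GetOIDCEndpoint's body is only partly visible across these hunks.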


@ -22,7 +22,7 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
headers.Set("X-authentik-jwt", c.RawToken) headers.Set("X-authentik-jwt", c.RawToken)
// System headers // System headers
headers.Set("X-authentik-meta-jwks", a.proxyConfig.OidcConfiguration.JwksUri) headers.Set("X-authentik-meta-jwks", a.endpint.JwksUri)
headers.Set("X-authentik-meta-outpost", a.outpostName) headers.Set("X-authentik-meta-outpost", a.outpostName)
headers.Set("X-authentik-meta-provider", a.proxyConfig.Name) headers.Set("X-authentik-meta-provider", a.proxyConfig.Name)
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug) headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
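Review bot: The changed line now reads `a.endpint.JwksUri`; if `endpint` is the real name of the Application field it is a misspelling of `endpoint` worth fixing in a follow-up, and if it is not, this line will not compile, so please confirm against the struct definition, which is outside this hunk. Since the value is no longer the raw discovery document but the host-rewritten one from GetOIDCEndpoint, a short comment would help the next reader: `// Use the rewritten endpoint so the upstream gets a JWKS URL it can reach, not the embedded localhost one`. addHeaders continues outside the hunk.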