From c11367553e07e2762c0b4f9c5838119b9ecce96a Mon Sep 17 00:00:00 2001
From: Jens L
Date: Thu, 19 Jan 2023 15:39:30 +0100
Subject: [PATCH] providers/proxy: fix issuer for embedded outpost (#4480)

fix issuer for embedded outpost

Signed-off-by: Jens Langhammer
Signed-off-by: Jens Langhammer
---
 .../proxyv2/application/application.go | 22 ++++++---
 .../outpost/proxyv2/application/endpoint.go | 45 +++++++++----------
 2 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index 4c6402253..26aecbe61 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -70,19 +70,29 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
 }
 
- var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
- ClientID: *p.ClientId,
- SupportedSigningAlgs: []string{"RS256", "HS256"},
- })
-
 redirectUri, _ := url.Parse(p.ExternalHost)
 redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
 redirectUri.RawQuery = url.Values{
 CallbackSignature: []string{"true"},
 }.Encode()
 
+ managed := false
+ if ak.Outpost.Managed.IsSet() {
+ m := *ak.Outpost.Managed.Get()
+ managed = m == "goauthentik.io/outposts/embedded"
+ }
 // Configure an OpenID Connect aware OAuth2 client.
- endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
+ endpoint := GetOIDCEndpoint(
+ p,
+ ak.Outpost.Config["authentik_host"].(string),
+ managed,
+ )
+ verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
+ ClientID: *p.ClientId,
+ SupportedSigningAlgs: []string{"RS256", "HS256"},
+ })
+
 oauth2Config := oauth2.Config{
 ClientID: *p.ClientId,
 ClientSecret: *p.ClientSecret,
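Review bot: `m := *ak.Outpost.Managed.Get()` dereferences the result without a nil check; if `Managed` is a generated nullable field, `IsSet()` is also true when the API sent an explicit null and `Get()` then returns nil, so outpost start-up would panic on that line. Guarding the pointer keeps the result the same: `if v := ak.Outpost.Managed.Get(); v != nil {` / `managed = *v == "goauthentik.io/outposts/embedded"` / `}`, and that marker string would read better as a named constant. Worth confirming separately that the remote key set on the first context line is still built from `p.OidcConfiguration.JwksUri` while the verifier now checks `endpoint.Issuer`, so for an embedded outpost the keys and the issuer are taken from different hosts. NewApplication begins and ends outside this hunk.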
diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go
index 44b2713df..8c32a63fb 100644
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@@ -15,11 +15,23 @@ type OIDCEndpoint struct {
 TokenIntrospection string
 EndSessionEndpoint string
 JwksUri string
+ Issuer string
 }
 
-func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
+func updateURL(rawUrl string, scheme string, host string) string {
+ u, err := url.Parse(rawUrl)
+ if err != nil {
+ return rawUrl
+ }
+ u.Host = host
+ u.Scheme = scheme
+ return u.String()
+}
+
+func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
 authUrl := p.OidcConfiguration.AuthorizationEndpoint
 endUrl := p.OidcConfiguration.EndSessionEndpoint
+ tokenUrl := p.OidcConfiguration.TokenEndpoint
 jwksUrl := p.OidcConfiguration.JwksUri
 if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
 host := os.Getenv("AUTHENTIK_HOST")
@@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 ep := OIDCEndpoint{
 Endpoint: oauth2.Endpoint{
 AuthURL: authUrl,
- TokenURL: p.OidcConfiguration.TokenEndpoint,
+ TokenURL: tokenUrl,
 AuthStyle: oauth2.AuthStyleInParams,
 },
 EndSessionEndpoint: endUrl,
 JwksUri: jwksUrl,
 TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
+ Issuer: p.OidcConfiguration.Issuer,
 }
- authU, err := url.Parse(authUrl)
- if err != nil {
- return ep
- }
- endU, err := url.Parse(endUrl)
- if err != nil {
- return ep
- }
- jwksU, err := url.Parse(jwksUrl)
- if err != nil {
- return ep
- }
- if authU.Host != "localhost:8000" {
+ if !embedded {
 return ep
 }
 if authentikHost == "" {
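Review bot: `updateURL` swallows the `url.Parse` error and hands back `rawUrl` unchanged, which changes the failure mode at its call sites in the @@ -60 hunk: before this commit one unparsable endpoint left the whole `OIDCEndpoint` untouched, whereas now the remaining URLs are re-hosted on `authentikHost` while the broken one keeps its original host, so the issuer the verifier matches `iss` against and the endpoints the browser is sent to can disagree. Returning the error and bailing out at the first failure (`if err != nil { return ep }` per call, as the old code did) restores the all-or-nothing semantics; the rewrite below is the helper side of that, and the five calls in the @@ -60 hunk would adopt it. The parameter would also follow Go's initialism style as `rawURL`, and the helper has no doc comment.
```go
// updateURL returns rawURL with its scheme and host replaced, keeping path
// and query. The parse error is returned so callers can leave the endpoint
// set unchanged instead of ending up with a mix of hosts.
func updateURL(rawURL string, scheme string, host string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	u.Host = host
	u.Scheme = scheme
	return u.String(), nil
}
```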
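Review bot: `if !embedded { return ep }` replaces the former check on `authU.Host != "localhost:8000"`, so the host rewrite is now decided solely by the outpost's managed marker rather than by what the discovery document advertises; an embedded outpost whose OIDC configuration already carries a public host would now have every endpoint, including the issuer, overwritten with `authentikHost`. If that is the intended behaviour, `GetOIDCEndpoint` should state it in a doc comment, e.g. `// GetOIDCEndpoint builds the OIDC endpoint set from the outpost's discovery data; for the embedded outpost (embedded == true) every URL, including the issuer, is re-hosted on authentikHost.` GetOIDCEndpoint's signature is in the preceding hunk and its body continues in the next.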
@@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 if err != nil {
 return ep
 }
- authU.Host = aku.Host
- authU.Scheme = aku.Scheme
- endU.Host = aku.Host
- endU.Scheme = aku.Scheme
- jwksU.Host = aku.Host
- jwksU.Scheme = aku.Scheme
- ep.AuthURL = authU.String()
- ep.EndSessionEndpoint = endU.String()
- ep.JwksUri = jwksU.String()
+ ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
+ ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
+ ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
+ ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
+ ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
 return ep
 }
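Review bot: `ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)` is the string the verifier in application.go compares the token's `iss` claim against byte-for-byte, so the rewritten value has to equal exactly what the server writes into its tokens; a round-trip through `url.Parse`/`String()` can change percent-encoding in the issuer path, and any port present in `authentikHost` ends up in the issuer as well. A unit test that feeds a representative discovery document and `authentikHost` into `GetOIDCEndpoint` and asserts the resulting `Issuer` would pin that contract down. As a matter of style, the five calls repeat `aku.Scheme, aku.Host`; binding them once (`scheme, host := aku.Scheme, aku.Host`) keeps each line short. GetOIDCEndpoint begins outside this hunk.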