providers/proxy: fix issuer for embedded outpost (#4480)

fix issuer for embedded outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-01-19 15:39:30 +01:00 committed by GitHub
parent c61529e4d4
commit c11367553e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 37 additions and 30 deletions

View file

@ -70,19 +70,29 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri) ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
} }
var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
ClientID: *p.ClientId,
SupportedSigningAlgs: []string{"RS256", "HS256"},
})
redirectUri, _ := url.Parse(p.ExternalHost) redirectUri, _ := url.Parse(p.ExternalHost)
redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback") redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
redirectUri.RawQuery = url.Values{ redirectUri.RawQuery = url.Values{
CallbackSignature: []string{"true"}, CallbackSignature: []string{"true"},
}.Encode() }.Encode()
managed := false
if ak.Outpost.Managed.IsSet() {
m := *ak.Outpost.Managed.Get()
managed = m == "goauthentik.io/outposts/embedded"
}
// Configure an OpenID Connect aware OAuth2 client. // Configure an OpenID Connect aware OAuth2 client.
endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string)) endpoint := GetOIDCEndpoint(
p,
ak.Outpost.Config["authentik_host"].(string),
managed,
)
verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
ClientID: *p.ClientId,
SupportedSigningAlgs: []string{"RS256", "HS256"},
})
oauth2Config := oauth2.Config{ oauth2Config := oauth2.Config{
ClientID: *p.ClientId, ClientID: *p.ClientId,
ClientSecret: *p.ClientSecret, ClientSecret: *p.ClientSecret,

View file

@ -15,11 +15,23 @@ type OIDCEndpoint struct {
TokenIntrospection string TokenIntrospection string
EndSessionEndpoint string EndSessionEndpoint string
JwksUri string JwksUri string
Issuer string
} }
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint { func updateURL(rawUrl string, scheme string, host string) string {
u, err := url.Parse(rawUrl)
if err != nil {
return rawUrl
}
u.Host = host
u.Scheme = scheme
return u.String()
}
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
authUrl := p.OidcConfiguration.AuthorizationEndpoint authUrl := p.OidcConfiguration.AuthorizationEndpoint
endUrl := p.OidcConfiguration.EndSessionEndpoint endUrl := p.OidcConfiguration.EndSessionEndpoint
tokenUrl := p.OidcConfiguration.TokenEndpoint
jwksUrl := p.OidcConfiguration.JwksUri jwksUrl := p.OidcConfiguration.JwksUri
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" { if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
host := os.Getenv("AUTHENTIK_HOST") host := os.Getenv("AUTHENTIK_HOST")
@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
ep := OIDCEndpoint{ ep := OIDCEndpoint{
Endpoint: oauth2.Endpoint{ Endpoint: oauth2.Endpoint{
AuthURL: authUrl, AuthURL: authUrl,
TokenURL: p.OidcConfiguration.TokenEndpoint, TokenURL: tokenUrl,
AuthStyle: oauth2.AuthStyleInParams, AuthStyle: oauth2.AuthStyleInParams,
}, },
EndSessionEndpoint: endUrl, EndSessionEndpoint: endUrl,
JwksUri: jwksUrl, JwksUri: jwksUrl,
TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint, TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
Issuer: p.OidcConfiguration.Issuer,
} }
authU, err := url.Parse(authUrl) if !embedded {
if err != nil {
return ep
}
endU, err := url.Parse(endUrl)
if err != nil {
return ep
}
jwksU, err := url.Parse(jwksUrl)
if err != nil {
return ep
}
if authU.Host != "localhost:8000" {
return ep return ep
} }
if authentikHost == "" { if authentikHost == "" {
@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
if err != nil { if err != nil {
return ep return ep
} }
authU.Host = aku.Host ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
authU.Scheme = aku.Scheme ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
endU.Host = aku.Host ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
endU.Scheme = aku.Scheme ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
jwksU.Host = aku.Host ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
jwksU.Scheme = aku.Scheme
ep.AuthURL = authU.String()
ep.EndSessionEndpoint = endU.String()
ep.JwksUri = jwksU.String()
return ep return ep
} }