providers/proxy: fix issuer for embedded outpost (#4480)
fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
c61529e4d4
commit
c11367553e
|
@ -70,19 +70,29 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
||||||
ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
|
ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
|
||||||
}
|
}
|
||||||
|
|
||||||
var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
|
|
||||||
ClientID: *p.ClientId,
|
|
||||||
SupportedSigningAlgs: []string{"RS256", "HS256"},
|
|
||||||
})
|
|
||||||
|
|
||||||
redirectUri, _ := url.Parse(p.ExternalHost)
|
redirectUri, _ := url.Parse(p.ExternalHost)
|
||||||
redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
|
redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
|
||||||
redirectUri.RawQuery = url.Values{
|
redirectUri.RawQuery = url.Values{
|
||||||
CallbackSignature: []string{"true"},
|
CallbackSignature: []string{"true"},
|
||||||
}.Encode()
|
}.Encode()
|
||||||
|
|
||||||
|
managed := false
|
||||||
|
if ak.Outpost.Managed.IsSet() {
|
||||||
|
m := *ak.Outpost.Managed.Get()
|
||||||
|
managed = m == "goauthentik.io/outposts/embedded"
|
||||||
|
}
|
||||||
// Configure an OpenID Connect aware OAuth2 client.
|
// Configure an OpenID Connect aware OAuth2 client.
|
||||||
endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
|
endpoint := GetOIDCEndpoint(
|
||||||
|
p,
|
||||||
|
ak.Outpost.Config["authentik_host"].(string),
|
||||||
|
managed,
|
||||||
|
)
|
||||||
|
|
||||||
|
verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
|
||||||
|
ClientID: *p.ClientId,
|
||||||
|
SupportedSigningAlgs: []string{"RS256", "HS256"},
|
||||||
|
})
|
||||||
|
|
||||||
oauth2Config := oauth2.Config{
|
oauth2Config := oauth2.Config{
|
||||||
ClientID: *p.ClientId,
|
ClientID: *p.ClientId,
|
||||||
ClientSecret: *p.ClientSecret,
|
ClientSecret: *p.ClientSecret,
|
||||||
|
|
|
@ -15,11 +15,23 @@ type OIDCEndpoint struct {
|
||||||
TokenIntrospection string
|
TokenIntrospection string
|
||||||
EndSessionEndpoint string
|
EndSessionEndpoint string
|
||||||
JwksUri string
|
JwksUri string
|
||||||
|
Issuer string
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
|
func updateURL(rawUrl string, scheme string, host string) string {
|
||||||
|
u, err := url.Parse(rawUrl)
|
||||||
|
if err != nil {
|
||||||
|
return rawUrl
|
||||||
|
}
|
||||||
|
u.Host = host
|
||||||
|
u.Scheme = scheme
|
||||||
|
return u.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
|
||||||
authUrl := p.OidcConfiguration.AuthorizationEndpoint
|
authUrl := p.OidcConfiguration.AuthorizationEndpoint
|
||||||
endUrl := p.OidcConfiguration.EndSessionEndpoint
|
endUrl := p.OidcConfiguration.EndSessionEndpoint
|
||||||
|
tokenUrl := p.OidcConfiguration.TokenEndpoint
|
||||||
jwksUrl := p.OidcConfiguration.JwksUri
|
jwksUrl := p.OidcConfiguration.JwksUri
|
||||||
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
|
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
|
||||||
host := os.Getenv("AUTHENTIK_HOST")
|
host := os.Getenv("AUTHENTIK_HOST")
|
||||||
|
@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
|
||||||
ep := OIDCEndpoint{
|
ep := OIDCEndpoint{
|
||||||
Endpoint: oauth2.Endpoint{
|
Endpoint: oauth2.Endpoint{
|
||||||
AuthURL: authUrl,
|
AuthURL: authUrl,
|
||||||
TokenURL: p.OidcConfiguration.TokenEndpoint,
|
TokenURL: tokenUrl,
|
||||||
AuthStyle: oauth2.AuthStyleInParams,
|
AuthStyle: oauth2.AuthStyleInParams,
|
||||||
},
|
},
|
||||||
EndSessionEndpoint: endUrl,
|
EndSessionEndpoint: endUrl,
|
||||||
JwksUri: jwksUrl,
|
JwksUri: jwksUrl,
|
||||||
TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
|
TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
|
||||||
|
Issuer: p.OidcConfiguration.Issuer,
|
||||||
}
|
}
|
||||||
authU, err := url.Parse(authUrl)
|
if !embedded {
|
||||||
if err != nil {
|
|
||||||
return ep
|
|
||||||
}
|
|
||||||
endU, err := url.Parse(endUrl)
|
|
||||||
if err != nil {
|
|
||||||
return ep
|
|
||||||
}
|
|
||||||
jwksU, err := url.Parse(jwksUrl)
|
|
||||||
if err != nil {
|
|
||||||
return ep
|
|
||||||
}
|
|
||||||
if authU.Host != "localhost:8000" {
|
|
||||||
return ep
|
return ep
|
||||||
}
|
}
|
||||||
if authentikHost == "" {
|
if authentikHost == "" {
|
||||||
|
@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ep
|
return ep
|
||||||
}
|
}
|
||||||
authU.Host = aku.Host
|
ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
|
||||||
authU.Scheme = aku.Scheme
|
ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
|
||||||
endU.Host = aku.Host
|
ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
|
||||||
endU.Scheme = aku.Scheme
|
ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
|
||||||
jwksU.Host = aku.Host
|
ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
|
||||||
jwksU.Scheme = aku.Scheme
|
|
||||||
ep.AuthURL = authU.String()
|
|
||||||
ep.EndSessionEndpoint = endU.String()
|
|
||||||
ep.JwksUri = jwksU.String()
|
|
||||||
return ep
|
return ep
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue