providers/proxy: fix issuer for embedded outpost (#4480)
fix issuer for embedded outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
c61529e4d4
commit
c11367553e
|
@ -70,19 +70,29 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
|||
ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
|
||||
}
|
||||
|
||||
var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
|
||||
ClientID: *p.ClientId,
|
||||
SupportedSigningAlgs: []string{"RS256", "HS256"},
|
||||
})
|
||||
|
||||
redirectUri, _ := url.Parse(p.ExternalHost)
|
||||
redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
|
||||
redirectUri.RawQuery = url.Values{
|
||||
CallbackSignature: []string{"true"},
|
||||
}.Encode()
|
||||
|
||||
managed := false
|
||||
if ak.Outpost.Managed.IsSet() {
|
||||
m := *ak.Outpost.Managed.Get()
|
||||
managed = m == "goauthentik.io/outposts/embedded"
|
||||
}
|
||||
// Configure an OpenID Connect aware OAuth2 client.
|
||||
endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
|
||||
endpoint := GetOIDCEndpoint(
|
||||
p,
|
||||
ak.Outpost.Config["authentik_host"].(string),
|
||||
managed,
|
||||
)
|
||||
|
||||
verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
|
||||
ClientID: *p.ClientId,
|
||||
SupportedSigningAlgs: []string{"RS256", "HS256"},
|
||||
})
|
||||
|
||||
oauth2Config := oauth2.Config{
|
||||
ClientID: *p.ClientId,
|
||||
ClientSecret: *p.ClientSecret,
|
||||
|
|
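Review bot: The new `managed` block dereferences `*ak.Outpost.Managed.Get()` right after `IsSet()`; if `Managed` follows the generated nullable pattern, `IsSet()` is also true when the JSON field was present but null, and `Get()` then returns a nil pointer, so this line panics while starting the application. Guarding on the pointer instead of on `IsSet()` avoids that: `if m := ak.Outpost.Managed.Get(); m != nil {` / `managed = *m == "goauthentik.io/outposts/embedded"` / `}`. The literal `"goauthentik.io/outposts/embedded"` would also read better as a named constant with a comment saying it identifies the embedded outpost. NewApplication starts and ends outside this hunk, and the pre-existing unchecked assertion `ak.Outpost.Config["authentik_host"].(string)` is kept as is.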
|
@ -15,11 +15,23 @@ type OIDCEndpoint struct {
|
|||
TokenIntrospection string
|
||||
EndSessionEndpoint string
|
||||
JwksUri string
|
||||
Issuer string
|
||||
}
|
||||
|
||||
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
|
||||
func updateURL(rawUrl string, scheme string, host string) string {
|
||||
u, err := url.Parse(rawUrl)
|
||||
if err != nil {
|
||||
return rawUrl
|
||||
}
|
||||
u.Host = host
|
||||
u.Scheme = scheme
|
||||
return u.String()
|
||||
}
|
||||
|
||||
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
|
||||
authUrl := p.OidcConfiguration.AuthorizationEndpoint
|
||||
endUrl := p.OidcConfiguration.EndSessionEndpoint
|
||||
tokenUrl := p.OidcConfiguration.TokenEndpoint
|
||||
jwksUrl := p.OidcConfiguration.JwksUri
|
||||
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
|
||||
host := os.Getenv("AUTHENTIK_HOST")
|
||||
|
@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
|
|||
ep := OIDCEndpoint{
|
||||
Endpoint: oauth2.Endpoint{
|
||||
AuthURL: authUrl,
|
||||
TokenURL: p.OidcConfiguration.TokenEndpoint,
|
||||
TokenURL: tokenUrl,
|
||||
AuthStyle: oauth2.AuthStyleInParams,
|
||||
},
|
||||
EndSessionEndpoint: endUrl,
|
||||
JwksUri: jwksUrl,
|
||||
TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
|
||||
Issuer: p.OidcConfiguration.Issuer,
|
||||
}
|
||||
authU, err := url.Parse(authUrl)
|
||||
if err != nil {
|
||||
return ep
|
||||
}
|
||||
endU, err := url.Parse(endUrl)
|
||||
if err != nil {
|
||||
return ep
|
||||
}
|
||||
jwksU, err := url.Parse(jwksUrl)
|
||||
if err != nil {
|
||||
return ep
|
||||
}
|
||||
if authU.Host != "localhost:8000" {
|
||||
if !embedded {
|
||||
return ep
|
||||
}
|
||||
if authentikHost == "" {
|
||||
|
@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
|
|||
if err != nil {
|
||||
return ep
|
||||
}
|
||||
authU.Host = aku.Host
|
||||
authU.Scheme = aku.Scheme
|
||||
endU.Host = aku.Host
|
||||
endU.Scheme = aku.Scheme
|
||||
jwksU.Host = aku.Host
|
||||
jwksU.Scheme = aku.Scheme
|
||||
ep.AuthURL = authU.String()
|
||||
ep.EndSessionEndpoint = endU.String()
|
||||
ep.JwksUri = jwksU.String()
|
||||
ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
|
||||
ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
|
||||
ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
|
||||
ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
|
||||
ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
|
||||
return ep
|
||||
}
|
||||
|
|
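Review bot: The switch from the early-returning `url.Parse` calls to `updateURL` changes the failure mode of the embedded rewrite: before, any unparsable URL left `ep` untouched as a whole, whereas `updateURL` returns its input unchanged on a parse error, so the five assignments at the end of GetOIDCEndpoint can now produce a mixed endpoint whose issuer, JWKS and token URLs point at different hosts. That matters for the verifier built from `endpoint.Issuer` in NewApplication, because a token whose `iss` matches the rewritten issuer would then be checked against keys fetched from an unrewritten `JwksUri`. If partial rewriting is not intended, have `updateURL` return `(string, error)` and return `ep` unchanged on the first error, mirroring the removed checks; if it is intended, document it. Both new definitions also lack doc comments; for the exported one something like `// GetOIDCEndpoint derives the OIDC endpoints from the outpost config and, for the embedded outpost, rewrites their scheme and host to authentikHost.` and for the helper `// updateURL replaces the scheme and host of rawUrl; on a parse error rawUrl is returned unchanged.` GetOIDCEndpoint's body is split across the three hunks here, and the `aku` parse it uses sits between them.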