cd12e177ea
* initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
79 lines
1.8 KiB
Go
79 lines
1.8 KiB
Go
package application
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
|
)
|
|
|
|
const HeaderAuthorization = "Authorization"
|
|
const AuthBearer = "Bearer "
|
|
|
|
// checkAuth Get claims which are currently in session
|
|
// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
|
|
func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
|
|
s, _ := a.sessions.Get(r, constants.SessionName)
|
|
|
|
c := a.getClaimsFromSession(r)
|
|
if c != nil {
|
|
return c, nil
|
|
}
|
|
|
|
if rw == nil {
|
|
return nil, fmt.Errorf("no response writer")
|
|
}
|
|
// Check bearer token if set
|
|
bearer := a.checkAuthHeaderBearer(r)
|
|
if bearer != "" {
|
|
a.log.Trace("checking bearer token")
|
|
tc := a.attemptBearerAuth(r, bearer)
|
|
if tc != nil {
|
|
s.Values[constants.SessionClaims] = tc.Claims
|
|
err := s.Save(r, rw)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
r.Header.Del(HeaderAuthorization)
|
|
return &tc.Claims, nil
|
|
}
|
|
a.log.Trace("no/invalid bearer token")
|
|
}
|
|
// Check basic auth if set
|
|
username, password, basicSet := r.BasicAuth()
|
|
if basicSet {
|
|
a.log.Trace("checking basic auth")
|
|
tc := a.attemptBasicAuth(username, password)
|
|
if tc != nil {
|
|
s.Values[constants.SessionClaims] = *tc
|
|
err := s.Save(r, rw)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
r.Header.Del(HeaderAuthorization)
|
|
return tc, nil
|
|
}
|
|
a.log.Trace("no/invalid basic auth")
|
|
}
|
|
|
|
return nil, fmt.Errorf("failed to get claims from session")
|
|
}
|
|
|
|
func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
|
|
s, err := a.sessions.Get(r, constants.SessionName)
|
|
if err != nil {
|
|
// err == user has no session/session is not valid, reject
|
|
return nil
|
|
}
|
|
claims, ok := s.Values[constants.SessionClaims]
|
|
if claims == nil || !ok {
|
|
// no claims saved, reject
|
|
return nil
|
|
}
|
|
c, ok := claims.(Claims)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return &c
|
|
}
|