authentik/internal/outpost/proxyv2/application/auth.go
Jens L cd12e177ea
providers/proxy: add initial header token auth (#4421)
* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00


package application
import (
"fmt"
"net/http"
"goauthentik.io/internal/outpost/proxyv2/constants"
)
// Header and scheme constants used when pulling credentials out of an
// incoming request.
const (
	// HeaderAuthorization is the request header that carries credentials.
	// checkAuth deletes it from the request once a credential has been
	// accepted, so it is not forwarded further.
	HeaderAuthorization = "Authorization"
	// AuthBearer is the scheme prefix, including the trailing space, that
	// precedes a bearer token in the Authorization header.
	AuthBearer = "Bearer "
)
// checkAuth resolves the Claims that authorize the current request.
//
// Resolution order:
//  1. claims already present in the session loaded via a.sessions;
//  2. a "Bearer" token taken from the Authorization header and validated
//     by attemptBearerAuth;
//  3. HTTP Basic credentials validated by attemptBasicAuth.
//
// When a header credential is accepted, the resulting claims are written
// into the session, the session is saved through rw, and the Authorization
// header is deleted from r so the raw credential is not passed on. rw may
// be nil only if the session already holds claims; otherwise an error is
// returned before any header is inspected.
//
// Returns an error when rw is nil and no session claims exist, when saving
// the session fails, or when no method yields claims.
func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
	// The Get error is intentionally dropped: getClaimsFromSession does its
	// own error check, and a session that failed to load is still used as
	// the container for claims established from a header credential below.
	// NOTE(review): this relies on a.sessions.Get returning a usable session
	// value even when it reports an error — confirm for the store in use.
	sess, _ := a.sessions.Get(r, constants.SessionName)

	if existing := a.getClaimsFromSession(r); existing != nil {
		return existing, nil
	}
	if rw == nil {
		return nil, fmt.Errorf("no response writer")
	}

	// persist stores c in the session and flushes the session to the client.
	// NOTE(review): nothing here carries the credential's own expiry into the
	// session; later requests are authorized by the session alone — confirm
	// the session lifetime is acceptable for header-authenticated clients.
	persist := func(c Claims) error {
		sess.Values[constants.SessionClaims] = c
		return sess.Save(r, rw)
	}

	// Bearer token, if the header carries one.
	if token := a.checkAuthHeaderBearer(r); token != "" {
		a.log.Trace("checking bearer token")
		if tc := a.attemptBearerAuth(r, token); tc != nil {
			if err := persist(tc.Claims); err != nil {
				return nil, err
			}
			// Drop the credential so it is not forwarded with the request.
			r.Header.Del(HeaderAuthorization)
			return &tc.Claims, nil
		}
		a.log.Trace("no/invalid bearer token")
	}

	// HTTP Basic credentials, if the header carries them.
	if user, pass, present := r.BasicAuth(); present {
		a.log.Trace("checking basic auth")
		if tc := a.attemptBasicAuth(user, pass); tc != nil {
			if err := persist(*tc); err != nil {
				return nil, err
			}
			// Drop the credential so it is not forwarded with the request.
			r.Header.Del(HeaderAuthorization)
			return tc, nil
		}
		a.log.Trace("no/invalid basic auth")
	}

	return nil, fmt.Errorf("failed to get claims from session")
}
// getClaimsFromSession returns the Claims stored in the request's session,
// or nil when the session cannot be loaded, nothing is stored under
// constants.SessionClaims, or the stored value is not a Claims.
//
// A nil result means "reject"; checkAuth then falls back to header-based
// credentials. The returned pointer refers to a copy of the stored value.
func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
	sess, err := a.sessions.Get(r, constants.SessionName)
	if err != nil {
		// No valid session: nothing to trust.
		return nil
	}
	// A missing key, a nil value, and a value of some other type all fail
	// this assertion, which is exactly the "reject" outcome.
	stored, isClaims := sess.Values[constants.SessionClaims].(Claims)
	if !isClaims {
		return nil
	}
	return &stored
}