2023-01-13 15:22:03 +00:00
|
|
|
package application
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
2023-01-14 21:20:52 +00:00
|
|
|
|
|
|
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
2023-01-13 15:22:03 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
|
2023-01-14 21:20:52 +00:00
|
|
|
auth := r.Header.Get(constants.HeaderAuthorization)
|
2023-01-13 15:22:03 +00:00
|
|
|
if auth == "" {
|
|
|
|
return ""
|
|
|
|
}
|
2023-01-14 21:20:52 +00:00
|
|
|
if len(auth) < len(constants.AuthBearer) || !strings.EqualFold(auth[:len(constants.AuthBearer)], constants.AuthBearer) {
|
2023-01-13 15:22:03 +00:00
|
|
|
return ""
|
|
|
|
}
|
2023-01-14 21:20:52 +00:00
|
|
|
return auth[len(constants.AuthBearer):]
|
2023-01-13 15:22:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type TokenIntrospectionResponse struct {
|
|
|
|
Claims
|
|
|
|
Scope string `json:"scope"`
|
|
|
|
Active bool `json:"active"`
|
|
|
|
ClientID string `json:"client_id"`
|
|
|
|
}
|
|
|
|
|
2023-02-07 21:50:49 +00:00
|
|
|
func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
|
2023-01-13 15:22:03 +00:00
|
|
|
values := url.Values{
|
|
|
|
"client_id": []string{a.oauthConfig.ClientID},
|
|
|
|
"client_secret": []string{a.oauthConfig.ClientSecret},
|
|
|
|
"token": []string{token},
|
|
|
|
}
|
|
|
|
req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to create introspection request")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
res, err := a.httpClient.Do(req)
|
|
|
|
if err != nil || res.StatusCode > 200 {
|
|
|
|
a.log.WithError(err).Warning("failed to send introspection request")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
intro := TokenIntrospectionResponse{}
|
|
|
|
err = json.NewDecoder(res.Body).Decode(&intro)
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to parse introspection response")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if !intro.Active {
|
|
|
|
a.log.Warning("token is not active")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
intro.RawToken = token
|
|
|
|
a.log.Trace("successfully introspected bearer token")
|
|
|
|
return &intro
|
|
|
|
}
|