providers/proxy: fix JWKS url in embedded outpost (#6644)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L 2023-08-28 00:52:01 +02:00 committed by GitHub
parent 85bc35eb41
commit 1410169af1
2 changed files with 15 additions and 12 deletions


@ -30,6 +30,7 @@ func updateURL(rawUrl string, scheme string, host string) string {
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint { func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
authUrl := p.OidcConfiguration.AuthorizationEndpoint authUrl := p.OidcConfiguration.AuthorizationEndpoint
endUrl := p.OidcConfiguration.EndSessionEndpoint endUrl := p.OidcConfiguration.EndSessionEndpoint
jwksUri := p.OidcConfiguration.JwksUri
issuer := p.OidcConfiguration.Issuer issuer := p.OidcConfiguration.Issuer
ep := OIDCEndpoint{ ep := OIDCEndpoint{
Endpoint: oauth2.Endpoint{ Endpoint: oauth2.Endpoint{
@ -38,10 +39,14 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
AuthStyle: oauth2.AuthStyleInParams, AuthStyle: oauth2.AuthStyleInParams,
}, },
EndSessionEndpoint: endUrl, EndSessionEndpoint: endUrl,
JwksUri: p.OidcConfiguration.JwksUri, JwksUri: jwksUri,
TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint, TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
Issuer: issuer, Issuer: issuer,
} }
aku, err := url.Parse(authentikHost)
if err != nil {
return ep
}
// For the embedded outpost, we use the configure `authentik_host` for the browser URLs // For the embedded outpost, we use the configure `authentik_host` for the browser URLs
// and localhost (which is what we've got from the API) for backchannel URLs // and localhost (which is what we've got from the API) for backchannel URLs
// //
@ -51,27 +56,24 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
if !embedded && hostBrowser == "" { if !embedded && hostBrowser == "" {
return ep return ep
} }
var newHost *url.URL var newHost *url.URL = aku
var newBrowserHost *url.URL
if embedded { if embedded {
if authentikHost == "" { if authentikHost == "" {
log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.") log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.")
return ep return ep
} }
aku, err := url.Parse(authentikHost) newBrowserHost = aku
if err != nil {
return ep
}
newHost = aku
} else if hostBrowser != "" { } else if hostBrowser != "" {
aku, err := url.Parse(hostBrowser) browser, err := url.Parse(hostBrowser)
if err != nil { if err != nil {
return ep return ep
} }
newHost = aku newBrowserHost = browser
} }
// Update all browser-accessed URLs to use the new host and scheme // Update all browser-accessed URLs to use the new host and scheme
ep.AuthURL = updateURL(authUrl, newHost.Scheme, newHost.Host) ep.AuthURL = updateURL(authUrl, newBrowserHost.Scheme, newBrowserHost.Host)
ep.EndSessionEndpoint = updateURL(endUrl, newHost.Scheme, newHost.Host) ep.EndSessionEndpoint = updateURL(endUrl, newBrowserHost.Scheme, newBrowserHost.Host)
// Update issuer to use the same host and scheme, which would normally break as we don't // Update issuer to use the same host and scheme, which would normally break as we don't
// change the token URL here, but the token HTTP transport overwrites the Host header // change the token URL here, but the token HTTP transport overwrites the Host header
// //
@ -79,6 +81,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
// is routed correctly // is routed correctly
if embedded { if embedded {
ep.Issuer = updateURL(ep.Issuer, newHost.Scheme, newHost.Host) ep.Issuer = updateURL(ep.Issuer, newHost.Scheme, newHost.Host)
ep.JwksUri = updateURL(jwksUri, newHost.Scheme, newHost.Host)
} }
return ep return ep
} }
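Review bot: The new `aku, err := url.Parse(authentikHost)` at the start of the second hunk returns `ep` silently on error, and because it now runs before the `embedded` branch it also short-circuits non-embedded outposts whose `authentik_host` is malformed even though that value is never used on their path, whereas the old code only parsed it inside `if embedded`. The blank-host case a few lines below logs a warning, so the parse failure should do the same, e.g. `log.Warningf("invalid authentik_host %q: %v", authentikHost, err)` before the `return ep` (assuming `log` is logrus, as the existing `log.Warning` call suggests), or the parse could move back under `if embedded`. In the third hunk `var newHost *url.URL = aku` can be `newHost := aku`; on the only path that reads `newHost` (embedded) it is the same pointer as `newBrowserHost`, so one of the two variables looks redundant. The `ep.JwksUri = updateURL(...)` line added in the last hunk follows the issuer rewrite, but the comment above only justifies the issuer; a one-line comment stating why the key set must be fetched from the browser-facing host rather than the API host (the reason is not visible in this diff) would help the next reader. `hostBrowser` is defined between the hunks and the function body continues outside them.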


@ -82,7 +82,7 @@ func TestEndpointEmbedded(t *testing.T) {
assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/authorize/", ep.AuthURL) assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/authorize/", ep.AuthURL)
assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/", ep.Issuer) assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/", ep.Issuer)
assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL) assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL)
assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri) assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint) assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint)
assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection) assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection)
} }