providers/proxy: fix JWKS url in embedded outpost (#6644)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-08-28 00:52:01 +02:00 · 2023-08-28 00:52:01 +02:00 · 1410169af1
parent 85bc35eb41
commit 1410169af1
2 changed files with 15 additions and 12 deletions
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@ -30,6 +30,7 @@ func updateURL(rawUrl string, scheme string, host string) string {
 func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
 	authUrl := p.OidcConfiguration.AuthorizationEndpoint
 	endUrl := p.OidcConfiguration.EndSessionEndpoint
 	jwksUri := p.OidcConfiguration.JwksUri
 	issuer := p.OidcConfiguration.Issuer
 	ep := OIDCEndpoint{
 		Endpoint: oauth2.Endpoint{
@ -38,10 +39,14 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 			AuthStyle: oauth2.AuthStyleInParams,
 		},
 		EndSessionEndpoint: endUrl,
-		JwksUri:            p.OidcConfiguration.JwksUri,
+		JwksUri:            jwksUri,
 		TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
 		Issuer:             issuer,
 	}
 	aku, err := url.Parse(authentikHost)
 	if err != nil {
 		return ep
 	}
 	// For the embedded outpost, we use the configure `authentik_host` for the browser URLs
 	// and localhost (which is what we've got from the API) for backchannel URLs
 	//
@ -51,27 +56,24 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 	if !embedded && hostBrowser == "" {
 		return ep
 	}
-	var newHost *url.URL
+	var newHost *url.URL = aku
 	var newBrowserHost *url.URL
 	if embedded {
 		if authentikHost == "" {
 			log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.")
 			return ep
 		}
-		aku, err := url.Parse(authentikHost)
+		newBrowserHost = aku
 		if err != nil {
 			return ep
 		}
 		newHost = aku
 	} else if hostBrowser != "" {
-		aku, err := url.Parse(hostBrowser)
+		browser, err := url.Parse(hostBrowser)
 		if err != nil {
 			return ep
 		}
-		newHost = aku
+		newBrowserHost = browser
 	}
 	// Update all browser-accessed URLs to use the new host and scheme
-	ep.AuthURL = updateURL(authUrl, newHost.Scheme, newHost.Host)
+	ep.AuthURL = updateURL(authUrl, newBrowserHost.Scheme, newBrowserHost.Host)
-	ep.EndSessionEndpoint = updateURL(endUrl, newHost.Scheme, newHost.Host)
+	ep.EndSessionEndpoint = updateURL(endUrl, newBrowserHost.Scheme, newBrowserHost.Host)
 	// Update issuer to use the same host and scheme, which would normally break as we don't
 	// change the token URL here, but the token HTTP transport overwrites the Host header
 	//
@ -79,6 +81,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 	// is routed correctly
 	if embedded {
 		ep.Issuer = updateURL(ep.Issuer, newHost.Scheme, newHost.Host)
 		ep.JwksUri = updateURL(jwksUri, newHost.Scheme, newHost.Host)
 	}
 	return ep
 }
--- a/internal/outpost/proxyv2/application/endpoint_test.go
+++ b/internal/outpost/proxyv2/application/endpoint_test.go
@ -82,7 +82,7 @@ func TestEndpointEmbedded(t *testing.T) {
 	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/authorize/", ep.AuthURL)
 	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/", ep.Issuer)
 	assert.Equal(t, "https://test.goauthentik.io/application/o/token/", ep.TokenURL)
-	assert.Equal(t, "https://test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
+	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/jwks/", ep.JwksUri)
 	assert.Equal(t, "https://authentik-host.test.goauthentik.io/application/o/test-app/end-session/", ep.EndSessionEndpoint)
 	assert.Equal(t, "https://test.goauthentik.io/application/o/introspect/", ep.TokenIntrospection)
 }