providers/proxy: add token support for basic auth
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
555b33c252
commit
3170b2f92c
|
@ -28,7 +28,7 @@ func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claim
|
||||||
bearer := a.checkAuthHeaderBearer(r)
|
bearer := a.checkAuthHeaderBearer(r)
|
||||||
if bearer != "" {
|
if bearer != "" {
|
||||||
a.log.Trace("checking bearer token")
|
a.log.Trace("checking bearer token")
|
||||||
tc := a.attemptBearerAuth(r, bearer)
|
tc := a.attemptBearerAuth(bearer)
|
||||||
if tc != nil {
|
if tc != nil {
|
||||||
return a.saveAndCacheClaims(rw, r, tc.Claims)
|
return a.saveAndCacheClaims(rw, r, tc.Claims)
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,15 @@ type TokenResponse struct {
|
||||||
IDToken string `json:"id_token"`
|
IDToken string `json:"id_token"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const JWTUsername = "goauthentik.io/token"
|
||||||
|
|
||||||
func (a *Application) attemptBasicAuth(username, password string) *Claims {
|
func (a *Application) attemptBasicAuth(username, password string) *Claims {
|
||||||
|
if username == JWTUsername {
|
||||||
|
res := a.attemptBearerAuth(password)
|
||||||
|
if res != nil {
|
||||||
|
return &res.Claims
|
||||||
|
}
|
||||||
|
}
|
||||||
values := url.Values{
|
values := url.Values{
|
||||||
"grant_type": []string{"client_credentials"},
|
"grant_type": []string{"client_credentials"},
|
||||||
"client_id": []string{a.oauthConfig.ClientID},
|
"client_id": []string{a.oauthConfig.ClientID},
|
||||||
|
|
|
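Review bot: When `username == JWTUsername` but `attemptBearerAuth(password)` returns nil, the new block falls through to the `client_credentials` request built right below it, so the (already rejected) bearer token is then re-sent to the token endpoint as the password of the reserved user `goauthentik.io/token`, and the caller pays a second round trip before getting nil. Since the docs in this commit describe the reserved username as behaving "as if a bearer token was used", the branch should terminate explicitly, i.e. `if res != nil { return &res.Claims }` followed by `return nil` inside the `if username == JWTUsername` block, unless a password grant for that username is deliberately intended. A doc comment on the new constant would also help readers, e.g. `// JWTUsername is the reserved HTTP-Basic username under which the password is treated as a bearer token instead of a client secret.` attemptBasicAuth's body continues past the end of the hunk.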
@ -27,7 +27,7 @@ type TokenIntrospectionResponse struct {
|
||||||
ClientID string `json:"client_id"`
|
ClientID string `json:"client_id"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenIntrospectionResponse {
|
func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
|
||||||
values := url.Values{
|
values := url.Values{
|
||||||
"client_id": []string{a.oauthConfig.ClientID},
|
"client_id": []string{a.oauthConfig.ClientID},
|
||||||
"client_secret": []string{a.oauthConfig.ClientSecret},
|
"client_secret": []string{a.oauthConfig.ClientSecret},
|
||||||
|
|
|
@ -41,6 +41,8 @@ If the received credentials are invalid, a normal authentication flow is initiat
|
||||||
It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
|
It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
|
||||||
|
|
||||||
### Receiving HTTP Bearer authentication
|
### Receiving HTTP Bearer authentication
|
||||||
|
|
||||||
:::info
|
:::info
|
||||||
|
|